The Commonwealth Bank of Australia has told Australia’s cyber spooks that it wants secret threat intelligence declassified faster so it and other banks can put timely precautions and fixes into place before malware bites and spreads.
Contained in its submission to Home Affairs’ 2020 cyber security strategy consultation, Australia’s largest bank also called for the role and funding of the Australian Cyber Security Centre to be expanded so that it can act more effectively as a central clearing house for threats and countermeasures across the economy.
The call to expedite the declassification of threat intelligence, including the technical specifics of threats, has been a pressing issue for banks in Australia as they seek to bolster their estates against increasing state-sponsored and financially motivated attacks, the line between which is increasingly blurred.
CBA’s core argument is that the commercial sector as a whole, and critical infrastructure operators in particular, needs a window into attacks on other organisations, including what it calls “near misses”, so that business as a whole can build a kind of herd immunity.
“We need to create an environment that not only supports high standards of cyber security, but also encourages an organisation to share intelligence on compromises or 'near-misses' it has suffered, without undue fear of criticism and scrutiny,” the CBA’s submission said.
“This would remove barriers to effective intelligence sharing and align to the global shift in understanding that even a well defended organisation can suffer a cyber attack, and should be measured against how quickly and transparently it responds.”
Tackling the thorny declassification issue directly, CBA essentially argues that compartmentalising cyber intelligence to the point where it is withheld from the organisations it affects strips it of much of its value, because intelligence that cannot be acted on is not actionable.
Citing an “appetite from Australian cyber threat intelligence teams for more declassified intelligence that is timely, actionable and relevant to their organisations” the CBA said such material could include “directly actionable tactical intelligence, as well as more strategic intelligence that provides geopolitical or other strategic context to the developing threat landscape.”
Parts of industry have long had an issue with what some see as a growing trend of overclassification, where sensitivity markings are routinely set higher than the content warrants, partly to shield assessments from scrutiny.
Overclassification is also seen as a handbrake on the sharing of solid open source intelligence that can often be as useful as protected source material in taking protective countermeasures.
The CBA says it realises it’s a tough call, but reckons it’s still worth it.
“We acknowledge the administrative and security hurdles to declassifying intelligence and the need for industry to articulate clearly its intelligence requirements to government to better enable this process,” CBA said.
One initiative it wants looked at is setting the bots on declassification, citing “initiatives such as the UK National Cyber Security Centre's (NCSC) "IOC Machine", which has reportedly accelerated the speed at which sensitive material is declassified into the public domain through automation”.
“This has enabled the NCSC to share more than 1,000 vital indicators of compromise (IOCs) with industry partners each month, which can provide a broad understanding of how an adversary attacks, but can also cover very specific details, such as signatures of malware used or IP addresses associated with an adversary,” CBA said.
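Indicators of the kind the submission describes only help a defender once they are matched against that organisation's own telemetry. As an added illustration (not code from CBA, the NCSC or the submission), the Python below parses a small constructed indicator list in the plain CSV shape such feeds are often shared in, undoes the usual defanging (“hxxp”, “[.]”) that feeds use so indicators cannot be clicked by accident, and checks the result against a few constructed proxy and endpoint log lines. Every indicator, address, hash and log line is made up for the example, with IP addresses drawn from documentation ranges.

```python
"""Match a shared indicator list against local log lines.

Added example; not code from CBA, the NCSC or the article. The feed
format, the log formats and every indicator value are constructed.
"""
import ipaddress
import re
import urllib.parse

# Constructed indicator list (type,value,description). Real feeds vary in
# format (CSV, STIX, MISP); the defanging conventions are the common ones.
SAMPLE_FEED = """\
# type,value,description
ipv4,203.0.113.45,constructed C2 address (TEST-NET-3)
cidr,198.51.100.0/24,constructed adversary netblock (TEST-NET-2)
domain,update[.]example-cdn[.]test,constructed staging domain (defanged)
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA-256 of an empty file (placeholder)
url,hxxp://update[.]example-cdn[.]test/payload.bin,constructed download URL (defanged)
"""

# Constructed log lines: three proxy records and one endpoint file-hash record.
SAMPLE_LOGS = [
    "2020-03-02T10:01:07Z proxy src=10.1.4.22 dst=203.0.113.45 url=http://update.example-cdn.test/payload.bin status=200",
    "2020-03-02T10:01:09Z proxy src=10.1.4.22 dst=93.184.216.34 url=https://www.example.com/ status=200",
    "2020-03-02T10:02:15Z edr host=ws-0417 file=C:\\Users\\a\\Downloads\\payload.bin sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2020-03-02T10:03:40Z proxy src=10.1.7.9 dst=198.51.100.77 url=http://198.51.100.77/ status=403",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"']+")


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against raw log text."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def load_feed(text: str) -> dict:
    """Parse the CSV feed into typed, normalised indicator collections."""
    iocs = {"ipv4": set(), "cidr": [], "domain": set(), "sha256": set(), "url": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, _desc = line.split(",", 2)
        value = refang(value)
        if kind == "ipv4":
            iocs["ipv4"].add(str(ipaddress.IPv4Address(value)))  # validates the address
        elif kind == "cidr":
            iocs["cidr"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            iocs["domain"].add(value.lower().rstrip("."))
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
                raise ValueError(f"bad sha256 indicator: {value}")
            iocs["sha256"].add(value.lower())
        elif kind == "url":
            iocs["url"].add(value.lower())
        else:
            raise ValueError(f"unknown indicator type: {kind}")
    return iocs


def match_line(iocs: dict, line: str) -> list:
    """Return sorted (type, indicator) pairs from the feed that appear in one log line."""
    hits = set()
    for ip_text in set(IPV4_RE.findall(line)):
        try:
            ip = ipaddress.IPv4Address(ip_text)
        except ValueError:
            continue  # the loose regex also matches things like 999.1.1.1
        if ip_text in iocs["ipv4"]:
            hits.add(("ipv4", ip_text))
        for net in iocs["cidr"]:
            if ip in net:
                hits.add(("cidr", str(net)))
    for url in set(URL_RE.findall(line)):
        url_l = url.lower()
        if url_l in iocs["url"]:
            hits.add(("url", url_l))
        host = urllib.parse.urlsplit(url_l).hostname or ""
        for dom in iocs["domain"]:  # exact domain or any subdomain of it
            if host == dom or host.endswith("." + dom):
                hits.add(("domain", dom))
    for digest in set(SHA256_RE.findall(line)):
        if digest.lower() in iocs["sha256"]:
            hits.add(("sha256", digest.lower()))
    return sorted(hits)


def scan(iocs: dict, lines: list) -> list:
    """Run match_line over numbered log lines and flatten the hits."""
    return [(n, kind, value) for n, line in enumerate(lines, 1) for kind, value in match_line(iocs, line)]


if __name__ == "__main__":
    for n, kind, value in scan(load_feed(SAMPLE_FEED), SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator matched -> {value}")
```

The domain check matches subdomains as well as the exact name, because adversaries rotate hostnames under a staging domain more often than they change the domain itself; the CIDR check exists because a feed that names a netblock rather than a single address would otherwise be silently ignored by an exact-match set.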
Predictably, the bank also has issues with Australia’s divisive anti-encryption legislation.
Under the heading of “Creating a legal environment that supports digital innovation” – which rather opens the question as to what the current regime does – CBA said it wants the government to “consult with the technology community when developing legislation that could impact technology innovation and the cyber security sector”.
“We would encourage the government to take further steps to those taken to date to clarify the intention and operation of the Assistance and Access Act, which members of the Australian technology industry have cited as potentially making Australian technology less attractive in overseas markets,” CBA said.
Not that banks are treading on eggshells at the moment when it comes to dealing with the government.