Cooperation and learning are critical challenges for the future of information security; both require trustworthy communities of practice and trustworthy institutions that support these communities.
Trust no one and nothing. That's the mantra behind the "zero trust" approach to information security. Under this architecture, the activities of users, endpoints, and services within a system are controlled and monitored as closely as the connections that transit the boundary between the system and the outside world. But creating a "zero trust" system isn't just a technological problem. It's also a social problem that presents organizational difficulties. Organizations must often deal with exceptions rather than rules: Business processes never run entirely to specification, departmental collaborations often need renegotiation, staff take on flexible responsibilities, and so on.
This problem is particularly acute in decentralized organizations such as those often found in higher education. It's also critical for the distributed inter-organizational and cross-border coordination often needed to respond to information security incidents. The security of systems within organizational and territorial boundaries often relies on information from people and systems beyond these boundaries, whether for operational data (such as threat intelligence and telemetry) or for practical knowledge (through workshops, degrees, and certification programs).
As our research at the UC Berkeley Center for Long-Term Cybersecurity and Packet Clearing House shows, information security requires trust just as much as it requires distrust. Information security professionals have to trust institutions (like CERTs, ISACs, and law enforcement) as well as their peers in order to accomplish everyday tasks. At the same time, security professionals must remain cautious of the relationships they maintain with institutions and peers, knowing that inadvertent mistakes — or active compromises — can cause sensitive information (such as newly discovered vulnerabilities) to be leaked to adversaries. Trust and distrust are two sides of the same coin — you can't have one without the other.
In this post, I'll share some of the results of our research into cooperation and learning in information security, to provide a framework for thinking about trust in complex organizational — and inter-organizational — information security environments. Rather than asking, "How can we avoid trust?" our research poses the question, "How can we trust?"
Information security is a fundamentally cooperative endeavor, one in which responsibility and authority are distributed across a wide array of actors. Even while dedicated information security teams protect organizations, users within these organizations are expected to maintain a certain level of responsibility for their own information security. Within the decentralized organizational models of higher education, chief information security officers (CISOs) often must function in a coordinating — rather than a directing — role, to build consensus around best practices across different units (some of which might have their own IT teams). The higher education CISO's task is further complicated by a governance model that includes faculty, staff, and students. Cooperation across organizations is enabled by institutions (such as REN-ISAC for higher education) and by interpersonal trust relationships between information security professionals, formed over years of repeated interactions.
In our research, we set out to understand the salience of different kinds of relationships for inter-organizational cooperation in information security. We asked survey respondents to rate the importance of particular channels for gaining information about new attacks and novel approaches, and we asked how willing they would be to share information across these channels. By far, the most important channels were relationships within organizations and interpersonal trust relationships formed with peers in other organizations. These were rated higher than ISACs, CERTs, and other institutions that were also regarded as being important. We also asked survey respondents to rate open online channels and conferences, as well as their closed invitation-only equivalents. Respondents indicated a greater willingness to share information in closed online channels and conferences than in open environments. The reason for these responses became clearer through interviews we conducted. Interviewees consistently told us how they found the highest quality of information to be shared within small, vetted groups within which everyone knows and trusts each other.
Cooperation needs to spread widely across organizational boundaries to construct effective responses to new kinds of attacks and vulnerabilities. But the presence of adversaries tempers the ability to spread cooperation widely. Institutions play an important role in building the organizational relationships needed to manage cooperation. However, our research shows that tightly bounded and controlled information sharing environments within organizations and between trusted individuals will likely remain critical for effective cooperation in information security.
There simply aren't enough qualified information security personnel to fill the open positions across the industry. In response, a wide variety of certificate and degree programs have emerged to train personnel to staff these positions. But learning takes place as much in the practice of doing information security as within formal training programs.
To understand the ways in which information security skills are learned, we asked survey respondents to rate the importance of different social contexts for their own learning. The results mirrored what we found in evaluating mechanisms for cooperation: Working with colleagues within organizations and working with trusted peers in other organizations were rated the highest. Degree and certification programs were regarded as being important but not as important as the experience gathered in hands-on everyday work. In fact, online channels, informal gatherings, and conferences were all rated marginally higher for their importance to learning than degrees and certification programs. Our interviews bore out these results, with interviewees of a variety of ages and experience levels telling us about the importance of mentors and peers to their own learning.
Without question, these results are, in part, indicative of a relatively nascent professional field, one in which formal education programs are still in the process of maturing. However, we believe that these results are equally indicative of a field that depends on interpersonal trust relationships and organizational boundaries. If the highest-quality information is shared within these secure settings, then it is perhaps unsurprising that the highest-quality learning also takes place within such settings, as information security professionals learn alongside each other in the practice of doing information security.
Trustworthy Communities and Institutions
Information security is characterized by a curious tension: To secure information, sensitive information must be securely shared. The security of interdependent systems spanning organizational and territorial boundaries requires cooperation, but a cooperation tempered by caution in the face of determined adversaries. In consequence, effective cooperation and learning in information security will continue to rely as much on trust relationships and organizational boundaries as on strong institutions.
We tend to think of institutions — whether for cooperation or learning — as solutions to these problems, especially for scale. However, the particular tensions within information security suggest that we should equally think about how to grow trustworthy communities of practice for these purposes. This is not a binary choice. Communities often grow from institutional anchors, just as institutions often grow from strong communities.
How can we trust? By building trustworthy communities of practice within and across organizations, as much as by building trustworthy institutions that function alongside these communities. Neither is an easy task, but we believe that thinking about building communities as much as about building institutions is a necessary path forward for the field of information security.
You can find out more about the research and ideas presented in this article in the report A Fragmented Whole: Cooperation and Learning in the Practice of Information Security, published by Packet Clearing House and the UC Berkeley Center for Long-Term Cybersecurity.
© 2018 Ashwin J. Mathew. The text of this work is licensed under a Creative Commons BY 4.0 International License.