ORILLIA, Ont. – Cash-strapped Canadian public sector institutions have the opportunity to join the country’s cyber information sharing platform at reduced pricing.
The Canadian Cyber Threat Exchange (CCTX) said Wednesday it has created a special pricing model to entice local governments, hospitals and institutions of higher education to join the not-for-profit data exchange and participate in newly set-up private sector discussion forums.
Mary-Jane Couldridge, the exchange’s director of business development, made the announcement here at the annual security conference of the Municipal Information Systems Association (MISA), whose members work in town, city and county IT departments.
CCTX set up the discount pricing in co-operation with MISA “because there’s an obvious need,” she said. “We’re seeing municipalities being hit regularly and we know they can benefit from collaboration and sharing of resources, given every municipality has got a lot of different things to cover with their budget.”
In the U.S. it’s common for companies to join sector-specific information sharing and analysis centers (ISACs). However, the goal of CCTX is to support a variety of industries in the hope that it will be able to offer deep expertise across sectors.
“If something hits an industry before it comes to municipalities they’re going to learn about the tactics and vectors being used so they can be prepared if it comes to them,” Couldridge said. “And they can also collaborate around projects so they don’t have to be doing things themselves. Not everyone has to repeat the same work.”
Although they get a discount, these new public sector members have access to all CCTX platform capabilities, including the repository of threat intelligence, a daily intel feed and the ability to set up private invitation-only online meeting spaces.
Couldridge didn’t have exact numbers but said the discount would amount to about 20 per cent off the cost of a regular CCTX membership, which runs from $500 to $50,000 depending on the number of employees.
In an era when attackers have the advantage of time, money and the ability to alter their code at will, experts say collaboration is a necessity if defenders are to keep pace. However, managers can be unwilling to give a green light for fear of lawsuits if a staffer says something defamatory, or for fear that an organization may use a report of an incident to trash a competitor.
Information sharing groups usually have rules about limiting sensitive conversations — for example, it may be appropriate to say ‘We’ve seen unusual code,’ and forbidden to say, ‘We’ve suffered a data breach.’
“Having people become comfortable with sharing is a big cultural shift,” Couldridge admitted. “We in IT and cyber have been raised to hold our cards close to our chest.” But, she added, “people are starting to understand this is a game you can’t play alone anymore.”
Couldridge noted that CCTX members have to sign a services agreement that forbids sensitive information colour-coded red from being shared outside the platform.
CCTX is also working with the Ontario Energy Board to ensure power utilities that join the exchange aren’t disciplined for cyber information sharing.
The limits those in the municipal field face were evident at a panel Couldridge participated in here on how some MISA infosec members are sharing cyber information. Several spoke of participating in groups set up on the Slack platform’s City Cyber channel, others about holding periodic face-to-face meetings with colleagues from neighboring municipalities.
Mark Dillon, vice-president of information technology at Waterloo North Hydro, wishes Slack had a secure channel for communications. One of the problems he finds is that because conversations are cautious, participants talk largely about planning things and not how problems are solved.
Another panelist noted that sharing doesn’t only have to be about threat information. Shared procedures among municipalities can also be used to squeeze suppliers.
“If all of us have different questionnaires we’re asking our vendors [before buying products or services], it’s pretty easy for the vendor to tell us they’re not going to fill it out,” said Joel Duffield, network and server administrator at the town of Huntsville. “But if we can create some collaborations where we all signed into something and say [to vendors], ‘We’re all going to put this into our procurement documentation’ ” and wish them luck trying to sell to the 30 other municipalities demanding the same questionnaire be filled out. “I think there can be a lot of power in that.”
While the CCTX has been running since early 2017, no municipalities have joined.
Adam Abernethy, network security manager, city of Oshawa and a MISA Ontario infosec group member who moderated the panel, said in an interview that one of the biggest issues holding back municipal IT departments from joining a threat sharing group is the reluctance of senior city management to approve the move. Few municipalities have guidelines on what threat or product information to share with others.
Abernethy said CCTX’s decision to offer special pricing to public sectors is “a really good idea,” but he also cautioned that the fee for some small towns may still be prohibitive.