Organisations protect their networks and crown jewels from malicious activity and malfunction by generating and using data. Such cybersecurity information can be statistics about downtime, intrusion detection log files, details about different sorts of malware, or detected phishing attacks.
Trust, privacy and reputational damage are reasons why organisations refrain from sharing this valuable information with others. TNO found that MPC is a valuable and viable privacy enhancing technique that enhances data sharing across organisations. It generates new information which improves cybersecurity defences for all participating organisations.
In our data-driven society, there is often a paradox between wanting to collaborate but not being able to share data because it is (privacy-)sensitive. TNO observed that this paradox hinders the willingness of organisations to share cyber security information in the Netherlands. Companies and organisations are eager and ready to learn from each other, but sharing their cyber security data and insights can be a step too far, because of privacy, financial or reputational hurdles.
Secure Multi-Party Computation (MPC), a privacy enhancing technique, offers a solution. MPC allows organisations of any type or size to jointly compute data, just as if they share a database. In the case of cyber security data, this could break down hurdles for data sharing. TNO has built a Proof of Concept to perform a secure analysis on cyber incidents.
Over the course of 2020, TNO developed a use case to research the added value of MPC on cybersecurity information sharing. The use case envisions a group of organisations, let’s call them organisation A, B, C, D and E. These organisations deal with cyber incidents on a regular basis, think of a ransomware or DDoS attack. They expect that others deal with similar attacks, but are not sure about it. However, if it is the case, they would certainly like to learn about it! However, organisation A might not want to tell organisation B, C, D and E about the damage or time to mitigate the aforementioned ransomware attack because it is company sensitive information. Now, the MPC protocol comes into play and looks as follows:
For every cyber incident, the organisations need to answer some questions, e.g. about the action, the actor, or the impact. Each organisation combines this information (input) into a database, which is securely made available for the MPC protocol. The organisations collaboratively decide what analysis they want to perform on this data. For example they can learn in how many of the incidents malware was involved. Remember that they will only learn this output, and that no one will know that company A had a ransomware attack. Organizations have learned from each other whilst anonymity is preserved! A true shared database.
We have observed that that information sharing communities share within trusted group in an informal and relative unstructured way, and that privacy or reputation is withholding them from sharing quantitative data. Doing a Secure Incidents Analysis can help to break the silence and the output of the MPC protocol can help organisations in decision making procedures because they know where they stand in relation to others.
MPC is not a magic solution for everything. Organisations still need to be helped with gathering the right and structured data needed in order to let the MPC protocol calculate. Also a discussion on what would be the most valuable output would be needed. However, MPC offers a step forward in breaking down hurdles that currently hinder enriched information sharing practices.
The project generated new knowledge and experience with MPC in solving common challenges in the cybersecurity domain. We have written this article to inform you about our lessons learned because we find are keen advocates of MPC to enhance cyber security information sharing.
Over the course of the year, our project sparked interest with public and private parties to further develop and implement the technology. Are you interested as well? Contact us to collaboratively explore how MPC can strengthen your information sharing activities!
Contact Marie Beth van Egmond.