This past week I presented at the U.S. Department of Defense Cybersecurity conference in Atlanta, Georgia. I was invited to participate in a meeting to discuss data sharing strategy between private industry and law enforcement. The goal is to improve threat awareness for law enforcement. Everyone agrees this is important, but it is also a very difficult goal.
Most current data sharing occurs informally. Trusted partners identify a specific need and share intelligence. One of the ideas discussed in Atlanta was to create an electronic fingerprint “hash value” database for known malicious programs. Law enforcement could access this database and use it for their own investigations to identify known malware.
While identifying known malware is important, one of the biggest concerns raised was whether a hash database is really useful. Recent trends identified by Symantec show that many viruses are now “singletons.” Singletons are virus mutations that might only appear on a few computers. This is the entire reason Symantec is moving from signature-based security that fingerprints every virus to “reputation”-based security. Reputation security relies on identifying malware through a collection of intelligence, and it improves detection ability.
Many participants in the group cited The National Center for Missing & Exploited Children (NCMEC) as an example of successful data sharing with law enforcement. However, NCMEC’s benefits are limited to child abuse cases and they also provide significant analysis on cases. It would be difficult to transfer this model to the much broader issues involving other forms of cybercrime. This would require a much larger budget, staff, and technical analysis.
A database of known viruses may not be the best solution for fighting cybercrime. However, everyone agrees that increased collaboration is necessary. Having the security community together and talking about a solution is at least a great first step.
