This post was originally authored by Josh Kenway.
Over the past two years, as I have worked towards a graduate degree focused on cybersecurity and digital policy at Stanford University, the variety and seeming intractability of numerous collective action problems in this broad domain has been a consistent curricular theme.
However, interning at the Cyber Threat Alliance (CTA) during the last year has taught me a lot about the means by which the cybersecurity industry has worked to overcome its own specific obstacles to collective action. This includes the problem of maximizing visibility and customer security through large-scale, automated sharing of well-structured threat intelligence data. The lessons that I have taken from my experience at CTA, however, extend beyond data sharing in a cybersecurity context alone.
Information Sharing: Not Only Desirable, But Necessary
Cybersecurity companies have historically been held back in their data sharing by a mistaken conventional wisdom around proprietary data and its singular importance to companies’ relative competitiveness.
However, in reality, cybersecurity is a highly differentiated and global industry in which complete visibility into the threat landscape is not something that any one company can achieve alone. Even our largest members report receiving nontrivial amounts of new-to-them data through CTA, affirming that companies with a significant level of visibility into different industry verticals and a presence in a number of national contexts can still benefit from sharing across the industry.
CTA & The Looming Challenge of Digital Collective Action
It is widely acknowledged that ongoing societal digitalization and, more specifically, the advancement of sharing across and within industries has the potential to deliver enormous welfare gains through innovation and efficiency. Of course, this also assumes that appropriate protections for sensitive and private data can be assured where required.
By way of example, the European Commission recently estimated that unlocking the potential value of non-personal data produced in European manufacturing contexts alone could unlock €1.5 trillion of additional economic output by 2027; an amount that is equivalent to almost 10% of the EU’s 2018 GDP. However, tapping that potential value will require addressing many of the same kinds of obstacles that CTA has worked hard to overcome in the context of threat intelligence sharing since its founding in 2017.
Lessons from the Cyber Threat Alliance
So, what can the story of CTA tell us about how to solve these kinds of collective action problems? At least as I have experienced and come to understand the organization over the past year, there are three key elements:
First, collective action problems, low levels of trust, technical deficits, uncertainty around the true value of data, and other disincentives that impede the sharing of data across corporate entities and with the public sector are not new phenomena; nor are they impossible to overcome. This holds true even in specific industrial contexts, such as cybersecurity, whose workforce has a high level of technical competence and knowledge about the value of relevant data.
Second, cultural and technical barriers to information sharing can take a long time to overcome, but that is no reason not to work on addressing them. The creation and maintenance of trust in multi-stakeholder arrangements is essential to their success as environments for informational exchange at human and machine speed. The development and widespread adoption of common technical standards that allow for contextualization and linkages across data entries are similarly a necessary prerequisite to large-scale information sharing.
Third, appropriate institutional structures, legal assurance mechanisms, a dedicated team, and the cultivation of interpersonal relationships among relevant stakeholders are all key ingredients for fostering trust. Moreover, when these kinds of multi-party, trust-dependent sharing arrangements can be made to work, the value that they accrue for participants can far exceed those parties’ initial expectations.
Tying It All Together with Trust
None of what CTA does on a daily basis to support stronger cybersecurity across the digital ecosystem would be possible without the trust of our members in the organization itself. Although legal documents and codes of conduct can do a lot to sustain this trust, such mechanisms only go so far.
When our members are asked to trust in CTA, they are being asked to trust in each other but also in the CTA team. Over the course of this internship, every member of CTA’s leadership team has demonstrated the characteristics of empathy, excellence, cooperation, and dedication that are foundational to the trust that our members have in this organization. It has been my privilege and pleasure to support them and the CTA mission over the last twelve months — and I look forward to seeing how the CTA story continues into the future.
Rest assured, the organization is in trustworthy hands.