Real-world roadblocks to implementing CISA
The recent approval of CISA (the Cybersecurity Information Sharing Act) by the US Congress and Senate is paving the way for broader security collaboration.
There is a rapidly growing belief that security intelligence sharing needs to become part of every company’s defense toolbox – to detect, analyze, research and mitigate cybersecurity risks. Nevertheless, major obstacles remain. These include the implications that information sharing will have on the privacy of consumers, who are caught in the crosshairs of security data exchanges between companies and governments.
The main goal of CISA is to reduce the barriers to meaningful sharing and collaboration between enterprises and government by addressing liability concerns associated with sharing sensitive data.
In its current form, CISA focuses on the following concerns:
1. Liability Protection – Companies will not be held liable for sharing (sending or receiving) indicators of compromise required to respond to a cyber threat. An important distinction should be made between sharing with government agencies and sharing with other companies. When sharing security intelligence with the government, liability is limited to the extent of another lawful requirement:
“No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity for the voluntary disclosure or receipt of a lawfully obtained cyber threat indicator… that the entity was not otherwise required to disclose to or from (1) NCICC, or (2) a private ISAO that “maintains a publicly-available self-certification.”
However, sharing with other companies will provide complete liability protection, excluding situations where CISA protection is abused – such as those covered by amendment 2564, which prevents businesses from using CISA liability protections to violate user agreements.
2. Government Sharing – President Obama’s 2011 proposal allowed the DHS to share data it received with other law enforcement entities. This broad-reaching approach triggered massive opposition over fears that other agencies would misuse the data, and that it would discourage private companies from sharing information with the government over concerns that they could be implicated in criminal investigations.
The 2015 proposal addresses this concern (section 107(2)) by limiting the requirement to share security data with law enforcement to situations where the information is needed “to investigate, prosecute, disrupt, or otherwise respond to:
(A) a computer crime
(B) a threat of death or serious bodily harm
(C) a serious threat to a minor, including sexual exploitation and threats to physical safety; or
(D) an attempt or conspiracy to commit any offense described in (A)-(C)”
3. Privacy Protection – The most criticized part of the act concerns possible privacy violations if an individual’s personal information is shared as part of a cybersecurity event. The 2015 proposal retains provisions from the 2011 proposal that require entities to make “reasonable efforts” to remove information that could be used to identify a specific person before sharing, but it only requires this information to be removed for individuals “reasonably believed to be unrelated to the cyber threat”.
The current debate regarding privacy protection centers around distinguishing between information about suspected attackers (which should be shared), and information about potential victims (which merits protection).
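One way to apply that attacker/victim split before an indicator record leaves the organisation, as an added example that is not part of the original article (the network ranges, mail domain, field names and sample event are constructed assumptions; attacker-side values pass through, victim-side values are dropped or generalised, and each change is logged so the “reasonable efforts” can be evidenced):

```python
import re
from ipaddress import ip_address, ip_network

# Constructed assumptions about the sharing organisation: networks and mail
# domains it owns (victim side) and fields known to hold personal data.
OWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
OWN_DOMAINS = {"corp.example"}
PERSONAL_FIELDS = {"victim_user", "victim_email", "victim_name"}
IP_FIELDS = {"src_ip", "dst_ip"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def is_internal_ip(value):
    try:
        return any(ip_address(value) in net for net in OWN_NETWORKS)
    except ValueError:  # not an IP literal at all
        return False

def redact_own_emails(text):
    """Replace only addresses in our own domains; attacker addresses stay."""
    def repl(m):
        return "[redacted]" if m.group(1).lower() in OWN_DOMAINS else m.group(0)
    return EMAIL_RE.sub(repl, text)

def sanitize_for_sharing(event):
    """Return (shareable_record, redaction_log) for one incident record."""
    shared, log = {}, []
    for key, value in event.items():
        if key in PERSONAL_FIELDS:
            log.append(f"dropped {key}")
            continue
        if key in IP_FIELDS and is_internal_ip(value):
            shared[key] = "INTERNAL_HOST"  # keep the role, not the address
            log.append(f"generalised {key}")
            continue
        if isinstance(value, str):
            cleaned = redact_own_emails(value)
            if cleaned != value:
                log.append(f"redacted own-domain email in {key}")
            value = cleaned
        shared[key] = value
    return shared, log

# Constructed sample incident; the hash is a placeholder, not a real IoC.
SAMPLE_EVENT = {
    "src_ip": "198.51.100.7",
    "dst_ip": "10.1.2.3",
    "malware_sha256": "00" * 32,
    "phish_sender": "billing@attacker.test",
    "victim_email": "alice@corp.example",
    "description": "alice@corp.example opened a file sent by billing@attacker.test",
}
```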
The need for sharing and collaboration
If and when CISA is ratified into law, the chief obstacles to cybersecurity collaboration within the private sector will remain, including:
Cyber experts are paranoid, and for good reason – the magnitude, sophistication and damages arising from cyber breaches are enormous – which makes them hesitant to share sensitive information with non-trusted peers. Meanwhile, current cloud-based approaches for creating intelligence sharing hubs raise concerns that data may be leaked to unwanted parties.
One painful challenge for security experts is the enormous amount of data they must parse, which makes identifying actionable insights almost impossible. False positives, data overlap and threat relevancy also discourage companies from investing in security collaboration initiatives.
Other Regulatory Frameworks
CISA promotes sharing – but when dealing with cyber threat data, companies are also concerned about other mandates that may govern the information being shared. These include anti-trust, privacy, sector-specific directives and data protection regulations that affect many multi-national organizations. Cross-jurisdictional sharing creates the need for a mechanism to handle the overload of decision making required to avoid potential liabilities arising from sharing at scale.
So while CISA is a step in the right direction and will encourage broader cybersecurity collaboration, the mechanics and execution of sharing intelligence between companies and with the government require technology frameworks that can eliminate the current trust, information overload and regulatory roadblocks.