Info Sharing Déjà Vu
What do you do to pass controversial cybersecurity legislation that’s unlikely to make it through Congress as a standalone bill? You tuck it into a 2,009-page must-pass budget bill to keep the federal government open.
That’s the approach the 114th Congress took when it included the Cybersecurity Information Sharing Act (CISA) of 2015 in the omnibus spending bill it passed in December 2015, sending it to President Barack Obama to sign into law right before the holidays.
The law tasks the director of national intelligence, the attorney general, and the secretaries of homeland security and defense with developing and issuing procedures to facilitate and promote “the timely sharing of classified cyber threat indicators and defensive measures” with representatives who hold appropriate security clearances, and the sharing of unclassified indicators and defensive measures more broadly, among the federal government, state and local governments, and private businesses.
The law defines cyber threat indicators broadly enough to cover almost any information needed to describe or identify malicious activity used to gain unauthorized access to a system and cause harm, including malicious reconnaissance, methods of defeating a security control, and malicious command-and-control traffic.
To prevent personally identifiable information from being shared, intentionally or accidentally, the law requires a sharing entity to review a cyberthreat indicator before sharing it and to remove any information it knows at the time to be personal information of, or information that identifies, a specific individual and that is not directly related to the cybersecurity threat.
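What that review looks like in practice is a scrubbing step the sharing entity runs before an indicator leaves its network. The following is an added example, not code from the original article or from any government sharing program: a small Python scrubber that keeps only the fields describing the threat itself, drops fields that identify the victim or reporter, and redacts e-mail addresses and phone numbers from free text while preserving the malicious address that is the indicator. The field names and the sample indicator are constructed for this example and are not a CISA or STIX schema.

```python
import re

# Fields a sharing entity keeps because they describe the threat itself.
# The names are an assumption for this example, not any standard schema.
TECHNICAL_FIELDS = {"id", "type", "value", "first_seen", "description", "confidence"}

# Patterns for two common kinds of personal data found in free-text notes.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def scrub_text(text, keep):
    """Redact e-mail addresses and phone numbers in free text.

    Addresses listed in `keep` (lower-cased) survive: a phishing sender
    address is the indicator, not the victim's personal information.
    """
    def repl(match):
        return match.group(0) if match.group(0).lower() in keep else "[REDACTED]"

    text = EMAIL_RE.sub(repl, text)
    return PHONE_RE.sub("[REDACTED]", text)


def scrub_indicator(indicator):
    """Return (shareable_copy, removed_field_names).

    Non-technical fields are dropped outright, technical string fields are
    redacted, and the list of dropped fields is returned so the sharing
    entity can keep an audit record of what it withheld.
    """
    keep = {str(indicator.get("value", "")).lower()}
    removed = []
    shareable = {}
    for key, val in indicator.items():
        if key not in TECHNICAL_FIELDS:
            removed.append(key)
            continue
        shareable[key] = scrub_text(val, keep) if isinstance(val, str) else val
    return shareable, removed


# Constructed sample indicator: a phishing sender plus victim details that
# must not leave the organization.
SAMPLE = {
    "id": "ind-0001",
    "type": "email-addr",
    "value": "invoice@payroll-update.example",
    "description": (
        "Phishing lure sent from invoice@payroll-update.example to "
        "jane.doe@corp.example; victim called the helpdesk at 555-123-4567."
    ),
    "first_seen": "2016-01-12T09:30:00Z",
    "confidence": "high",
    "affected_user": "Jane Doe",
    "reporter_email": "soc@corp.example",
}

if __name__ == "__main__":
    shared, dropped = scrub_indicator(SAMPLE)
    print(shared)
    print("dropped fields:", dropped)
```

The allowlist is deliberately the safe default: a field that is not known to describe the threat is withheld rather than shared, which is the direction the statute's “knows at the time of sharing” standard points. Free-text notes are the usual leak path, so they are pattern-scrubbed separately from the structured fields.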
To encourage private businesses to participate in this voluntary sharing program, the law clarifies that businesses will not be held liable or prosecuted for information that’s shared through the system to combat cyberattacks.
To keep track of CISA’s progress, House Homeland Security Committee Chair Rep. Michael McCaul (R-TX) wrote in a column for Bloomberg that he plans to have his committee hold regular oversight hearings on the U.S. Department of Homeland Security’s (DHS) role in cybersecurity information sharing.
These hearings will be designed “to make certain there is effective implementation of these authorities and to ensure Americans’ privacy and civil liberties are properly protected,” McCaul explained in his op-ed.
James Barnett, head of Venable LLP’s cybersecurity practice, says that passing CISA is a major step forward because it provides real encouragement for businesses to share cyberthreat indicators with other businesses and with the government.
“I’ve had a former director of the National Threat Operations Center for the National Security Agency tell me it was very frustrating that they could see attacks occurring across the Internet, but because of restrictions in the law, they couldn’t share that information,” explains Barnett, who is the former chief of public safety and homeland security at the Federal Communications Commission. “Having a way that companies can share things with the government, and vice versa, is a good thing.”
But sharing cyberthreat indicators isn’t a new thing, which makes some experts skeptical as to why legislation needed to be passed in the first place. For example, Sean Mason, director of incident response and threat management practices at Cisco, noted that the bill breaks no new ground.
“To be honest, I’m still curious on why we needed to push this legislation through when programs like this have been in place for a number of years now,” Mason says. “I get the liability protection…but it’s not a get-out-of-jail-free card…it’s not going to prevent incidents from happening.”
Information Sharing and Analysis Centers (ISACs) have been around since 1998, when President Bill Clinton signed a directive requesting that public and private sectors create partnerships to share information about physical and cyber threats, vulnerabilities, and events to protect U.S. critical infrastructure.
There are currently 14 ISACs for critical infrastructure, and one of the most successful is the Financial Services ISAC (FS-ISAC), which was launched in 1999 and is sponsored by the U.S. Department of Treasury.
“Members of the Financial Services Information Sharing and Analysis Center worldwide receive timely notification and authoritative information specifically designed to help protect critical systems and assets from physical and cybersecurity threats,” according to its website.
Given the history of some of these ISACs, Chris Wysopal, chief technology officer and CISO of Veracode, is also doubtful of whether private companies will participate in a new cybersecurity information-sharing network.
“It’s voluntary, so how are they going to incentivize companies to do it? Like if I’m a financial services company and I’m already sharing with all the other banks, what’s going to incent me to share with DHS essentially?” Wysopal asks.
Technology companies have also been taking their own approach to information sharing with many using Facebook’s ThreatExchange Platform, which is in its beta form and is used by Pinterest, Tumblr, Facebook, Yahoo!, and Dropbox.
“If I were a tech company, I’d be more interested in trying that out before I would be sharing with DHS,” Wysopal adds.
And if companies do choose to participate in the government’s information-sharing network, there may be roadblocks to being able to share effectively, Mason says.
“It’s been a continued struggle for the private sector companies to actually ingest that intel, to have teams built out within private companies that are built to harness that information, learn from that, take those indicators, send them up—in a timely manner—and then ultimately have the government essentially be a clearing house and taking that information and disseminating it out in a very quick, automated fashion,” Mason explains.
This is why, for CISA to work, the government needs to create an automated portal to share cybersecurity information, says ThreatMetrix Chief Technology Officer and Senior Vice President of Engineering Andreas Baumhof.
“The essence of CISA is fantastic, but everything happens really fast, so this information needs to be shared in a fully automated way,” Baumhof says. “If there is any human person anywhere, that means it will be too late.”
Another issue that could prevent information sharing is whether workers in the private sector will need a security clearance to participate.
Obtaining a clearance is time consuming and would compound an existing problem: the shortage of information security workers is expected to reach 1.5 million by 2020, according to the 2015 (ISC)² Global Information Security Workforce Study.
“And now if we’re limiting that to folks who have a clearance or are capable of going out and getting one, that makes a problem that we already have now 10 times as hard to fill and to fix,” Mason explains.
Related to that issue is the problem of putting classified indicators and classified information into play. Mason notes that private companies can’t take something classified Secret or Top Secret and use it in their own tools to detect a breach.
“And then, also, the concept that the government tends to overclassify already, when the reality is you can’t necessarily take that information and now use it with folks who aren’t cleared or with tools that aren’t at a classified level. If you think about most companies out there, you just don’t operate that way,” Mason says.
Also of concern is the perceived lack of privacy protections for sharing data that may be considered a threat indicator. This is especially worrisome for individuals outside the United States, Baumhof says, because they are concerned about the U.S. government having access to their private data.
“European countries are not too comfortable sharing lots of data with the United States, especially if they don’t see protections against someone coming in and having access to that data,” he adds.
Director of National Intelligence James Clapper had until February 18 to outline the procedures that private companies and the federal government would use to share cybersecurity threat indicators, possibly addressing the issue of automation.
Attorney General Loretta Lynch and DHS Secretary Jeh Johnson then have until mid-May to publicly release the final policies and procedures for cybersecurity information sharing with the federal government. However, as of Security Management’s press time, that information was not available.
While McCaul plans to hold hearings on cyber information sharing, he is also planning to look at other ways to strengthen the nation’s cybersecurity that go beyond information sharing.
“This year I will also lead efforts to strengthen our cyber posture by bolstering our state and local cyber defenses, providing incentives to private entities to more effectively manage cyber risks, and improving how we conduct cyber investigations in the digital age,” McCaul wrote.
This approach by Congress—figuring out how to get the private sector to enhance cybersecurity without regulations—is the right one, Barnett says.
To get the private sector to adopt better cybersecurity practices, Barnett says Congress should provide tax incentives to allow companies to improve their systems, implement the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, and buy cybersecurity insurance.
Purchasing cybersecurity insurance is especially critical because it “will have the effect of upping companies’ game, because the insurance company will put them through a regime that will make them more secure—they’ll get the systems and services they need,” Barnett says. “And I think that’s really important for the mid-size and smaller companies.”
While passing any sort of legislation through the 114th Congress may be difficult during the upcoming election year, Barnett says he’s optimistic about tax incentives for cybersecurity enhancements.
“There’s going to be a great opportunity to do this over the next couple of years because there seems to be some real interest in tax reform, and there’s even discussion about lowering the tax rate,” he adds. “Why not get a twofer there? If you’re going to give some kind of tax break or encouragement to corporations, then why not give it in the realm of ‘well if you do some stuff on cybersecurity, you get the benefit of this tax break’?”
Wysopal says he thinks that cyber insurance will encourage greater transparency about what companies are doing. If these companies are breached but have adequate protections for their data, they can mitigate liability for damages.
“I think that’s a way that the market can force companies to raise the bar with their cybersecurity, without the government having to regulate anything except disclosure,” he explains.
One piece of legislation he supports that might change the game is the Cybersecurity Disclosure Act of 2015 (S. 2410). It would require companies that report to the Securities and Exchange Commission to disclose whether any member of their governing body—such as the board of directors or general partner—has expertise or experience in cybersecurity.
Experience would be defined in coordination with NIST and could include professional qualifications or experience detecting, preventing, mitigating, or addressing cybersecurity threats.
If no one in the governing body has cybersecurity experience, the company would be required “to describe what other cybersecurity steps taken by the reporting company were taken into account” by individuals responsible for identifying and evaluating nominees for the governing body, according to the bill.
Senator Jack Reed (D-RI) introduced the bill in December and it has one cosponsor: Senator Susan Collins (R-ME). The bill, however, has not advanced since its introduction.