Cyber security threats and data breaches are almost daily news. In a recent interview, Secretary of State John Kerry described the current cybersecurity landscape as being “a complicated and fast moving world…pretty much the wild west”. The U.S. federal government has therefore taken the initiative to devise a strategy to combat cyber threats. An Executive Order (EO), “Promoting Private Sector Cybersecurity Information Sharing,” was announced in February this year, followed by passage in April in the House of Representatives of the Cyber Intelligence Sharing and Protection Act (CISPA), which is awaiting approval by the Senate. The express purpose of the policymaking activity is to encourage companies to share security intelligence.
Sharing threat intelligence and security information is not a new concept. Since 1999, the financial sector has been running the FSISAC (Financial Services Information Sharing and Analysis Center), which encourages cybersecurity collaboration between members of the financial sector. FSISAC processes thousands of threat indicators every month and informs its members of cybersecurity attacks, helping each to prepare and respond to threats.
The federal government’s move to make cybersecurity sharing a more institutionalized and widespread ethos is therefore not a new notion, nor out of reach. But will government succeed? Can they win over the opposition?
Supporters of CISPA
Federal government has a number of supporters of CISPA . These include tech industry members such as Facebook, Business Roundtable, CSC, Edison Electric, Intel, IBM and Symantec, Lockheed Martin, Microsoft and Verizon, all of whom have sent letters of support.
The financial sector, already seasoned advocators of collaborative security, also support the bill, with the Financial Service Roundtable stating that, “…information sharing legislation, and collaboration between the financial industry, merchants and the federal government are all critical steps to ensuring our shared customers and the economy can stay one step ahead of cyberattacks”
What do CISPA supporters care about?
The industries supporting the legislation, recognize that sharing cyber information allows them to better defend their own and their customers’ data. In particular, the tech industry is, in general, in favour of CISPA. They understand that sharing cyber threat data is a positive step towards being able to manage the increasing levels of threats we are currently experiencing. For example, Facebook released a public message of support for CISPA,stating: “We hope that as Congress moves forward in considering this and any other cyber legislation, the result will be legislation that helps give companies like ours the tools we need to protect our systems and the security of our users’ information, while also providing those users confidence that adequate privacy safeguards are in place”.
Opposers of CISPA
There are, of course, many who oppose CISPA. These are predominantly organizations involved in civil liberties, such as the Center for Democracy and Technology, the American Civil Liberties Union and Reporters Without Borders. There are also commercial groups opposing the bill, such as Mozilla.
What do CISPA opposers care about?
Those who oppose the bill are predominantly concerned with privacy,the legalities of copyright law and protection of proprietary information. Personally identifiable information, or PII, is an area that has been addressed in the bill and many have questioned the need to share PII to achieve a collaborative eco-system. The opposition also claim that ‘cyber threat information’ and ‘proprietary information / intellectual property’ are not well defined in the bill. This has led to concerns that customer information would be handed over to government without real protections applied, this action, in itself, causing a cyber-threat.
Immunity from any wrongdoing, is given to companies that claim to have performed a transaction ‘in good faith’ – something that is very difficult to disprove. Once PII is passed over to government, there are no checks and measures to ensure that the government cannot then subsequently use that data, especially under the very broad definitions of the National Security Act. Some CISPA detractors like Access, who promote global digital freedom, have described the bill as an attempt to create a ‘mass surveillance state’ and have petitioned to withdraw support for the bill. Similar actions have been taken by the American Civil Liberties Union and the Cato Institute.
Others are also worried about the regulation and control of the legislation. For example, some are concerned that the cyber threat data shared through the bill, will be used in a hack back attack, where shared details could be used to attack weaker third party companies without their knowledge.
Current state of play and next steps
It’s good news that the U.S. is taking a positive stance against cybercrime by bridging the legal barriers between industry and government, so that they can collaborate r. Sharing information is always going to result in a more informed community. However, nothing is ever straight forward. Organizations are notoriously careful, even secretive about security breaches. Often this is based on the hope that keeping it private will offer protection from further attacks, thus protecting the company’s reputation.
As CISPA awaits the approval of the Senate, many are hopeful that the bill will address the legal angle of data sharing and the protection of companies sharing their cybersecurity threat data. However, some still say this doesn’t go far enough to protect the privacy of the companies (and their customers) sharing the data. Especially in the post Snowden era, many privacy advocates have pointed out the government’s poor record in protecting data shared with them. It is therefore of little wonder that some, such as senator Wyden, have coined the bill as a ‘surveillance bill’.
Opposing Republican senators have tried to negate the bill by limiting which amendments can be made to the legislation, claiming that it would prove difficult for industry to enact.
Indeed, their concern is correct. Pushing the envelope on cybersecurity protection via an industry/government intelligence sharing bill, needs to have the full and engaged backing of industry and government to be truly effective. If industry does not embrace the ideologies behind the order fully, it will fall short of its mark. The order needs to be backed by investment in specialist teams to integrate the initiative into real world actions, including utilizing the right types of security tools that can provide affirmative action and can promote security collaboration as a technology, not just an idea.
The sharing of security intelligence will only be successful if it is done in an environment of trust. This has to be carefully monitored within an infrastructure set up purely for this purpose and highly regulated. But creating this environment is not impossible. A working example of this type of security collaboration can be seen in Pittsburgh, which is using a public-private cybersecurity collaboration initiative to fight the increasingly sophisticated cyber threats being experienced across sectors. The Pittsburgh initiative was formed by FBI agents in the early 2000s to work within banks to identify cyber threats. The key to its success has been in building trusted collaboration networks, helped by organizations such as the National Cyber-Forensics & Training Alliance that use the knowledge of the public sector and the strengths of law enforcement to make real inroads in fighting cybercrime.
Another positive example of cross industry collaboration which fits in well with the ideologies of the Obama cybersecurity executive order, can be seen in the Google Zero Day Project which hunts down zero day vulnerabilities, used by cybercriminals to exploit holes in software, so called because the vendor in question hasn’t yet discovered the vulnerability. Google has created a team of security specialists who run this project, the team identifying security vulnerabilities in software products, which are then disclosed to the vendor for remediation. This is a very positive and helpful collaborative security initiative.
To ensure that the very positive nature of the Obama cybersecurity executive order is successful, the positive aspects of it need to be understood, balanced with an acknowledgement and a management of the negative aspects. What is needed is collaborative platforms, like Comilion, to create tools that build trust frameworks that an organization can work within and that can, at the same time, accommodate the varying types and levels of compliance and regulations that cross industry collaboration would require.
Latest posts by Kobi Freedman (see all)
- Data Sharing Technology Revolutionizes Healthcare - March 14, 2016
- Data Sharing Gets a Ride: How Popular Ride-Sharing Apps Influence Policy On Sharing - March 1, 2016
- Data Ownership Questions Answered by Decentralized P2P Platforms - February 18, 2016