Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/3/2015
10:30 AM
Paul Kurtz
Paul Kurtz
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Congress Clears Path for Information Sharing But Will It Help?

The key challenge companies will face with the new Cybersecurity Information Sharing Act of 2015 is how quickly they can separate data they need to share with data they need to protect.

With the Senate’s recent passing of the Cybersecurity Information Sharing Act of 2015 (CISA), we are now very close to having a law that provides companies liability protection when sharing information around cybersecurity threats. In the coming weeks, Congressional leaders and staff will be working in conference to officially merge CISA with the two complementary House bills passed in April, the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act of 2015 (NCPAA).

All three bills have the following in common: they provide liability protection for companies sharing cyber threat indicators and defensive measures for a cybersecurity purpose both among themselves and with the government. There are some differences in how these three key terms are defined across the bills, and they are not insignificant to the eventual implementation of the law.

The bills also offer differing levels of prescriptive details around the process by which this information is to be shared and the role of various government entities in ensuring compliance. Given the technical nature of the discussion and the impact these definitions have on the resolution of some of the privacy concerns surrounding the bills, (as well as the recent changes in committee leadership), we can expect a challenging conference process that is likely take at least a few weeks once underway.

The debate surrounding the bills has largely focused on privacy concerns, with far less discussion around how they will actually impact information sharing programs now that they have been passed. The resolution of the differences between the bills during the conference process leaves some open questions on implementation, but we can draw some general conclusions given what we know now.

[For more information on the Cybersecurity Information Sharing Act of 2015, read 5 Things To Know About CISA.]

It appears that we will see a process whereby the Department of Homeland Security, likely through the National Cybersecurity and Communications Integration Center (NCCIC), will play the lead role both in collecting and distributing information shared with the government. It is clear that legislators envision some type of DHS-managed portal to accept and communicate cyber threat indicators and defensive measures from any entity in real time. The final legislation is also likely to include explicit limitations around how government can use the data it receives with the objective of confining usage to cybersecurity defense.

Given concerns surrounding government usage of the data and privacy protection, it is frequently overlooked that these bills provide private-sector entities the same liability protections when they exchange information with one another, even with no government involvement in the process at all. In this way, the legislation aims to address concerns about legal liability, antitrust violations, and protection of intellectual property and other proprietary business information that have long been obstacles to rapid information sharing within industry.

In order to be covered by the liability protections, which are fairly narrow, companies will need to ensure that the information they share fits the forthcoming definitions of “cyber threat indicator” and “defensive measure” and that they are sharing the information for no other reason than cybersecurity defense. As an example, information shared amongst companies regarding consumer violation of license agreements is likely to be explicitly excluded from liability protection under the new law. Further, companies are likely to be responsible for scrubbing data of any personally identifiable information before sharing it. This will require companies participating in information sharing initiatives to have some controls in place to ensure that they are sharing the right information for the right purpose and not running afoul of privacy protections.

On its surface, this legal-speak may not sound incredibly game changing, especially for those companies already accepting some of the risk of participation in information sharing initiatives. But consider that even when companies decide to share information, lengthy internal legal reviews frequently prevent companies from sharing it quickly enough to be of value to their own mitigation efforts or a useful early warning for others. New liability protections hold the potential to shorten that legal review significantly if companies can put in place a streamlined process to ensure the data they share meets the criteria for coverage under the law.

The key challenge for companies will be separating the data they need to share (cyber threat indicators and defense measures) with the data they need to protect (PII) – and to do so quickly enough that the information shared is still relevant. Fortunately, there are a number of new solutions and standards aimed at automating much of this process.

As an industry, we’ve known for a long time that we need to get better at sharing cyber threat information to reduce uncertainty around cyber incidents and get ahead of our adversaries. While legislation is certainly not a cure-all, the government has done its part to clear at least one of the longstanding hurdles to effective cybersecurity collaboration by addressing many of the industry’s legal concerns. It will be interesting to watch as the guidance around the implementation of the bill progresses and see whether the industry is finally able to use information sharing as a key factor in staying ahead of the bad guys.

Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/25/2015 | 11:24:23 AM
Re: Congress Clears Path for Information Sharing But Will It Help?
...not to mention customer information!
jries921
50%
50%
jries921,
User Rank: Ninja
12/16/2015 | 9:45:51 AM
Re: Congress Clears Path for Information Sharing But Will It Help?
I haven't read the bill, but I think the bigger concern is that it will be used as a means of indemnifying companies who decide to hand over personnel and customer records to the FBI, ostensibly for use in cybersecurity investigations, but actually in criminal ones (so it doesn't have to go through the hassle of getting search warrants).
UmeshKTiwari
50%
50%
UmeshKTiwari,
User Rank: Strategist
12/8/2015 | 10:28:12 AM
Congress Clears Path for Information Sharing But Will It Help?
I happen to think this will certainly help and give credence to the organizations that have already been sharing information or understand the value of sharing, want to share, but had been held back for fear of potential liabilities. There are obviously the privacy hawks and those who still believe in keeping their stuff under wraps as a form of protection through obscurity that they can live with. Information sharing organizations (the ISACs) will become more mature, profitable business ventures rather than the largely volunteer service organizations that they are today.

This new legal framework will enable making information sharing a mainstream and acceptable thing over time.
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15113
PUBLISHED: 2019-08-16
The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.
CVE-2019-15114
PUBLISHED: 2019-08-16
The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.
CVE-2019-15115
PUBLISHED: 2019-08-16
The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.
CVE-2019-15116
PUBLISHED: 2019-08-16
The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.
CVE-2017-18547
PUBLISHED: 2019-08-16
The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms.