Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Paul Kurtz
Paul Kurtz
Connect Directly
E-Mail vvv

Congress Clears Path for Information Sharing But Will It Help?

The key challenge companies will face with the new Cybersecurity Information Sharing Act of 2015 is how quickly they can separate data they need to share with data they need to protect.

With the Senate’s recent passing of the Cybersecurity Information Sharing Act of 2015 (CISA), we are now very close to having a law that provides companies liability protection when sharing information around cybersecurity threats. In the coming weeks, Congressional leaders and staff will be working in conference to officially merge CISA with the two complementary House bills passed in April, the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act of 2015 (NCPAA).

All three bills have the following in common: they provide liability protection for companies sharing cyber threat indicators and defensive measures for a cybersecurity purpose both among themselves and with the government. There are some differences in how these three key terms are defined across the bills, and they are not insignificant to the eventual implementation of the law.

The bills also offer differing levels of prescriptive details around the process by which this information is to be shared and the role of various government entities in ensuring compliance. Given the technical nature of the discussion and the impact these definitions have on the resolution of some of the privacy concerns surrounding the bills, (as well as the recent changes in committee leadership), we can expect a challenging conference process that is likely take at least a few weeks once underway.

The debate surrounding the bills has largely focused on privacy concerns, with far less discussion around how they will actually impact information sharing programs now that they have been passed. The resolution of the differences between the bills during the conference process leaves some open questions on implementation, but we can draw some general conclusions given what we know now.

[For more information on the Cybersecurity Information Sharing Act of 2015, read 5 Things To Know About CISA.]

It appears that we will see a process whereby the Department of Homeland Security, likely through the National Cybersecurity and Communications Integration Center (NCCIC), will play the lead role both in collecting and distributing information shared with the government. It is clear that legislators envision some type of DHS-managed portal to accept and communicate cyber threat indicators and defensive measures from any entity in real time. The final legislation is also likely to include explicit limitations around how government can use the data it receives with the objective of confining usage to cybersecurity defense.

Given concerns surrounding government usage of the data and privacy protection, it is frequently overlooked that these bills provide private-sector entities the same liability protections when they exchange information with one another, even with no government involvement in the process at all. In this way, the legislation aims to address concerns about legal liability, antitrust violations, and protection of intellectual property and other proprietary business information that have long been obstacles to rapid information sharing within industry.

In order to be covered by the liability protections, which are fairly narrow, companies will need to ensure that the information they share fits the forthcoming definitions of “cyber threat indicator” and “defensive measure” and that they are sharing the information for no other reason than cybersecurity defense. As an example, information shared amongst companies regarding consumer violation of license agreements is likely to be explicitly excluded from liability protection under the new law. Further, companies are likely to be responsible for scrubbing data of any personally identifiable information before sharing it. This will require companies participating in information sharing initiatives to have some controls in place to ensure that they are sharing the right information for the right purpose and not running afoul of privacy protections.

On its surface, this legal-speak may not sound incredibly game changing, especially for those companies already accepting some of the risk of participation in information sharing initiatives. But consider that even when companies decide to share information, lengthy internal legal reviews frequently prevent companies from sharing it quickly enough to be of value to their own mitigation efforts or a useful early warning for others. New liability protections hold the potential to shorten that legal review significantly if companies can put in place a streamlined process to ensure the data they share meets the criteria for coverage under the law.

The key challenge for companies will be separating the data they need to share (cyber threat indicators and defense measures) with the data they need to protect (PII) – and to do so quickly enough that the information shared is still relevant. Fortunately, there are a number of new solutions and standards aimed at automating much of this process.

As an industry, we’ve known for a long time that we need to get better at sharing cyber threat information to reduce uncertainty around cyber incidents and get ahead of our adversaries. While legislation is certainly not a cure-all, the government has done its part to clear at least one of the longstanding hurdles to effective cybersecurity collaboration by addressing many of the industry’s legal concerns. It will be interesting to watch as the guidance around the implementation of the bill progresses and see whether the industry is finally able to use information sharing as a key factor in staying ahead of the bad guys.

Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
12/25/2015 | 11:24:23 AM
Re: Congress Clears Path for Information Sharing But Will It Help?
...not to mention customer information!
User Rank: Ninja
12/16/2015 | 9:45:51 AM
Re: Congress Clears Path for Information Sharing But Will It Help?
I haven't read the bill, but I think the bigger concern is that it will be used as a means of indemnifying companies who decide to hand over personnel and customer records to the FBI, ostensibly for use in cybersecurity investigations, but actually in criminal ones (so it doesn't have to go through the hassle of getting search warrants).
User Rank: Strategist
12/8/2015 | 10:28:12 AM
Congress Clears Path for Information Sharing But Will It Help?
I happen to think this will certainly help and give credence to the organizations that have already been sharing information or understand the value of sharing, want to share, but had been held back for fear of potential liabilities. There are obviously the privacy hawks and those who still believe in keeping their stuff under wraps as a form of protection through obscurity that they can live with. Information sharing organizations (the ISACs) will become more mature, profitable business ventures rather than the largely volunteer service organizations that they are today.

This new legal framework will enable making information sharing a mainstream and acceptable thing over time.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.
PUBLISHED: 2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrat...
PUBLISHED: 2019-12-12
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.