Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/3/2015
10:30 AM
Paul Kurtz
Paul Kurtz
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Congress Clears Path for Information Sharing But Will It Help?

The key challenge companies will face with the new Cybersecurity Information Sharing Act of 2015 is how quickly they can separate data they need to share with data they need to protect.

With the Senate’s recent passing of the Cybersecurity Information Sharing Act of 2015 (CISA), we are now very close to having a law that provides companies liability protection when sharing information around cybersecurity threats. In the coming weeks, Congressional leaders and staff will be working in conference to officially merge CISA with the two complementary House bills passed in April, the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act of 2015 (NCPAA).

All three bills have the following in common: they provide liability protection for companies sharing cyber threat indicators and defensive measures for a cybersecurity purpose both among themselves and with the government. There are some differences in how these three key terms are defined across the bills, and they are not insignificant to the eventual implementation of the law.

The bills also offer differing levels of prescriptive details around the process by which this information is to be shared and the role of various government entities in ensuring compliance. Given the technical nature of the discussion and the impact these definitions have on the resolution of some of the privacy concerns surrounding the bills, (as well as the recent changes in committee leadership), we can expect a challenging conference process that is likely take at least a few weeks once underway.

The debate surrounding the bills has largely focused on privacy concerns, with far less discussion around how they will actually impact information sharing programs now that they have been passed. The resolution of the differences between the bills during the conference process leaves some open questions on implementation, but we can draw some general conclusions given what we know now.

[For more information on the Cybersecurity Information Sharing Act of 2015, read 5 Things To Know About CISA.]

It appears that we will see a process whereby the Department of Homeland Security, likely through the National Cybersecurity and Communications Integration Center (NCCIC), will play the lead role both in collecting and distributing information shared with the government. It is clear that legislators envision some type of DHS-managed portal to accept and communicate cyber threat indicators and defensive measures from any entity in real time. The final legislation is also likely to include explicit limitations around how government can use the data it receives with the objective of confining usage to cybersecurity defense.

Given concerns surrounding government usage of the data and privacy protection, it is frequently overlooked that these bills provide private-sector entities the same liability protections when they exchange information with one another, even with no government involvement in the process at all. In this way, the legislation aims to address concerns about legal liability, antitrust violations, and protection of intellectual property and other proprietary business information that have long been obstacles to rapid information sharing within industry.

In order to be covered by the liability protections, which are fairly narrow, companies will need to ensure that the information they share fits the forthcoming definitions of “cyber threat indicator” and “defensive measure” and that they are sharing the information for no other reason than cybersecurity defense. As an example, information shared amongst companies regarding consumer violation of license agreements is likely to be explicitly excluded from liability protection under the new law. Further, companies are likely to be responsible for scrubbing data of any personally identifiable information before sharing it. This will require companies participating in information sharing initiatives to have some controls in place to ensure that they are sharing the right information for the right purpose and not running afoul of privacy protections.

On its surface, this legal-speak may not sound incredibly game changing, especially for those companies already accepting some of the risk of participation in information sharing initiatives. But consider that even when companies decide to share information, lengthy internal legal reviews frequently prevent companies from sharing it quickly enough to be of value to their own mitigation efforts or a useful early warning for others. New liability protections hold the potential to shorten that legal review significantly if companies can put in place a streamlined process to ensure the data they share meets the criteria for coverage under the law.

The key challenge for companies will be separating the data they need to share (cyber threat indicators and defense measures) with the data they need to protect (PII) – and to do so quickly enough that the information shared is still relevant. Fortunately, there are a number of new solutions and standards aimed at automating much of this process.

As an industry, we’ve known for a long time that we need to get better at sharing cyber threat information to reduce uncertainty around cyber incidents and get ahead of our adversaries. While legislation is certainly not a cure-all, the government has done its part to clear at least one of the longstanding hurdles to effective cybersecurity collaboration by addressing many of the industry’s legal concerns. It will be interesting to watch as the guidance around the implementation of the bill progresses and see whether the industry is finally able to use information sharing as a key factor in staying ahead of the bad guys.

Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/25/2015 | 11:24:23 AM
Re: Congress Clears Path for Information Sharing But Will It Help?
...not to mention customer information!
jries921
50%
50%
jries921,
User Rank: Ninja
12/16/2015 | 9:45:51 AM
Re: Congress Clears Path for Information Sharing But Will It Help?
I haven't read the bill, but I think the bigger concern is that it will be used as a means of indemnifying companies who decide to hand over personnel and customer records to the FBI, ostensibly for use in cybersecurity investigations, but actually in criminal ones (so it doesn't have to go through the hassle of getting search warrants).
UmeshKTiwari
50%
50%
UmeshKTiwari,
User Rank: Strategist
12/8/2015 | 10:28:12 AM
Congress Clears Path for Information Sharing But Will It Help?
I happen to think this will certainly help and give credence to the organizations that have already been sharing information or understand the value of sharing, want to share, but had been held back for fear of potential liabilities. There are obviously the privacy hawks and those who still believe in keeping their stuff under wraps as a form of protection through obscurity that they can live with. Information sharing organizations (the ISACs) will become more mature, profitable business ventures rather than the largely volunteer service organizations that they are today.

This new legal framework will enable making information sharing a mainstream and acceptable thing over time.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...
CVE-2020-5242
PUBLISHED: 2020-02-20
openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file whic...
CVE-2020-8601
PUBLISHED: 2020-02-20
Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attack to use the product installer to load other DLL files located in the same directory.