“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families,” President Barack Obama told the U.S. Congress during the State of the Union Address last week.
However, hunting down the perpetrators of cyberattacks that compromise national security or disrupt commerce is only going to get more difficult in the future, as the president noted a week earlier during a visit to the National Cybersecurity Communications Integration Center. A unit of the Department of Homeland Security, the NCCIC is a 24/7 cybersituational awareness, incident response, and management center that collects and shares cyberthreat information among various parties.
“Foreign governments, criminals and hackers probe America’s computer networks every single day,” Obama noted at NCCIC, “but every day, our adversaries are getting more sophisticated and more determined, and more plentiful. So every day, we’ve got to keep upping our game at the same time. We’ve got to stay ahead of those who are trying to do us harm.”
The administration earlier this month proposed a package of legislative measures designed to improve the country’s ability to combat cyberintrusions. Among them was encouraging businesses to share information on cyberattacks and threats. Proposals supporting a national sharing effort moved forward in Congress last year but failed to become law. However, the need to improve such sharing has become more urgent in the wake of recent cyberattacks on U.S. merchants, Sony, and the U.S. Central Command.
Stumbling Blocks to Sharing Data
The main challenges to maximizing cyberthreat information sharing are ensuring that consumer information is protected in any sharing activity, and that private sector firms are relieved of any legal liability — such as suits that might arise from citizens contending that their privacy has been compromised in the process of sharing digital records.
“Sometimes it’s still too hard for government to share threat information with companies. Sometimes it’s still too hard for companies to share information about cyberthreats with the government. There are legal issues involved and liability issues,” Obama said at NCCIC. “At the same time, the American people have a legitimate interest in making sure that government is not potentially abusing information that it’s received from the private sector.”
The administration’s legislative proposal provides mechanisms for the private sector to share appropriate cyberthreat information with the government through the NCCIC, which then will share it, in as close to real time as practicable, with relevant federal agencies and with private sector-developed and operated information sharing and analysis organizations, or ISAOs.
Under federal law, an ISAO is “any formal or informal entity or collaboration created or employed by public or private sector organizations” for gathering, analyzing and communicating cyberthreat information. The White House proposal provides “targeted liability protection” for companies that share information with these entities.The legislation also encourages the formation of ISAOs.
The White House intends its proposals to complement, rather than limit, existing effective relationships between government and the private sector.
Businesses Seek Better Protection
Businesses solidly support cyberinformation-sharing initiatives — but they want to ensure that the private sector is protected from any potential liability.
“These days, and especially after last year, liability protection is incredibly important. Private sector firms don’t want the burden of having to look out for new threats and spend countless millions on new solutions,” said Adam Kujawa, head of malware intelligence at Malwarebytes.
“They would love it if there was a single organization — like the government — that they could work with to share threat information and be provided a list of ‘how-to stay secure’ that they have to keep up with once a year. If something were to happen to one of these organizations while they were sharing information and following these regulations, the blame is no longer their own,” he told the E-Commerce Times.
Finding a way to provide that liability protection has become a challenge for business and government. Financial companies already are engaged in multiple cyberinformation-sharing activities, according to 2014 Senate testimony by Doug Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association.
The sharing of threat information is “critical to the government and the private sector,” Johnson noted, but “clarity concerning liability protections for the sharing of information are still extremely important and transcend our sector.”
The failed 2014 Senate proposal would have granted broad liability protections for the private sector. However, the recent White House proposal “is narrower than last year’s Senate bill,” Johnson told the E-Commerce Times. “The protections need to extend not only for business-to-government sharing, but also between entities in the private sector.”
What’s needed is legislation that would allow private entities to share cyberthreat information with one other and with the federal government, in real time, while safeguarding the privacy and civil liberties of consumers, urged the Financial Services Roundtable in a response to the White House proposal.
However, the FSR noted the same flaw detected by the ABA.
Ball Is in Congress’ Court
“From what we can see in the administration’s proposal, liability protection is focused on cyberthreat indicators shared only through information-sharing mechanisms, such as the NCCIC and ISACs. While this is important, the proposal does not provide protections — and thus no incentive — for sharing cyberthreat information from one party to another. This is a gap, especially since not every industry has an information-sharing organization as robust as the financial services ISAC,” the FSR told the E-Commerce Times in a statement provided by spokesperson Alison Hawkins.
It appears that businesses, including many in the information technology sector, are not ready to completely endorse the administration’s proposals on information sharing and other cybersecurity matters, and will seek to modify them during congressional deliberations.
For example, “we are strongly in favor of cybersecurity legislation that will give businesses more access to government information on threats, open channels for greater information sharing between companies, and enhance private sector liability protection,” said Scott Belcher, CEO of the Telecommunications Industry Association.
The administration’s proposal “takes several positive steps toward achieving these goals,” he acknowledged.
However, “we look forward to engaging with both the House and Senate to advance effective cybersecurity legislation,” Belcher added.
“All security professionals agree that the threats described by the president are real, serious, and require a strong response, but since those responses are likely to be laws, we can expect some ugliness in them,” RedSeal CTO Mike Lloyd told the E-Commerce Times.
“However, the proposal is right that sharing is important,” he added, “so long as we agree that we’re all in this together, and that we have some degree of common cause as we face cyberadversaries.”