An old adage in Washington says it is easier to defeat a bill than it is to pass one. Frank Underwood doesn’t even have to write the script on this one, as cyber information sharing and its critics shuffle back to the top of Washington’s house of cards.
The Cybersecurity Sharing Act of 2015 (S. 754), or CISA, hit the Senate floor this week.
But with the House versions passed back in April, opposition had time to organize while massive misconceptions about privacy rights and the proposed cybersecurity legislation grew.
CISA formalizes the voluntary exchange of information with the government.
CISA would allow the private and public sector to share the digital ones and zeroes behind the back wall of computer networks, where cyber traffic is tracked. It’s the technical data IT professionals have access to and use to assess the threats on systems while learning the adversaries’ methods and tactics. These valuable data points are called cyber threat indicators (CTIs). Sharing CTIs is the key to stopping, and even preventing, hack attacks.
What specific pieces of information are we talking about? The malware programs developed and deployed by an adversary leaves observable data. Networks can track things like IP addresses, websites, source email addresses, URLs. It is log data, traffic and network communication data related to suspicious activity.
Cyber information sharing is not about Social Security numbers, medical records, financial records or any other personally identifiable information (PII). From a cybersecurity perspective, that information has no value. Prominent cybersecurity sharing platforms, such as STIXX and TAXI, are not even built to accommodate PII.
Cyber sharing is already happening, but all too infrequently. It’s time to institutionalize voluntary cyber sharing that shields personal privacy, and CISA can do that.
Cybersecurity sharing actually works
In early 2015, Anthem Blue Cross and Blue Shield announced its induction into the least popular club forming in corporate America: the growing ranks of major companies admitting their IT networks have been hacked.
What’s remarkable about the Anthem breach is how quickly the company and its cybersecurity partners shared information about the attack’s specific threat indicators with the FBI, the Homeland Security Department and the U.S.-Computer Emergency Readiness Team (US-CERT). That technical dataset allowed Anthem’s business partners, the federal government, health care communities and anyone actively defending valuable computer networks to deploy appropriate defense measures, scan their systems, effectively shutting down the hacker’s modus operandi.
Anthem shared MD5 hashes, IP addresses and threat actor email addresses surrounding the attack. Anthem did not share any of the personal information of the almost 80 million clients affected.
But most hacking victims aren’t so quick to share CTIs, if that information is even shared at all. Private businesses don’t want to be accused of sharing PII or violating privacy protections. So instead of sharing the forensics needed to shut down cyber attacks, no information is shared at all.
This legislation formalizes rules of the road, determining which information is shared and providing liability protection for those who do share in good faith.
Most importantly, it is voluntary. Anthem was only obligated to disclose it had been hacked, not to disclose threat indicators voluntarily with business partners and the government. With CISA, that will not change. If an organization has privacy or other concerns, it cannot be compelled to share any CTIs.
CISA would encourage more companies to collaborate by providing liability protection for organizations sharing CTIs. It’s already standard procedure in the cyber world to scrub data, so only what is necessary is shared. CISA does not extend protection to a company that knowingly shares PII.
The unfounded idea that privacy rights are being threatened actually threatens the critical advances our government and private industry need to make in order to evolve at the same pace as the threat actors.
CISA is about even more than information sharing. There are significant weaknesses in our nation’s cybersecurity defenses, and strengthening collaboration is only the first step toward solving those problems.
A federal cybersecurity official once predicted that even if every current college undergraduate in our country majored in cybersecurity, the nation would still face a significant shortfall in qualified warriors to wage and win the cyber arms race. A framework for sharing attack information will help bridge the skill-set gap.
That is how the hackers do it. Adversaries share techniques, known vulnerabilities, malicious code and farm out tricky projects to other experts. If investigators do not collaborate on all fronts, U.S. cyber defenses are headed for a crisis because innovation won’t be happening on the right side of the fence.
This is not about one patient’s record or even 78 million patient records. CISA will help move national cyber defenses from a reactive to proactive stance, so we can catch the 21st century crook.
Todd Helfrich is the director of federal sales for ThreatStream.