Security experts mostly critical of proposed threat intelligence sharing bill

10.09.2015
This fall, the Senate is expected to take another look at the Cybersecurity Information Sharing Act, or CISA, but many security experts and privacy advocates are opposed.

Cybersecurity has been in the news a lot this summer, and not just with several new high-profile breaches in government and in the private sector.

Last month alone, the Pentagon began requiring defense contractors to report breaches, the White House Office of Management and Budget proposed new cybersecurity rules for contractor supply chains, and a court agreed that the Federal Trade Commission has the authority to enforce cybersecurity standards.

And many security experts agree that it's important for companies to share cybersecurity information, in real time, without risk of being publicly embarrassed, fined, or sued.

"I understand the concern about individuals and organizations concerned about privacy," said Jerry Irvine, CIO at Prescient Solutions. "But the bottom line is that we can't protect ourselves without the ability to show actual technical data to other organizations within our industry and agencies in the federal government."

It is extremely important for a law to get passed, he added, since existing information sharing platforms are inadequate, or not in real time.

"Concerns about privacy with regard to CISA are in my view overblown," said Simon Crosby, co-founder and CTO at Bromium. "There are undoubtedly many benefits that will accrue as a result of wider, faster sharing of threat intelligence."

But the bill, as written, has problems, others say.

The biggest concern most critics of the CISA bill have is that it seems to be more about the government gathering information than about helping companies improve security.

"For most of the security community, the concern about CISA is in its potential to open up yet another avenue for warrantless seizure of personal information," said Andy Manoske, senior product manager at AlienVault.

According to Manoske, government organizations would be able to seize, without a warrant, any private data that they say is related to violent crimes, or share private user data with other international organizations.

"The way that the bill is written would give companies the ability to spy on all of their users with impunity, in order to detect if they are a 'cyber threat,'" said Justin Harvey, chief security officer at Fidelis Cybersecurity. "This information can be shared with the Department of Homeland Security, which can then, in turn, send the data to the NSA in real time, or companies can bypass DHS altogether and send it over to the NSA."

The only positive feature of the bill, he said, is that it requires the federal government to share cyber threat information with the commercial sector.

"I haven’t heard of any security experts supporting the bill," he added. "Those who support it either don’t know that much about threat intelligence sharing or they don’t know enough about the bill."

Meanwhile, when it comes to actually improving security, CISA is so badly written that it won't do any good, experts say.

"Privacy issues aside, it will be totally ineffective for a variety of reasons," said Jason Polancich, founder and chief architect at Sterling, Va.-based SurfWatch Labs. "The biggest reason is the issues being legislated around are not at all understood by Congress. Information sharing is difficult -- there isn’t one model that works for everybody and our government is simply not equipped to move as fast as the cybercriminals are moving now."

CISA will be a waste of time and taxpayer money, he added.

"CISA requires little to nothing in terms of actual security protections," said AlienVault's Manoske. "In fact, in a particularly comical oversight, the lack of a listed reporting standard means that threat indicators reported in CISA will require organizations to manually sift through indicators -- arbitrarily introducing a time delay."

In fact, CISA might even create new security problems, said Ben Johnson, chief security strategist at Bit9.

"The fact that a lot of private and personally identifiable information could be shared sets up yet another lucrative target for cyber attackers," he said.

Several security experts pointed out that the federal government doesn't exactly have a good reputation for protecting data.

The recent breach of the Office of Personnel Management "showed everyone how porous and vulnerable our government networks are," said Ron Gula, CEO at Tenable Network Security. He suggested that what we need is more information about security practices at federal agencies.

Another problem with the bill is that some of the amendments added on to make it better actually make it worse.

For example, one amendment is intended to help prosecutors take down botnets, but does a bad job of explaining just what a botnet is.

"An overzealous prosecutor could use it to target any behavior that the government didn't like," said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint. "That includes many examples of legitimate peer-to-peer software."

There are already more than a dozen Information Sharing and Analysis Centers, for aviation, defense, finance, IT, healthcare, energy, real estate, education, transportation, and other industry sectors.

"Given the number of ISACs being formed, I'm also concerned with whether an information sharing bill is really needed," said Todd Inskeep, advisory board member at the RSA Conference. "There is already a tremendous amount of information sharing across corporations and with the government. It’s not clear there's a real need for new rules."

In addition, there are commercial threat intelligence information services.

"All the big players, because they want to see what everyone else has, anonymously exchange malware samples," said Kalember. "And it's very, very useful information. The private sector has been doing things like this for a very long time."

And companies without the ability to set up information sharing infrastructure on their own are increasingly turning to security vendors who do it for them.

One recent vendor in this space is TruSTAR Technology, which allows enterprises to instantly share threat data with one another in an anonymized way.

"It allows companies to work together and share actionable information without it being known that it comes from you," said CEO Paul Kurtz, who is a former White House cybersecurity adviser.

And member organizations don't just share out of the goodness of their hearts, since they get immediate feedback about other similar reports and benefit from what others have already learned. The platforms even enable security analysts from different companies to work together to counter attacks, both anonymously, and in trusted groups.

The incident database is stripped of all identifying information, Kurtz said, whether personally identifiable information about individuals or information about the organization that is sharing the data.

"Even if Uncle Sam comes to me and says, 'Where did you get that data?' I can't tell them," Kurtz said. "It's not that I won't tell them -- I can't tell them."

But despite the fact that his company offers a product specifically designed to address the same kind of problems as CISA, Kurtz supports the legislation.

"I really do think we need Congress to enable enterprises to connect with each other and work with each other in defeating the bad guys," he said. "Right now, they have one hand tied behind their back."

(www.csoonline.com)

Maria Korolov
