The U.S. Congress is having another one of its
less-than-fine hours on the matter of
cybersecurity. Despite consensus support across the
political spectrum and the business community, admonishments
from the White House and alarms sounded by government and
private sector battlers against the relentless onslaught of
malicious attacks, a law designed to marshal threat
intelligence more effectively has yet to be enacted.
The objective of several proposals is to encourage
collaboration, as implied by the name of one Senate bill, the
Cybersecurity Information Sharing Act of 2015. The principle is
embodied in the Protecting Cyber Networks Act that passed the
House in April by 307-116.
Cooperation toward a common good would seem inherently
uncontroversial; 94 percent had a favorable view of
public-private information sharing in a survey released in May by San Mateo,
California-based BrightPoint Security. Corporate interests
say codification is necessary to protect them from liability
that they may incur under existing laws that restrict
disclosures, or as a result of disseminating information in
good faith that turns out to be inaccurate.
Washington analysts might say that the legislation ran up
against conflicting priorities (Senate Republicans were
rebuffed in a June attempt to attach the Cybersecurity
Information Sharing Act to the National Defense Authorization
Act) or the persuasiveness of a few dissenting voices
objecting to some surveillance provisions.
Such punditry may obscure certain on-the-ground realities.
The fact is that information sharing is neither unknown nor
unproven, and it is no more a silver bullet than any other
cybersecurity measure. It even has a common vulnerability:
Anything shared can be hacked.
"It is worth emphasizing that information sharing is
not a panacea but rather the low-hanging fruit of
greater protection," research associate David Inserra and visiting fellow Paul
Rosenzweig wrote in an April 2014 Heritage Foundation
The U.S. has shown the way with Information Sharing and
Analysis Centers (ISACs). The Reston, Virginia-based Financial
Services Information Sharing and Analysis Center (FS-ISAC),
formed in 1999 following a presidential directive on critical
infrastructure protection, has grown into a global network of
5,500 members continuously exchanging and acting upon threat
and incident reports. FS-ISAC is one of about 20 such bodies
that are members of the 12-year-old National Council of ISACs.
At the federal level, President Obama has issued executive
orders and taken to the bully pulpit to rally support for
comprehensive cybersecurity responses, including information
sharing. "There's only one way to defend America from
these cyberthreats, and that is through government and industry
working together, sharing appropriate information as true
partners," Obama said in a February 13 speech at
The Department of Homeland Security's National
Cybersecurity and Communications Integration Center in fiscal
year 2014 received over 97,000 cyber incident reports
from the private and government sectors and issued nearly
12,000 cyber alerts or warnings, DHS secretary Jeh
Johnson reported in an April 21 speech to an information
If sharing on that scale is not enough, then what is?
The next wave of solutions may in fact be technological.
Information and notifications alone have limitations, as
do overtaxed security staffs. The data has to be
operationalized and actionable, and
outside of the defense and IT industries and a few members of
the banking and corporate elite, those capabilities are
immature at best, observes Mark McArdle, chief technology
officer of Canada-based eSentire, which specializes in threat
protection for midsize firms.
automated intelligence-gathering and monitoring platform is
Soltra Edge, provided by a joint venture formed last year by FS-ISAC
and New York-based Depository Trust & Clearing Corp.
Whereas that offering grew out of the finance industry, a
Washington-area start-up, ThreatQuotient, is operationalizing
threat intelligence based on the defense industry
experience of co-founders Wayne Chiang and Ryan Trost. Coming
out of Silicon Valley are AlienVault's crowdsourced Open Threat
Exchange and Norse's real-time,
machine-readable threat intelligence.
Three-year-old BrightPoint, with former Lehman Brothers
chief security officer Rich Reybok serving as chief technology
officer, overcomes legal concerns in its actionable threat
intelligence by anonymizing shared information and making
private details unattributable.
BrightPoint president and CEO Anne Bonaparte says it's
usually not wise to wait for the legislative process to
solve business problems, and these technologies are
obviously moving faster than government. Still, she favors a
sharing law because it's an amplification of the