The U.S. Congress is having another one of its less-than-fine hours on the matter of cybersecurity. Despite consensus support across the political spectrum and the business community, admonishments from the White House and alarms sounded by government and private sector battlers against the relentless onslaught of malicious attacks, a law designed to marshal threat intelligence more effectively has yet to be enacted.
The objective of several proposals is to encourage collaboration, as implied by the name of one Senate bill, the Cybersecurity Information Sharing Act of 2015. The principle is embodied in the Protecting Cyber Networks Act that passed the House in April by 307-116.
Cooperation toward a common good would seem inherently uncontroversial; 94 percent had a favorable view of public-private information sharing in a survey released in May by San Mateo, California–based BrightPoint Security. Corporate interests say codification is necessary to protect them from liability that they may incur under existing laws that restrict disclosures, or as a result of disseminating information in good faith that turns out to be inaccurate.
Washington analysts might say that the legislation ran up against conflicting priorities — Senate Republicans were rebuffed in a June attempt to attach the Cybersecurity Information Sharing Act to the National Defense Authorization Act — or the persuasiveness of a few dissenting voices objecting to some surveillance provisions.
Such punditry may obscure certain on-the-ground realities. The fact is that information sharing is neither unknown nor unproven, and it is no more a silver bullet than any other cybersecurity measure. It even has a common vulnerability: Anything shared can be hacked.
“It is worth emphasizing that information sharing is not a panacea” but rather “the low-hanging fruit of greater protection,” research associate David Inserra and visiting fellow Paul Rosenzweig wrote in an April 2014 Heritage Foundation Backgrounder.
The U.S. has shown the way with Information Sharing and Analysis Centers (ISACs). The Reston, Virginia–based Financial Services Information Sharing and Analysis Center (FS-ISAC), formed in 1999 following a presidential directive on critical infrastructure protection, has grown into a global network of 5,500 members continuously exchanging and acting upon threat and incident reports. FS-ISAC is one of about 20 such bodies that are members of the 12-year-old National Council of ISACs.
At the federal level, President Obama has issued executive orders and taken to the bully pulpit to rally support for comprehensive cybersecurity responses, including information sharing. “There’s only one way to defend America from these cyberthreats, and that is through government and industry working together, sharing appropriate information as true partners,” Obama said in a February 13 speech at Stanford University.
The Department of Homeland Security’s National Cybersecurity and Communications Integration Center in fiscal year 2014 “received over 97,000 cyber incident reports from the private and government sectors and issued nearly 12,000 cyber alerts or warnings,” DHS secretary Jeh Johnson reported in an April 21 speech to an information security convention.
If sharing on that scale is not enough, then what is missing?
The next wave of solutions may in fact be technological. Information and notifications alone have limitations — as do overtaxed security staffs. The data has to be “operationalized” and “actionable,” and outside of the defense and IT industries and a few members of the banking and corporate elite, those capabilities are immature at best, observes Mark McArdle, chief technology officer of Canada-based eSentire, which specializes in threat protection for midsize firms.
One automated intelligence-gathering and monitoring platform is Soltra Edge, provided by a joint venture formed last year by FS-ISAC and New York–based Depository Trust & Clearing Corp. Whereas that offering grew out of the finance industry, a Washington-area start-up, ThreatQuotient, is “operationalizing threat intelligence” based on the defense industry experience of co-founders Wayne Chiang and Ryan Trost. Coming out of Silicon Valley are AlienVault’s crowdsourced Open Threat Exchange and Norse’s real-time, “machine-readable” threat intelligence.
Three-year-old BrightPoint, with former Lehman Brothers chief security officer Rich Reybok serving as chief technology officer, overcomes legal concerns in its actionable threat intelligence by anonymizing shared information and making private details unattributable.
BrightPoint president and CEO Anne Bonaparte says it’s usually not wise to “wait for the legislative process to solve business problems,” and these technologies are obviously moving faster than government. Still, she favors a sharing law because “it’s an amplification of the message.”
