The Department of Homeland Security released its final documents last week on the specifics of its voluntary cyber-threat-indicator portal. The automated indicator-sharing initiative, known as AIS, was authorized under the Cybersecurity Act of 2015, commonly known as CISA. The portal has been up and running since March, but DHS has been making tweaks to the processes and guidelines since then.
Thus far, just 30 companies are using the portal and an additional 70 or so are signed up to participate. Some of the privacy concerns expressed by industry and advocates alike surrounded what kind of data could and would be shared between private and public organizations and the government, and how that data would be safeguarded appropriately.
The idea is: Share only the necessary threat information, share it quickly, and make sure it’s clean. For DHS’s part, it will use existing standards, specifically the Structured Threat Information eXpression, or STIX, and Trusted Automated eXchange of Indicator Information, or TAXII, to be sure it collects and treats the data responsibly. That means there are essentially two layers of privacy protection: the work the sharing company does before it sends the data, and the checks DHS runs on that data to be sure it’s clean.
DHS was required under the act to work with seven named entities, which included privacy advocates, to ensure privacy was embedded in data sharing from the beginning. That consultation yielded suggestions that certain aspects of the initial privacy and civil liberties guidelines should be made more robust, suggestions DHS took to heart, according to Diana Carr, deputy director for privacy at the Department of Homeland Security’s National Protection and Programs Directorate. This week’s final documents included suggested improvements on deletion requirements, data retention and safeguarding provisions.
One incentive for private and public entities to share data through AIS is a guarantee that, as long as the data is appropriately scrubbed of personal information and relates to a cyber threat, sharers cannot face threat-related litigation and are exempt from antitrust laws. In addition, shared data is exempt from FOIA disclosures.
Shimon Modi is director of product and technology at TruSTAR Technology. Looking at it through a technologist’s lens, Modi said the idea of sharing threat data isn’t new at all. It’s very common for security and technology professionals to alert each other to red flags. But it tends to happen in informal, ad-hoc ways among trusted friends and colleagues, or through sector-specific information sharing and analysis centers, which are third-party, non-governmental data-collection efforts set up by industry associations and the like. Participants in CISA’s threat-sharing network will simply see this process formalized across industries and via the federal government.
The reason, Modi said, that companies tend to avoid sharing risks in formal ways is two-fold: there can be a legal and reputational risk to flagging that they may or may not have been hit with a data-security threat, which could also affect stock price, and there are antitrust issues to think about. Sharing certain data could be a dangerous move.
Thus, the act’s liability protections.
Mary Ellen Callahan, former privacy chief at DHS, anticipates the liability provisions will be effective, but she says they won’t necessarily have CPOs and CISOs feeling weightless and worry-free.
“Lawyers are lawyers,” she said. “They are likely going to argue there are loopholes.”
Liability concerns aside, privacy pros and technologists seem to agree data redaction will be problematic for some organizations.
“By and large, sophisticated companies have gotten accustomed to scrubbing data before sharing,” Callahan said, particularly, financial institutions participating in FS-ISAC, the financial industry's information-sharing and analysis center. “They’re probably the most advanced. Others may not be as far along in terms of maturity.”
DHS’s Carr said that while the data-scrubbing requirements apply to everyone, larger companies indeed may have better technical capabilities to complete the data scrub, allowing them to meet the requirements more easily. Depending on how an organization chooses to share the data, she says, there are less sophisticated ways to complete the data scrub while still taking full advantage of the benefits of sharing. Redaction of the data that must be removed can be done in low-tech, manual ways. It’s organizations that want to use their own automated threat-detection systems that might need a more sophisticated data-scrubbing method.
And while that might mean participating institutions need to work to get their proverbial ducks in a row if they want to share data, Callahan said some organizations are using the prospect of participation as impetus to advance their own information-sharing standards and threat-detection indicators.
“Those are the people doing the work right now,” she said. “They are looking at, ‘Can we quickly identify a cyber threat? If so, can we find the indicator itself, what the malware was, was a phishing email the sourcing? And if so, can we share it?’”
Stu Sjouwerman is CEO of Knowbe4, a security-awareness training software company. His company exists on the premise that humans are the weak link in IT security, whether because an employee left a laptop in a car or clicked on a phishing link. To that end, Knowbe4 offers training for employees to better spot threats and share them appropriately.
Sjouwerman doesn’t think AIS is going to be the solution the government and those participating may be hoping for.
“It’s a game of chess,” he said. “The bad guys always have the advantage in that they are always the guys that start first, and everyone else is forced into a reactive mode.”
He said sure, companies can share threat data with the government and each other, but by the time it’s shared, the criminal has moved on. According to Sjouwerman, 50 percent of people who click on a phishing email’s URL do so within the first hour it’s sent, and the average phishing site doesn’t live longer than six hours. In addition, the average anti-virus system is updated roughly every six hours.
“Those three data points together paint you the picture of, first: the bad guys are always ahead, and end-point security is always behind. And if you look at a six-hour delay, DHS is never going to be able to catch up with that,” he said.
Speaking of bad guys, what about those who no longer trust the federal government with data given the Snowden revelations? A lot has changed in the three years since that all went down.
But Carr said the legislation’s naming of DHS as the lead on this initiative should quell concerns because of DHS’s strong privacy program.
“DHS has a long reputation of building privacy into their programs,” Carr said, “specifically with respect to cybersecurity. I think coming through a civilian agency with strong privacy made folks more comfortable.”
There are also concerns about latent liability.
Susan Bandi, CIPM, CIPP/US, CIPT, executive global data security and privacy officer at Monsanto, said her company is one that would be interested in participating in threat-sharing via AIS but questioned how carefully data would be scrubbed before it was shared. Her concern was whether organizations would have proper processes in place and hoped to see “consistency and validation that the data was scrubbed in a manner that it protected privacy.”
To that, Carr said, on the receiving end DHS will be “looking at all information submitted by both federal and non-federal entities. That scrub is comprised of both automated and manual (human review) checks to ensure information received has been appropriately scrubbed.”
In addition, she said, “DHS will conduct oversight reviews of this information on a regular basis to ensure the privacy scrub is effective in removing personal information that is not directly related to the cyber threat.”
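The two layers described earlier (the sharing company’s scrub before submission, and DHS’s automated check on receipt) and the “personal information that is not directly related to the cyber threat” test Carr describes here can be made concrete with a small example. The code below is an added illustration, not code from DHS, AIS or any vendor named in the article. It assumes a STIX-2-style indicator record (a JSON object with a machine-readable `pattern` field and free-text `name`/`description` fields) and constructs its own sample; the field names, the regular expressions and the redaction markers are the example’s own choices, not an AIS requirement.

```python
import copy
import re

# Fields that carry the machine-readable indicator itself. Their contents ARE the
# threat data being shared (a phishing URL, a sending address, a hash), so they
# pass through untouched: a sender address inside a pattern is "directly related
# to the cyber threat", not incidental personal information.
INDICATOR_FIELDS = frozenset(
    {"type", "id", "created", "labels", "pattern", "valid_from"}
)
# Free-text fields an analyst typed. This is where incidental personal data
# (the employee who reported it, a phone number from the ticket) tends to land.
FREE_TEXT_FIELDS = ("name", "description")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")


def redact_text(text):
    """Replace email addresses and phone numbers in free text with fixed markers."""
    text = EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    text = PHONE_RE.sub("[REDACTED-PHONE]", text)
    return text


def scrub_indicator(indicator):
    """Producer-side scrub (layer one): keep the indicator fields as-is, redact
    free text, and drop every other field rather than forward it by accident."""
    out = {}
    for key, value in indicator.items():
        if key in INDICATOR_FIELDS:
            out[key] = copy.deepcopy(value)
        elif key in FREE_TEXT_FIELDS and isinstance(value, str):
            out[key] = redact_text(value)
        # Custom or unknown fields (internal ticket owners, notes) are not copied.
    return out


def validate_scrubbed(indicator):
    """Receiver-side check (layer two): name each free-text field that still
    contains an email or phone number, plus any field outside the allowlist."""
    findings = []
    for key in FREE_TEXT_FIELDS:
        value = indicator.get(key, "")
        if EMAIL_RE.search(value) or PHONE_RE.search(value):
            findings.append(key)
    unexpected = set(indicator) - INDICATOR_FIELDS - set(FREE_TEXT_FIELDS)
    findings.extend(sorted(unexpected))
    return findings


# Constructed sample: what an analyst's ticket-driven export might look like
# before any privacy scrub. The URL, ticket number and people are invented.
RAW_INDICATOR = {
    "type": "indicator",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "created": "2016-06-20T14:05:00Z",
    "labels": ["malicious-activity"],
    "pattern": "[url:value = 'http://example.invalid/login']",
    "valid_from": "2016-06-20T14:05:00Z",
    "name": "Phishing link reported by jane.doe@corp.example",
    "description": "Employee Jane Doe (555-123-4567) clicked the link at 09:12; ticket INC-4521.",
    "x_internal_ticket_owner": "jane.doe@corp.example",
}

if __name__ == "__main__":
    print("receiver findings on raw record:", validate_scrubbed(RAW_INDICATOR))
    clean = scrub_indicator(RAW_INDICATOR)
    print("scrubbed record:", clean)
    print("receiver findings on scrubbed record:", validate_scrubbed(clean))
```

Two design points match what the article describes. First, the scrub is field-based rather than content-based: the `pattern` is threat data and is never touched, while free text is redacted and anything outside the allowlist is dropped, which is the cheap, “low-tech” discipline Carr says smaller organizations can adopt. Second, the regex pass is deliberately incomplete: the scrubbed description still contains the name “Jane Doe”, which is exactly the kind of residue the manual human-review check on the receiving end exists to catch; the automated layer reduces the volume that reaches a reviewer, it does not replace the reviewer.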
Whether your company is interested in participating or not, Callahan said it makes sense to prepare like you’re going to.
“Even if you’re not going to share with the federal government,” she said, “you might as well try to be prepared to respond” to cyber threats.