The Department of Homeland Security released its final documents last week on the specifics of its voluntary cyber-threat-indicator portal. The automated indicator-sharing initiative, known as AIS, was authorized under the Cybersecurity Act of 2015, commonly known as CISA. The portal has been up and running since March, but DHS has been making tweaks to the processes and guidelines since then.
Thus far, just 30 companies are using the portal and an additional 70 or so are signed up to participate. Some of the privacy concerns expressed by industry and advocates alike surrounded what kind of data could and would be shared between private and public organizations and the government, and how that data would be safeguarded appropriately.
The idea is: Share only the necessary threat information, share it quickly, and make sure it’s clean. For DHS’s part, it will use existing standards, specifically the Structured Threat Information eXpression, or STIX, and Trusted Automated eXchange of Indicator Information, or TAXII, to be sure it collects and treats the data responsibly. That means there are essentially two layers of privacy protection: the work the sharing company does before it submits the data, and the checks DHS runs on that data once it arrives to be sure it's clean.
DHS was required under the act to work with seven named entities, which included privacy advocates, to ensure privacy was embedded in data sharing from the beginning. That consultation yielded suggestions that certain aspects of the
Sjouwerman doesn’t think AIS is going to be the solution the government and those participating may be hoping for.
“It’s a game of chess,” he said. “The bad guys always have the advantage in that they are always the guys that start first, and everyone else is forced into a reactive mode."
He said sure, companies can share threat data with the government and each other, but by the time it's shared, the criminal has moved on. According to Sjouwerman, 50 percent of people who click on a phishing email's URL do so within the first hour it's sent, and the average phishing site doesn't live longer than six hours. In addition, the average anti-virus system is updated roughly every six hours.
"Those three data points together paint you the picture of, first: the bad guys are always ahead, and end-point security is always behind. And if you look at a six-hour delay, DHS is never going to be able to catch up with that," he said.
Speaking of bad guys, what about those who no longer trust the federal government with data given the Snowden revelations? A lot has changed in the three years since that all went down.
But Carr said the legislation's naming of DHS as the lead on this initiative should quell concerns because of DHS's strong privacy program.
"DHS has a long reputation of building privacy into their programs," Carr said, "specifically with respect to cybersecurity. I think coming through a civilian agency with strong privacy made folks more comfortable."
There are also concerns about latent liability.
Susan Bandi, CIPM, CIPP/US, CIPT, executive global data security and privacy officer at Monsanto, said her company is one that would be interested in participating in threat-sharing via AIS but questioned how carefully data would be scrubbed before it was shared. Her concern was whether organizations would have proper processes in place and hoped to see “consistency and validation that the data was scrubbed in a manner that it protected privacy.”
To that, Carr said, on the receiving end DHS will be “looking at all information submitted by both federal and non-federal entities. That scrub is comprised of both automated and manual (human review) checks to ensure information received has been appropriately scrubbed.”
In addition, she said, “DHS will conduct oversight reviews of this information on a regular basis to ensure the privacy scrub is effective in removing personal information that is not directly related to the cyber threat.”
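The two layers described above (the sharing organization's own scrub before submission, and the receiving side's automated check that only threat-related personal information remains) can be illustrated with a small example. The code below is added here for illustration and is not DHS's, AIS's or any vendor's code; it works on a simplified JSON-style indicator record loosely modelled on a STIX indicator object (a constructed format, not the AIS wire format), and the field allowlist, the regular expressions and the sample record are all assumptions made for the example.

```python
import copy
import re

# Fields a sharing organization keeps on an outgoing indicator. Anything else
# (for example a contact field added by an internal ticketing system) is dropped.
# This allowlist is a constructed example, not an AIS or STIX profile.
ALLOWED_FIELDS = {"type", "id", "pattern", "valid_from", "labels", "description"}

# Toy detectors for the kinds of personal data that leak into free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{4}\b")  # constructed local-number pattern

# Constructed sample record: the phishing sender address is the threat itself,
# while the reporter's address and phone number are unrelated personal data.
SAMPLE_INDICATOR = {
    "type": "indicator",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "pattern": "[email-message:from_ref.value = 'invoice@bad-example.test']",
    "valid_from": "2016-06-20T00:00:00Z",
    "labels": ["malicious-activity"],
    "description": ("Phishing lure sent from invoice@bad-example.test; "
                    "reported by jane.doe@corp.example, call 555-0100."),
    "x_submitter_contact": "jane.doe@corp.example",
}


def threat_related_emails(indicator):
    """Addresses inside the indicator pattern are part of the threat (e.g. a
    phishing sender) and must survive the scrub."""
    return set(EMAIL_RE.findall(indicator.get("pattern", "")))


def scrub_indicator(indicator):
    """First layer: the sharing organization's pre-submission scrub.
    Returns (scrubbed_copy, audit_log); the audit log is what a human reviewer
    reads before the record leaves the organization."""
    audit = []
    keep = threat_related_emails(indicator)
    scrubbed = {}
    for key, value in indicator.items():
        if key not in ALLOWED_FIELDS:
            audit.append(f"dropped field {key!r}")
            continue
        scrubbed[key] = copy.deepcopy(value)

    def redact_email(match):
        addr = match.group(0)
        if addr in keep:          # threat-related address stays as-is
            return addr
        audit.append(f"redacted email {addr!r} from description")
        return "[email redacted]"

    def redact_phone(match):
        audit.append(f"redacted phone {match.group(0)!r} from description")
        return "[phone redacted]"

    if "description" in scrubbed:
        text = EMAIL_RE.sub(redact_email, scrubbed["description"])
        scrubbed["description"] = PHONE_RE.sub(redact_phone, text)
    return scrubbed, audit


def receiver_check(record):
    """Second layer: an automated check the receiving side runs on every
    record. Returns a list of findings; an empty list means the record passes
    and needs no manual follow-up."""
    findings = []
    keep = threat_related_emails(record)
    for key, value in record.items():
        if key not in ALLOWED_FIELDS:
            findings.append(f"unexpected field {key!r}")
        if isinstance(value, str) and key != "pattern":
            for addr in EMAIL_RE.findall(value):
                if addr not in keep:
                    findings.append(f"residual email in {key!r}: {addr}")
            for phone in PHONE_RE.findall(value):
                findings.append(f"residual phone in {key!r}: {phone}")
    return findings


if __name__ == "__main__":
    clean, log = scrub_indicator(SAMPLE_INDICATOR)
    print("scrubbed:", clean)
    print("audit:", log)
    print("receiver findings before scrub:", receiver_check(SAMPLE_INDICATOR))
    print("receiver findings after scrub:", receiver_check(clean))
```

The point of the design is that the scrub is keyed on the threat itself: an address that appears in the indicator pattern is retained even when the same detector would otherwise redact it, which is exactly the distinction between personal information that is and is not "directly related to the cyber threat". The audit log and the receiver's findings list are what the manual-review step consumes; a non-empty findings list on a record that has supposedly been scrubbed is the signal that the submitter's process is not working.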
Whether your company is interested in participating or not, Callahan said it makes sense to prepare like you’re going to.
“Even if you’re not going to share with the federal government," she said, "you might as well try to be prepared to respond” to cyber threats.