Security experts mostly critical of proposed threat intelligence sharing bill


This fall, the Senate is expected to take another look at the Cybersecurity Information Sharing Act, or CISA, but many security experts and privacy advocates are opposed.

Cybersecurity has been in the news a lot this summer, and not just because of several new high-profile breaches in government and in the private sector.

Last month alone, the Pentagon began requiring defense contractors to report breaches, the White House Office of Management and Budget proposed new cybersecurity rules for contractor supply chains, and a court agreed that the Federal Trade Commission has the authority to enforce cybersecurity standards.

And many security experts agree that it's important for companies to share cybersecurity information, in real time, without risk of being publicly embarrassed, fined, or sued.

"I understand the concern about individuals and organizations concerned about privacy," said Jerry Irvine, CIO at Prescient Solutions. "But the bottom line is that we can't protect ourselves without the ability to show actual technical data to other organizations within our industry and agencies in the federal government."

It is extremely important for a law to get passed, he added, since existing information-sharing platforms are either inadequate or do not operate in real time.


"Concerns about privacy with regard to CISA are in my view overblown," said Simon Crosby, co-founder and CTO at Bromium. "There are undoubtedly many benefits that will accrue as a result of wider, faster sharing of threat intelligence."

But the bill, as written, has problems, others say.

Privacy? What privacy?

The biggest concern most critics of the CISA bill have is that it seems to be more about the government gathering information than about helping companies improve security.

"For most of the security community, the concern about CISA is in its potential to open up yet another avenue for warrantless seizure of personal information," said Andy Manoske, senior product manager at AlienVault.

According to Manoske, government agencies would be able to seize, without a warrant, any private data they say is related to violent crimes, or to share private user data with international organizations.


"The way that the bill is written would give companies the ability to spy on all of their users with impunity, in order to detect if they are a 'cyber threat,'" said Justin Harvey, chief security officer at Fidelis Cybersecurity. "This information can be shared with the Department of Homeland Security, which can then, in turn, send the data to the NSA in real time, or companies can bypass DHS altogether and send it over to the NSA."

The only positive feature of the bill, he said, is that it requires the federal government to share cyber threat information with the commercial sector.

"I haven’t heard of any security experts supporting the bill," he added. "Those who support it either don’t know that much about threat intelligence sharing or they don’t know enough about the bill."

Clumsy and ineffective

Meanwhile, when it comes to actually improving security, CISA is so badly written that it won't do any good, experts say.

"Privacy issues aside, it will be totally ineffective for a variety of reasons," said Jason Polancich, founder and chief architect at Sterling, Va.-based SurfWatch Labs. "The biggest reason is the issues being legislated around are not at all understood by Congress. Information sharing is difficult -- there isn’t one model that works for everybody and our government is simply not equipped to move as fast as the cybercriminals are moving now."

CISA will be a waste of time and taxpayer money, he added.

"CISA requires little to nothing in terms of actual security protections," said AlienVault's Manoske. "In fact, in a particularly comical oversight, the lack of a listed reporting standard means that threat indicators reported in CISA will require organizations to manually sift through indicators -- arbitrarily introducing a time delay."

In fact, CISA might even create new security problems, said Ben Johnson, chief security strategist at Bit9.

"The fact that a lot of private and personally identifiable information could be shared sets up yet another lucrative target for cyber attackers," he said.

Several security experts pointed out that the federal government doesn't exactly have a good reputation for protecting data.

The recent breach of the Office of Personnel Management "showed everyone how porous and vulnerable our government networks are," said Ron Gula, CEO at Tenable Network Security. He suggested that what we need is more information about security practices at federal agencies.

Another problem with the bill is that some of the amendments added on to make it better actually make it worse.

For example, one amendment is intended to help prosecutors take down botnets, but does a bad job at explaining just what a botnet is.

"An overzealous prosecutor could use it to target any behavior that the government didn't like," said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint. "That includes many examples of legitimate peer-to-peer software."

There's already sharing going on

There are already more than a dozen Information Sharing and Analysis Centers, for aviation, defense, finance, IT, healthcare, energy, real estate, education, transportation, and other industry sectors.

"Given the number of ISACs being formed, I'm also concerned with whether an information sharing bill is really needed," said Todd Inskeep, advisory board member at the RSA Conference. "There is already a tremendous amount of information sharing across corporations and with the government. It’s not clear there's a real need for new rules."

In addition, there are commercial threat intelligence information services.

"All the big players, because they want to see what everyone else has, anonymously exchange malware samples," said Kalember. "And it's very, very useful information. The private sector has been doing things like this for a very long time."

And companies without the ability to set up information sharing infrastructure on their own are increasingly turning to security vendors who do it for them.

One recent vendor in this space is TruSTAR Technology, which allows enterprises to instantly share threat data with one another in an anonymized way.

"It allows companies to work together and share actionable information without it being known that it comes from you," said CEO Paul Kurtz, who is a former White House cybersecurity adviser.

Member organizations don't share purely out of goodwill: they get immediate feedback on similar reports from other members and benefit from what those members have already learned. The platforms even let security analysts from different companies work together to counter attacks, both anonymously and in trusted groups.

The incident database is stripped of all identifying information, Kurtz said, both personally identifiable information about individuals and information about the organization doing the sharing.

"Even if Uncle Sam comes to me and says, 'Where did you get that data?' I can't tell them," Kurtz said. "It's not that I won't tell them -- I can't tell them."
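What stripping a report of identifying information can look like in practice, as an added example. This is not TruSTAR's code, and the article says nothing about how its product does it; the report layout, the field names, the redaction tokens and the sample incident are all constructed for the example. The scrubber keeps what another defender needs (external IPs, attacker domains and sender addresses, file hashes) and removes what points back at the victim (the submitter block, e-mail addresses and named people in the narrative, the organisation's own hosts and internal addresses).

```python
"""Scrub an incident report before sharing it through an anonymous exchange.

Added example, not TruSTAR's code (the article does not describe its
implementation). Assumptions, none of them from the article: the report is
a dict with a free-text 'narrative', a list of typed 'indicators' and a
'submitter' block; the sharing organisation supplies its own domains, the
names to redact (the organisation and the people involved) and any internal
networks beyond RFC 1918; every other indicator is treated as attacker
infrastructure and kept.
"""
import hashlib
import ipaddress
import json
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# RFC 1918 space never helps another organisation and only leaks topology.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal_ip(value, org_nets=()):
    """True if value is an IP address inside RFC 1918 or one of org_nets."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in (*RFC1918, *org_nets))


def is_org_host(value, org_domains):
    """True if value is one of the organisation's domains or a subdomain."""
    v = value.lower().rstrip(".")
    return any(v == d or v.endswith("." + d) for d in org_domains)


def scrub_text(text, org_domains, names, org_nets=()):
    """Redact e-mail addresses, internal IPs, organisation hosts and listed
    names from free text; external IPs, foreign domains and hashes survive.
    Regex redaction is a floor, not a guarantee: a name missing from `names`
    is not caught, so a human review still belongs before release."""
    text = EMAIL_RE.sub("[email]", text)  # first, so user@org becomes one token
    text = IPV4_RE.sub(lambda m: "[internal-ip]"
                       if is_internal_ip(m.group(0), org_nets) else m.group(0), text)
    for d in sorted(org_domains, key=len, reverse=True):
        text = re.sub(r"(?i)\b(?:[\w-]+\.)*" + re.escape(d) + r"\b", "[org-host]", text)
    for n in sorted(names, key=len, reverse=True):
        text = re.sub(r"(?i)\b" + re.escape(n) + r"\b", "[name]", text)
    return text


def scrub_report(report, org_domains, names, org_nets=()):
    """Return (shareable copy, list of dropped indicator values).

    The copy has no submitter block, a redacted narrative, no indicators
    that belong to the victim, and an id that is a hash of the shared
    content only, so nothing in the record links it back to its source."""
    org_domains = [d.lower() for d in org_domains]
    nets = [ipaddress.ip_network(n) for n in org_nets]
    kept, dropped = [], []
    for ind in report.get("indicators", []):
        t, v = ind["type"], ind["value"]
        if t == "ipv4" and is_internal_ip(v, nets):
            dropped.append(v)
        elif t == "domain" and is_org_host(v, org_domains):
            dropped.append(v)
        elif t == "email" and is_org_host(v.rsplit("@", 1)[-1], org_domains):
            dropped.append(v)
        else:
            kept.append({"type": t, "value": v})
    shared = {
        "narrative": scrub_text(report.get("narrative", ""), org_domains, names, nets),
        "indicators": kept,
    }
    # Content-addressed id: the exchange can de-duplicate and the submitter can
    # recognise its own record later, but the id itself carries no identity.
    shared["id"] = hashlib.sha256(
        json.dumps(shared, sort_keys=True).encode()).hexdigest()[:16]
    return shared, dropped


# Constructed sample incident; the hash is a placeholder (SHA-256 of "").
SAMPLE_REPORT = {
    "submitter": {"org": "Example Corp", "contact": "alice@example-corp.com"},
    "narrative": ("Alice Smith (alice@example-corp.com) opened an invoice from "
                  "billing@pay-notice.info; the doc on vpn.example-corp.com "
                  "beaconed from 10.20.30.40 to 203.0.113.7 and "
                  "cdn-update.pay-notice.info every 300s. Example Corp SOC "
                  "blocked it at the proxy."),
    "indicators": [
        {"type": "ipv4", "value": "203.0.113.7"},
        {"type": "ipv4", "value": "10.20.30.40"},
        {"type": "domain", "value": "cdn-update.pay-notice.info"},
        {"type": "domain", "value": "vpn.example-corp.com"},
        {"type": "email", "value": "billing@pay-notice.info"},
        {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb924"
                                    "27ae41e4649b934ca495991b7852b855"},
    ],
}

if __name__ == "__main__":
    shared, dropped = scrub_report(SAMPLE_REPORT, ["example-corp.com"],
                                   ["Example Corp", "Alice Smith"])
    print(json.dumps(shared, indent=2))
    print("dropped before sharing:", dropped)
```

The `dropped` list exists so an analyst can see what was withheld before the record goes out. The property Kurtz describes, that the operator cannot answer "where did you get that data?", is a property of what the exchange stores, not of the scrubber alone: if the service logs the source IP or API key of the upload next to the record, the redaction above buys nothing.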

But despite the fact that his company offers a product specifically designed to address the same kind of problems as CISA, Kurtz supports the legislation.

"I really do think we need Congress to enable enterprises to connect with each other and work with each other in defeating the bad guys," he said. "Right now, they have one hand tied behind their back."
