CSOs aren’t waiting for cyber sharing legislation

Security executives say the sharing of threat information is useful – and they’re already doing it. Legislating it, some say, could get in the way

If Congress does pass, and President Obama signs, legislation governing the sharing of cyber threat information among private organizations and with the government, those who will be the most directly affected will likely be those in IT security leadership – CSOs and CISOs.

And, based on the debates on bills now pending in Congress, it would seem that their biggest challenges would be increased pressure to protect personally identifiable information (PII), to make sure that trade secrets or other intellectual property doesn’t get inadvertently “shared” along with threat information, and to make sure that the organization doesn’t ignore threat information from others that then leads to a breach.

Those bills may not get any serious attention at least until next month, and there is no guarantee that anything will get completed – the Senate bill is stalled at the moment and has at least 22 proposed amendments pending. But Ari Schwartz, director of cybersecurity for the National Security Council at the White House, told attendees at the Senior Executive Cyber Security Conference in Baltimore last Thursday that he was optimistic that conflicts over differing provisions in the bills could be sorted out in conference committee negotiations.


Is that possibility making the CISO/CSO community thrilled or nervous about impending drastic changes to their jobs?

Apparently neither, at least in part because, based on the track record of previous Congressional efforts, it is almost impossible to predict what might end up on the president’s desk.

As Rick Howard, CSO of Palo Alto Networks put it, “trying to discern what will come out of Congress is a fool’s errand. As a body, they seem to always fumble the ball before they get it across the goal line.”

Indeed, Howard said he and other IT executives have, “grown weary of waiting for the government to come up with something. We have decided to do something ourselves.”

Rick Howard, CSO, Palo Alto Networks

That “something” is the creation of the Cyber Threat Alliance, a group of security vendors that have agreed to share threat information with one another. So far, it includes Palo Alto, Symantec, Intel, Fortinet, Barracuda, zScaler, Telefonica and Reversing Labs.

It was launched about a year ago, and Howard said, “we have a long ways to go, but I am hopeful that this kind of arrangement will work more quickly than anything that comes out of the government.”

The Alliance, like other, longer-established organizations such as the ISACs (Information Sharing and Analysis Centers) and ISAOs (Information Sharing and Analysis Organizations) promoted by DHS, is an example of what several speakers at the conference said is happening voluntarily, without any legislation.


“Information sharing is moving forward,” said Robyn Greene, policy counsel of the New America Foundation’s Open Technology Institute, adding that the pending bills deserve scrutiny, “but I don’t think they will improve it (sharing).”

Kim Jones, CSO at Vantiv, who stressed he was speaking for himself and not his company, said he is not familiar enough with the details of the legislation to comment on it specifically, but did not think it will substantively change his job. “I deal with regulatory and legal compliance every day; this will be just another requirement,” he said. “Figuring out the mechanics of complying will be a long discussion with my legal team, my compliance team, and my regulators.”

Jones said he is, in general, a proponent of data sharing. “In security, the problem that you have today, I will most likely have tomorrow,” he said. “Sharing data around threats and issues can help us get ahead of the bad guys.”

Kim Jones, CSO, Vantiv

But he said problems can arise, “when you legislate that sharing.”

First, he said, it is easy to get “bogged down” in definitions and interpretations of terms like “threat” or “incident.” Those issues then, “get decided by corporate counsel versus security professionals.”

Second, he said, is that ensuring complete anonymity of data becomes “hyper-critical.”

“Once the data is amassed, what’s to prevent it from being pivoted and analyzed in a way that was not anticipated by the legislation?” he said. “If it is truly anonymized there’s no issue, but if there’s any traceability back to companies or individuals, the possibilities for misuse or abuse are only limited to the creativity and imagination of our thoughts.”

Finally, he said sharing mandates could cause legal trouble for CSOs, and could reduce incentives to share.

“What happens when Company A refuses to share a nugget of data with the government but wants to share with his fellow CSOs? Potentially, Company A is breaking the law – and now the CSOs of Companies B and C are complicit in that action."

According to Howard, the sharing rules of the alliance are simple and effective. “You have to give as much as you get,” he said. “To get intelligence, you have to share intelligence, and we measure it every day."

And he said it is useful. “Whatever I get from other alliance members, I dump right into the product. Whatever I give the other members, they do the same.”

The goal is to grow the alliance to the point that, “every Internet-capable organization on the planet will have access to the latest and greatest real-time threat intelligence security controls.

“It is a pretty big idea and we have some hurdles to get over,” he said, “but I am hopeful.”
