The federal government is on the warpath against cyberattacks. Last October, the U.S. Senate passed the Cybersecurity Information Sharing Act, or CISA. Then in December 2015, President Obama signed into law the Omnibus Appropriations Act, a $1.8 trillion funding bill, which includes the Cybersecurity Act of 2015.
The recent legislation allows sharing of information about cyberthreats between the government and the private sector, and provides liability protection for companies that share information with the government. Everybody wants to take a bite out of cyber-crime, and this new law aims to do that. At the same time, however, it raises the age-old controversy between data privacy and security—how far is too far when it comes to protecting sensitive data from possible or perceived cyberthreats? In this article, we’ll explore the pros and cons of the new information-sharing legislation, and what it means for your organization.
What Does the Law Mean?
The goal of sharing information between the private and public sectors is to help identify “what’s next” in cyberthreats. As Andy Ozment, assistant secretary, Office of Cybersecurity and Communications, in the Department of Homeland Security (DHS) told The Wall Street Journal, “The first thing to emphasize about this legislation is it’s about indicators, not incidents…. It’s a ‘be on the lookout.’ Be on the lookout for this IP address, this phishing email, you name it.”
All information will be funneled through DHS, although the new law would allow another federal agency (except the Department of Defense) to assume that role in the future. Private companies that volunteer such information will receive liability protection against what Congressman Michael McCaul, Chairman of the House Homeland Security Committee, referred to as “the reality of unfounded litigation.” Before sharing information, companies must first remove personally identifiable information (PII) unrelated to a cybersecurity threat.
To Share or Not to Share?
So far, support for the Cybersecurity Act has been mixed. In a recent ISACA survey, 72 percent of IT and cybersecurity professionals favor the new law, but only 46 percent would choose to share cyber-threat information as outlined in the Act. This survey shows that “professionals on the front lines of the cyberthreat battle recognize the value of information-sharing among consumers, businesses and government, but also know the challenges associated with doing so,” says Christos Dimitriadis, international president of ISACA.
One of these challenges is customers’ expectation of privacy. Large customer-facing organizations are being asked to share information they would rather keep close to their chest. Once the government has that data, what other uses besides cybersecurity will it be used for? Who will own the data?
The day before President Obama signed the Cybersecurity Act of 2015 into law, a coalition of security experts and civil society groups wrote a letter to Congress opposing the legislation, saying, in part, that it would “significantly increase the National Security Agency’s (NSA) and the Federal Bureau of Investigation’s (FBI) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity. It also fails to provide strong privacy protections or adequate clarity about what actions can be taken, what information can be shared, and how that information may be used by the government.”
Orin Kerr of The George Washington University Law School concurred about the lack of clarity in The Washington Post, saying that the Cybersecurity Act “broadens powers of network operators to conduct surveillance for cybersecurity purposes…although how far isn’t entirely clear.” For example, he says that the Act discusses the why of monitoring and disclosure, but little about the scope of these activities.
On the other hand, some argue that the new law is really nothing that new. Andy Soodek, founder and president of Secure Compliance Solutions (SCS), contends that “much of its mandated content has been common commercial practice for years.”
Most companies, Soodek says, adhere to US-CERT notifications as part of their proactive threat monitoring programs. “Now the government is asking for notifications of security threats detected by non-government entities as a return of favor, so they can respond to and alert all stakeholders more expeditiously.”
You Can Protect Your Organization Now
As with any legislation, it’s the implementation guidelines that matter. It will take time for the dust to settle to know the actual requirements. However, there are actions organizations can take to not only prepare for any compliance mandates, but to protect their data against current and future cyberthreats.
- Stay on top of trends and technologies. The Internet of Things (IoT), for example, is a hotbed of security issues. As FBI CISO Arlette Hart said, “The threat vectors are increasing and they’re pervasive, and they’re going to keep on coming. And they’re going to accelerate because this is such a rich field. IoT compounds the security challenges that we already have.”
- Understand the role that privacy plays in responding to security incidents. Our experience shows that data security incidents are not assessed against state and federal regulations as rigorously as privacy incidents are. Information security experts can answer many of the important questions about an incident: Did it touch personal data? Was the data encrypted? Was it de-identified? But they’re not thinking, “Somebody has to do a regulatory assessment to determine whether it’s a breach or not.” The IT security person can’t be expected to know whether an incident qualifies as a breach under federal and state laws. In many organizations there is a disconnect in making the incident-to-compliance connection.
- Prepare for the inevitable with a breach response plan. “Can you eliminate [the risk of cyberthreats]? Of course not,” DHS’ Andy Ozment told the Wall Street Journal. “But you manage them all day, every day…. We already see sectors that have been putting time and attention and resources into this for six, eight years are doing pretty darn well. Do they still get breached? Absolutely. But they catch it quickly and they contain it. We can all get to that space.”
CISA and the Cybersecurity Act of 2015 are only part of the government’s ongoing strategy to strengthen its overall cybersecurity posture. Earlier this month, for example, President Obama sought $19 billion to address cybersecurity for the federal government in 2017, $5 billion more than this year. No matter the regulations, the private sector needs to maintain an open dialogue with the government. Only together can we address the cyber-threats that endanger our economy and our safety.
In the next article in this series, I’ll discuss three questions to ask before sharing information.