A bill that encourages businesses to share threat intelligence with each other and the government is closer to becoming a law than it has been for years now that it offers businesses near immunity from liability if the data they share is stolen and causes harm, but such sharing is still fraught with problems.
The proposed Cybersecurity Information Sharing Act (CISA) proposal doesn’t force anyone to participate in sharing, but it creates incentives for businesses to do so willingly, says Nathan Taylor, a partner in the law firm Morrison & Foerster, who is following the bill as it wends its way through Congress.
The Senate has approved a version of the bill, which must be consolidated with two versions passed already by the House, and then signed by President Obama before it becomes law.
The biggest carrot is protection from liability if the shared information is misused but it was submitted in compliance with the law, which means that personally identifiable information was stripped or an automated system was in place to strip it, Taylor says.
Threat intelligence sharing is considered a good thing by a broad range of security pros who practice it in Information Sharing and Analysis Centers (ISAC) and in informal associations with trusted peers.
But sharing with a central government clearinghouse worries privacy advocates who fear agencies such as the NSA will scoop up the shared data and somehow de-anonymize it, putting at risk the privacy of data businesses were entrusted to keep, says Ari Schwartz, the former White House Senior Director for Cybersecurity, now Managing Director of Cybersecurity Services for Venable.
The Senate-passed version of the bill would put the Department of Homeland Security in charge of creating and maintaining a portal for submission of data, sorting it, deciding what other federal agencies ought to see it and distributing it. DHS is a civilian agency, so was a less divisive choice than, say, the CIA or NSA.
Despite that, if the law passes and keeps intact the liability protections it will make it more difficult for businesses to resist sharing. They couldn’t say the risk of privacy lawsuits is too high because the new law would override privacy laws for cyber-threat information sharing. “It’s harder to say no now,” he says. “You have to give information to get information.”
Heavily regulated telecom and healthcare industries in particular were worried about complying with privacy rules, he says. Yet with major breaches at health care providers this year, the industry could benefit from swapping threat information to identify and head off attacks sooner.
The bill leaves some gray areas. For example, what happens if a service provider monitoring a customer’s network detects cyber threat information? Can it share the information and be protected from liability? “I don’t think the issue is squarely addressed in the bill,” says Taylor. “I don’t think the bill was intended to trump a company’s ability to control its own service providers.”
Tech industry trade groups Computer and Communications Industry Association (CCIA) and the Business Software Alliance (BSA) oppose CISA, saying it lacks privacy assurances and fails to limit the uses to which the information can be put. Apple, Salesforce, Twitter and Reddit are among individual companies opposed. It is supported by the U.S. Chamber of Commerce.