I've been following cybersecurity legislation for a number of years, including all the proceedings with the Cybersecurity Information Sharing Act (CISA). After much deliberation, I believe that CISA remains fundamentally flawed and needs a lot more work before it becomes the law of the land.
To be clear, I understand and support the basic objective CISA seeks to promote. Real-time threat intelligence sharing and analysis could help public and private sector organizations respond proactively to emerging cyber-threats, mitigating risk and/or minimizing the potential damages associated with devastating data breaches (e.g. Anthem, OMB, Sony Pictures, Target, etc.).
Yup, frictionless real-time threat intelligence sharing could really make a difference. The problem that Washington doesn't seem to understand is that cybersecurity processes and technologies, and their international implications, are far from a perfect world. Before our representatives in Washington get too carried away, they should consider a few important facts:
- The government's threat intelligence sharing track record isn't very good. CISA appears to open opportunities for federal agencies to share mountains of highly valuable threat intelligence with the private sector, but history suggests a more dubious situation. In his excellent book, @War: The Rise of the Military-Internet Complex, author Shane Harris gives countless examples where federal agencies presented threat intelligence to financial services companies claiming it was unique and valuable, only to be told by the banks that they'd seen these very indicators of compromise (IoCs like IP addresses, URLs, domains, etc.) weeks before. I hear the same thing from CISOs I speak with, who also complain that the feds are much better at consuming threat intelligence from the private sector than they are at sharing what they have with the cybersecurity community. In their zeal to get legislation passed, Congress seems to have missed this shortcoming.
- Threat intelligence consumption and sharing processes are extremely immature. According to ESG research, 40% of enterprise cybersecurity professionals say that their organization's threat intelligence program has been in place for less than two years (note: I am an ESG employee). It is also worth noting that these programs are really focused on the consumption of external commercial and open source threat intelligence (i.e. gathering intelligence, consuming commercial threat intelligence feeds, correlating external threat indicators to internal network and system activities, etc.). While threat intelligence consumption is fairly immature, threat intelligence sharing is even further behind. The reality is that most threat intelligence sharing today consists of phone calls and emails in which cybersecurity professionals reach out to trusted peers about suspicious activities they are investigating at a specific point in time. For CISA to work, threat intelligence sharing processes must be anonymous, scalable, and automated, but most organizations are years away from best practices like these.
- Anything associated with privacy rights violations hurts the U.S. overseas. In truth, data privacy should be a non-issue, as threat intelligence sharing should be about 'how' and 'why,' not 'who.' Nevertheless, as the bill is written today, it comes with a loophole suggesting that U.S. intelligence and law enforcement agencies could use CISA for surveillance purposes. This huge privacy loophole raises an obvious question to me: Is anyone supporting this bill aware of the recent European Court of Justice ruling against Safe Harbor? This ruling concludes that leaks from Edward J. Snowden, the former contractor for the National Security Agency, prove that American intelligence agencies had almost unfettered access to the data, infringing on Europeans' rights to privacy. Thus, European businesses are now forbidden from storing European citizens' PII on the resources used by American companies, regardless of their location. This judgement is wreaking havoc on U.S. firms doing business in the EU and on European companies using SaaS applications (e.g. Google Apps, Office365, Salesforce.com, ServiceNow, etc.) and cloud computing infrastructure (AWS, Azure, etc.) owned by U.S. companies. Rather than addressing this situation and engaging the EU on privacy rights and the Safe Harbor ruling, CISA will be interpreted as yet another privacy rights violation, adding more fuel to the data privacy fire abroad.
CISA is based on the naïve assumption that better crowdsourcing will greatly improve organizations' ability to detect and respond to cyberattacks. Maybe it will in some future threat intelligence sharing Xanadu, but not today. In the meantime, anything that opens a privacy and surveillance loophole will be viewed with suspicion by other nations, greatly hindering international cybersecurity cooperation and U.S. business interests.
Washington seems to want to do something about cybersecurity, but in my humble opinion, CISA has the potential to do more harm than good in its existing iteration. Note to Washington: Stop CISA and do your homework on cybersecurity and international relationships before you move forward with further flawed and potentially harmful legislation.