CISA: A good start, but challenges remain on security information sharing

Eddie Schwartz, International VP, ISACA

After years of discussion within industry and government sectors calling for effective cybersecurity legislation to deal with the onslaught of data breaches and advanced cyberattacks, the United States recently enacted the Cybersecurity Information Sharing Act (CISA) with wide bipartisan support. Though a good first step toward improving cybersecurity, CISA raises a host of issues that will need to be addressed before the desired improvements in cybersecurity can be realized across public and private organizations.

CISA establishes a voluntary method for sharing cyberthreat intelligence between private businesses and government agencies, with the aim of helping organizations quickly identify and mitigate potential cyber incursions. Under CISA, the Department of Homeland Security (DHS) will receive and store cyberthreat indicators—including samples of malicious computer code—from participating organizations and use that information to develop recommended defensive measures. CISA authorizes individuals or organizations to share cyberthreat indicator information after removal of all personal information not directly related to the threat.

Cyberthreat indicators of compromise (IoC) help identify certain threats, including the tools, techniques, and processes used to probe and monitor an information system to discern security vulnerabilities, methods to defeat a security control or exploit a security vulnerability, or methods to gain unauthorized access to information stored on an information system.

Here is how CISA is supposed to work: If a participating company discovers relevant IoC information, resulting from a breach or failed attack, it would be sent to the federal government, which would then automatically distribute a warning to other companies. All of this would take place within minutes, server to server. Defensive measures might include changes to perimeter security rules, specific actions and procedures, or the addition of specific technology or patches applied to information systems to detect or prevent known or suspected cybersecurity threats or vulnerabilities.

CISA requires DHS to inform the appropriate federal departments and agencies of cyberthreat indicators. It also authorizes individuals, organizations, or companies to share cyberthreat indicators and to operate defensive measures with the federal government or another private entity.

While the financial services and defense sectors have long recognized the importance of collaboration between organizations, they historically have shared only within their verticals. It is critical that other sectors now ramp up their collaborative efforts within their industries and across other verticals.

It is a measure of the importance of this issue that CISA had wide bipartisan support. Cybersecurity is recognized across the political spectrum as critical to national security. CISA is a starting point for addressing certain cybersecurity issues, but its most important feature is that it opens the door to better industry collaboration. Improved collaboration and data sharing, however, bring with them a host of issues related to skills, liability, and technology. In other words, CISA is an important call to action, but more needs to be done.

The cybersecurity skills gap

All the legislation in the world will not improve cybersecurity if organizations do not possess the competencies needed to use the information and collaboration that CISA is supposed to foster. A recent security report from Cisco put the number of unfilled cybersecurity jobs around the globe at 1 million. That study aligns with ISACA’s 2016 Cybersecurity Snapshot survey, which found that 45% of organizations planning to hire cybersecurity personnel in 2016 expect to have a difficult time finding skilled candidates. Nearly two-thirds believe it will be difficult to even identify personnel with adequate skills and knowledge. 

An important way to ensure a prospective cybersecurity hire is well trained is to determine if they are certified in cybersecurity. However, all certifications are not created equal. Not surprisingly, 81% of hiring managers are more likely to hire a cybersecurity job candidate with a performance-based certification.

Liability reduced, not eliminated

At the heart of CISA is the matter of sharing cyberthreat intelligence. Strong public-private collaboration and ongoing knowledge sharing are needed to safeguard organizations from cybercriminals. CISA certainly opens up the potential for significantly more government-private collaboration. And some of the constraints around sharing data with partners and government—namely liability concerns—have been reduced but not eliminated.

Despite bipartisan support, there were widespread concerns that participating companies might not anonymize the data sufficiently before sending it to law enforcement officials, expanding how much both authorities and potential adversaries know about Americans and U.S. businesses. There was also concern that CISA gives the FBI another way to investigate Americans for crimes not related to hacking. A letter signed by 55 civil society organizations, security experts, and academics opposing CISA said it would seriously threaten privacy and undermine Internet security.

In addition to the removal of any personal information not directly related to the threat, CISA requires courts to dismiss actions brought against private entities for sharing cyberthreat indicators or defensive measures. As a way to protect privacy, it creates a Privacy and Civil Liberties Oversight Board to assess CISA’s effect on privacy and civil liberties every two years. Even with this measure, some advocates are concerned the act infringes on citizens’ privacy. 

The verdict is still out on whether CISA will effectively protect the privacy of individuals and corporations while also eliminating the liability of organizations that inadvertently share personal data.

Another critical concern is whether organizations will participate in CISA. Unanswered questions around CISA’s untested liability issues may push companies to not opt in to the voluntary process. ISACA’s 2016 Cybersecurity Snapshot found that only a third of IT professionals believe their organization would voluntarily share cyberthreat information after a breach due to concerns about corporate reputation. At the same time, a large majority recognized the value of information sharing between businesses, government, and consumers. 

Will these unknowns prevent CISA from doing what it was designed to do? Only time will tell. Theory and reality rarely align perfectly. But there is no question that increased sharing of the right data in a timely manner can be a powerful weapon in combating advanced threats. 

Tech concerns: Are organizations up to the job?

Do organizations have the technical capabilities required to take advantage of CISA’s cyberthreat-fighting potential? Just as organizations without skilled, certified cybersecurity professionals will likely not benefit from CISA collaborations, those enterprises that lack the operational technologies that can make the intelligence actionable or are unable to share intelligence effectively also may not benefit from CISA. 

For example, organizations lacking technologies that can process standards-based IoC information and compare it electronically with organization-specific network and application-layer data may not be able to leverage the benefits of CISA meaningfully. Thus, technology gaps may prevent organizations from realizing the true benefits of data sharing and become a disincentive to participate in a collaborative ecosystem.
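To make the two technical requirements above concrete (comparing shared indicators against an organization's own log data, and stripping personal information from anything sent back out), here is an added, self-contained example; it is not code from the article or from any CISA/DHS system. The indicator feed, the log format and its field names (user, src, dst, host, sha256, path) are all constructed assumptions.

```python
import re

# Constructed indicator set in the style of a standards-based feed (hypothetical values:
# the IP is from the TEST-NET-3 documentation range, the hash is a made-up placeholder).
SHARED_IOCS = {
    "ipv4-addr": {"203.0.113.45"},
    "domain-name": {"update-check.example"},
    "file-hash-sha256": {"ab" * 32},
}

# Constructed proxy/endpoint log lines for one organization (not real data).
SAMPLE_LOGS = [
    "2016-03-01T10:00:01Z proxy user=jdoe src=10.0.0.7 dst=203.0.113.45 host=cdn.example.org",
    "2016-03-01T10:00:05Z proxy user=asmith src=10.0.0.9 dst=198.51.100.2 host=update-check.example",
    "2016-03-01T10:01:00Z edr user=jdoe device=ws-12 sha256=" + "ab" * 32 + " path=C:/Users/jdoe/tmp/a.exe",
    "2016-03-01T10:02:00Z proxy user=bob src=10.0.0.3 dst=192.0.2.10 host=intranet.corp",
]

KV = re.compile(r"(\w+)=(\S+)")
# Which log field each indicator type is compared against (assumed log schema).
FIELD_FOR_TYPE = {"ipv4-addr": "dst", "domain-name": "host", "file-hash-sha256": "sha256"}
# Fields that identify a person or internal host but say nothing about the threat itself.
PERSONAL_FIELDS = {"user", "path", "src"}

def match_logs(logs, iocs=SHARED_IOCS):
    """Compare each log line's fields against the shared indicators; return the hits."""
    hits = []
    for line in logs:
        fields = dict(KV.findall(line))
        for ioc_type, field in FIELD_FOR_TYPE.items():
            value = fields.get(field)
            if value and value in iocs.get(ioc_type, ()):
                hits.append({"line": line, "type": ioc_type, "value": value})
    return hits

def redact_for_sharing(line):
    """Drop personal/internal fields before a hit is reported outside the organization."""
    kept = []
    for token in line.split():
        key, sep, _ = token.partition("=")
        if sep and key in PERSONAL_FIELDS:
            continue  # the indicator context survives; identity context does not
        kept.append(token)
    return " ".join(kept)

def build_share_records(logs, iocs=SHARED_IOCS):
    """Produce the outbound records: indicator type, value, and redacted context only."""
    return [{"type": h["type"], "value": h["value"], "context": redact_for_sharing(h["line"])}
            for h in match_logs(logs, iocs)]
```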

A call to action

CISA provides many opportunities to improve cybersecurity, but there is a lot of work ahead. Can organizations acquire the skills and technologies to take advantage of the act’s data sharing and threat indicator information processes? Will liability concerns prompt enterprises to not participate in CISA? Will CISA actually work as designed from a public-private partnership perspective? Only time will tell.

Right now, greater collaboration and data sharing holds significant promise in the battle against cybercriminals. Until that vision is achieved, CISA should be considered a call to action and a great starting point. In the meantime, organizations should continue ensuring their cybersecurity personnel are trained, certified, and prepared to protect and defend their data using the best technology they can afford.
