The United States Department of Homeland Security (DHS) will start sharing cyber threat information with certain private companies under the Cybersecurity Information Sharing Act (CISA).
DHS plans to collect threat indicators from private companies and redistribute them to other companies, so that the private sector as a whole gets a fuller picture of current threats and is better placed to defend itself.
CISA also provides liability protection for this sharing: a company that shares threat indicators with the government in accordance with the act no longer has to risk being sued over that sharing.
Kobi Freedman, CEO of Comilion, stated, “Taking the liability issue out of the road is a huge step forward.”
That said, many companies remain hesitant to share information with the government. At a recent CIO conference, more than half of the executives attending said they were no more likely to share their companies’ information with the government now that CISA has passed.
“There is a lot of concern about the ability of DHS to reshare data with other law enforcement agencies if the data being shared is relevant to a criminal investigation,” explained Freedman. “Potentially, it could expose the initiator of the shared data to being part of an investigation that it didn’t want to be part of.”
However, for the time being, CISA does not give the government the power to compel companies to share anything; participation remains voluntary.
“CISA doesn’t have any disclosure requirements or obligations. It creates a framework for meaningful sharing,” Freedman stated. “The main obstacle to meaningful sharing is trust between the participating parties: the government and the private sector… The private sector has to be confident that the government is not only receiving, but sharing, too.”
Controlling the quality of the threat indicators the government shares is likely to be another challenge for CISA’s goal of better protecting companies from cyber attacks.
“Sharing threat indicators and not contextual data could become a joke,” speculated Freedman. “Threat indicators have very short life expectancy. By the time that information is shared, it could become irrelevant.”
“The government needs to show it can add value to the existing threat intelligence feeds that are being consumed,” Freedman continued. “There is real skepticism about whether what the government provides the private sector will be meaningful or not.”
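The two quality problems Freedman raises, indicators that have already aged out and indicators delivered without any context, are both things a feed consumer can check at intake rather than trusting the feed blindly. The following is an added example, not code from the article, from Comilion, or from the DHS sharing program. It assumes indicators arrive as STIX 2.1 Indicator objects (which carry a required `valid_from` and an optional `valid_until` timestamp, a detection `pattern`, and optional `description` and `kill_chain_phases`); the sample feed, the indicator ids, the 30-day default lifetime and the “has context” rule are all constructed assumptions for illustration.

```python
"""Age-out and context triage for a feed of shared threat indicators.

Added example, not code from the article or from any sharing program: the
feed below is constructed in the shape of STIX 2.1 Indicator objects. The
30-day default lifetime for indicators that carry no valid_until, and the
rule that "context" means a description or a kill-chain phase, are
assumptions chosen for this example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed (documentation address ranges, made-up ids).
SAMPLE_FEED = json.dumps([
    {   # its own valid_until has already passed
        "type": "indicator", "id": "indicator--0001",
        "pattern": "[ipv4-addr:value = '198.51.100.7']",
        "valid_from": "2016-03-01T00:00:00.000Z",
        "valid_until": "2016-03-08T00:00:00.000Z",
        "description": "C2 address seen in a phishing wave",
        "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                               "phase_name": "command-and-control"}],
    },
    {   # current, and carries enough context to prioritise
        "type": "indicator", "id": "indicator--0002",
        "pattern": "[domain-name:value = 'update.example.com']",
        "valid_from": "2016-03-09T00:00:00.000Z",
        "valid_until": "2016-04-09T00:00:00.000Z",
        "description": "Staging domain for a credential-harvesting kit",
        "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                               "phase_name": "delivery"}],
    },
    {   # no valid_until at all; valid_from is far older than the default lifetime
        "type": "indicator", "id": "indicator--0003",
        "pattern": "[ipv4-addr:value = '203.0.113.42']",
        "valid_from": "2016-01-01T00:00:00.000Z",
        "description": "Scanner noted in January",
    },
    {   # current, but a bare IOC: nothing says what it is or why it matters
        "type": "indicator", "id": "indicator--0004",
        "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']",
        "valid_from": "2016-03-09T00:00:00.000Z",
        "valid_until": "2016-04-01T00:00:00.000Z",
    },
    {   # non-indicator objects in a bundle are simply skipped
        "type": "relationship", "id": "relationship--0005",
        "relationship_type": "indicates",
        "source_ref": "indicator--0002", "target_ref": "malware--0006",
    },
])


def parse_ts(s: str) -> datetime:
    """Parse a STIX-style UTC timestamp such as '2016-03-09T10:00:00.000Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def has_context(ind: dict) -> bool:
    """Assumed rule: an indicator with neither a description nor a kill-chain
    phase can be matched but not explained or prioritised."""
    return bool(ind.get("description")) or bool(ind.get("kill_chain_phases"))


def is_expired(ind: dict, now: datetime, default_ttl: timedelta) -> bool:
    """Expired if valid_until has passed; if the producer set no valid_until,
    fall back to the assumed default lifetime measured from valid_from."""
    if "valid_until" in ind:
        return parse_ts(ind["valid_until"]) <= now
    return now - parse_ts(ind["valid_from"]) > default_ttl


def triage_feed(feed_json: str, now: datetime,
                default_ttl: timedelta = timedelta(days=30)) -> dict:
    """Split a feed into usable / expired / no_context lists of indicator ids,
    preserving feed order. Expiry is checked before context, so a stale
    indicator is reported as expired even if it is also context-free."""
    buckets = {"usable": [], "expired": [], "no_context": []}
    for ind in json.loads(feed_json):
        if ind.get("type") != "indicator":
            continue  # relationships, reports, etc. are not triaged here
        if is_expired(ind, now, default_ttl):
            buckets["expired"].append(ind["id"])
        elif not has_context(ind):
            buckets["no_context"].append(ind["id"])
        else:
            buckets["usable"].append(ind["id"])
    return buckets


if __name__ == "__main__":
    # Evaluate the constructed feed as of 10 March 2016.
    result = triage_feed(SAMPLE_FEED, now=parse_ts("2016-03-10T00:00:00.000Z"))
    for bucket, ids in result.items():
        print(f"{bucket:>10}: {', '.join(ids) or '-'}")
```

Run as of 10 March 2016, only one of the four indicators survives both checks: two are dropped as expired (one by its own `valid_until`, one by the default lifetime because the producer set none) and one is set aside as a bare IOC with no context. The default lifetime is deliberately a parameter: the right value depends on the indicator type, and an IP address or domain typically goes stale far faster than a file hash.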
Unfortunately for the private sector, keeping attackers out of an organization’s network has proven to be an increasingly losing battle. Perimeter defenses that were adequate two or three years ago are already obsolete, and no matter how advanced a network’s protection is, there is always the risk of user error.
This was shown to be dismally true last week, when the IRS and the Departments of Justice and Homeland Security lost large amounts of personal data about their employees after a relatively unsophisticated attacker did some reconnaissance, then called the department posing as a new employee and asked for a password.
“Access controls and passwords work, until someone gets in,” stated Zoltan Gyorko, CEO of BalaBit. “It’s easier to do social engineering than write a zero-day exploit.”