The Cybersecurity Information Sharing Act is facing an uphill battle to become a widely adopted platform, according to a panel of prominent cybersecurity executives representing Citibank, AT&T and Beacon Strategies.
Though private industry largely sees CISA as a show of “good faith” from the Department of Homeland Security to encourage the collaboration between the Fed and big business, the legislation must overcome significant, inherent challenges that are presently keeping many companies from sharing valuable cyber threat intelligence, Michael Allen, a partner at Beacon Strategies, told an audience Thursday at the 2016 Intelligence & National Security Summit.
Known more commonly as CISA, the bill was was signed into law by President Barack Obama last December.
“Whether it will work ultimately or not is in the implementation and we’ll probably have a good idea of that within the next year,” Allen said. “I would posit that strength of this program moving forward is going to depend on how much value the companies think they get out of participation.”
Some of challenges CISA must confront stem from the limited value of information currently shared on the platform by it’s roughly 50 active private sphere members, said Chris Boyer, an assistant vice president for global policy at AT&T. Another obstacle is the contractual obligations they hold with customers — such as nondisclosure agreements — that otherwise prevent them from sharing information about active cyber attacks with any party.
The panel of speakers said they were also concerned with who may be able to review threat intel, even though the law stipulates that each companies’ customer data is scrubbed of relevant personal identifiable information. Boyer and Allen specifically cited the participation of foreign sharing partners involved with DHS’ automated indicator sharing program as an issue.
“If we actually put information into the system, we want to know where it is going and who is receiving it — in particular, I know DHS has talked about including foreign nationals … I think that’s why you see more companies on the receiving side rather then sending,” said Allen.
Enterprises have largely preferred to share cyber threat intel amongst themselves rather than include the federal government given industry relationships and the value of information provided by sector-specific industry information sharing and analysis centers, or ISACs, said Katavolos.
Citbank, for example, is member of the financial sector ISAC, an independent nonprofit organization that acts as a center for bilaterally sharing of cyber threat intel between competing companies.
“Each individual firm, each ISAC, each country, is at a different stage of maturity with how it deals with information sharing and network security. And I think at each level you need to be challenged to get to the next one … [but] what we don’t want is a one size fits all solution,” explained James Katavolos, senior vice president of Citibank’s cyber intelligence center.
Boyer, Katavolos and Allen agreed that CISA has provided valuable information, but the program will nonetheless be eventually judged by the information it disseminates, the partners it attracts and the hacks it helps avoid, they said. And in those areas, the nascent program has yet to prove itself for any number of reasons, including what some identified as an over classification of shared government data and a lack of strong regulatory and legal protections surrounding the actual exercise of data sharing.
“We do receive a much larger flow of information that we actually use on a day-to-day basis from private sources rather than government sources [today]. But I think even if it’s 20 percent of the time that government comes through with something useful and important, then obviously we want that too,” said Katavolos.