Officials from private sector information sharing and analysis centers were lukewarm this week about new legislation designed to encourage the sharing of cyberthreat intelligence, saying privacy concerns about the bill were overblown, but so were claims it was a silver bullet for cybersecurity.
The directors of three different ISACs said during a panel discussion at the ISACA CSX conference in Washington, D.C., that they support the Cybersecurity Information Sharing Act, set to hit the Senate floor this week, but added that a great deal of sharing is already being done by the ISACs without the legislation.
The Senate version of CISA, like the various information sharing bills already passed by the House, gives liability protection to businesses that share cybersecurity information with each other or with the U.S. government. Privacy advocates have come out against the bill, saying it grants the government and the private sector too much leeway when it comes to accessing Americans’ private data.
But panel members Monday dismissed the privacy concerns. Denise Anderson, executive director of the National Health ISAC, said the information the centers share with their members is typically devoid of anything that could identify a person or company.
“The types of information that we are sharing is nothing that would affect somebody’s privacy or would affect some collusion on pricing or anything like that,” she said. “I find that whenever that [privacy] discussion comes up, it’s because people don’t understand how we’re sharing that information.”
Scott Algeier, the executive director of the IT ISAC, said the bill “doesn’t need to be controversial.”
“Some companies are saying that it would be helpful to have liability protection for the information that we are sharing,” he said. “It’s important to tilt the ratio away from the risk and more toward the reward.”
Anderson, who has sat on the board of the National Council for ISACs, said she has seen examples of centers shutting down discussions at even the hint of a company or vendor name. But she said not all sectors are the same: The telecom industry, for instance, has to deal with customer data when examining threat indicators.
“They can share if the customer gives them permission,” Anderson said, “but in order to be able to be more robust in their sharing, to be free from the concern of liability and sharing that type of information, that’s where [liability protection] could be helpful.”
The provisions in CISA are just some of the regulations and standards that ISACs, founded in the Clinton era and focused on the 17 sectors of critical infrastructure, have been dealing with this year. In February, President Barack Obama issued an executive order that established information sharing and analysis organizations. ISAOs are similar to ISACs, but are being created for businesses that do not fall into critical infrastructure silos.
Algeier said he’s “frustrated” by the standards going into these ISAOs because they add another layer of complexity to work that ISACs were already working to accomplish.
“The great source of frustration for me is those that have been out there and doing it well for a decade and a half are now having to spend a lot of resources, a lot of time, a lot of effort on things that are being governed to make my memberships and capabilities better,” he said. “Who knows where these standards will be?”
“Let’s be blunt: ISACs were the original ISAOs,” Anderson said. “I definitely see the need for new user groups. Does that mean the president needed to set that order for us? Not necessarily, because many of us have already been moving down that course.”
Steve Liens, director of the defense industrial base ISAC, said whether it’s new bills or presidential decrees, it comes down to the companies understanding how information sharing can be worthwhile for their enterprises.
“One of the problems we constantly wrestle with is between sharing information and collaboration,” he said. “You can share information all day long, but if you’re not collaborating, you’re not going to get anywhere.”
Algeier pointed to an example of how ISACs can only go so far: Sony Pictures was a member of his center when hackers, said by U.S. officials to be North Korean, destroyed the company’s network and brought the studio to its knees.
“Even if you joined an ISAC, that doesn’t make you immune from attacks,” he said. “We’re one way to help manage your risk. There are large global companies that are complex beasts. You are not going to fix all of your security concerns by joining an ISAC.”