The Cyber Intelligence Sharing and Protection Act of 2013 (CISPA), which aims to bolster America’s ability to anticipate and defend against cyber-attacks by improving the situational awareness of front-line IT professionals and law enforcement authorities, will be on the House floor this week. So it is worth taking a close look at how the information sharing it aims to encourage between the public and private sectors would work in practice to protect critical systems and safeguard people’s personal information.
The point of information sharing is to promote nimble, adaptive commercial innovation, which is the best defensive strategy against a rapidly evolving threat landscape. Think of it like this: Sharing threat information helps thwart malicious hackers, criminals and foreign agents in the same way that tracking humidity, temperature, and wind direction helps predict the weather.
But today private companies find themselves inhibited by a patchwork of laws that either prohibit information sharing or cause confusion about whether and when it is allowed. This slows down our ability to protect everything from critical systems to small businesses to home computers. CISPA addresses the problem by breaking down legal barriers. On a purely voluntary basis, it encourages sharing of threat data in the private sector and back and forth with the federal government.
As the bill has advanced through the early stages of the legislative process, it has been the subject of a constructive debate among public stakeholders about how best to defend against very real and dangerous cyber threats while also protecting people’s privacy and civil liberties. The bill’s co-sponsors, House Intelligence Committee Chairman Mike Rogers (R-Mich.) and Ranking Member Dutch Ruppersberger (D-Md.), have been very open to addressing these concerns, as reflected in the Committee’s recent markup. To take one example, the current iteration of CISPA expressly prohibits the private sector from using information from the government for any purpose other than cybersecurity. This process is ongoing, and it proves that security and civil liberties can go hand-in-hand.
How can sharing “anonymized” threat data work in practice?
In a fast-moving cyber threat landscape, “situational awareness” comes from knowing what machines are doing, not people. For example, security companies routinely monitor data flows, new malicious computer code, and telling technical behaviors such as blasts of unusually large batches of email from corporate networks at two o’clock in the morning.
Sensitive personal information such as Social Security numbers, credit card numbers, PINs, and health records is not germane to cybersecurity. Furthermore, when it comes to sharing, there are practical business reasons why companies carefully protect it: At the end of the day, personal information is customer information, and maintaining trust with customers is a core business imperative.
What really matters for cybersecurity purposes is machine-level data about such things as changes in the volume of traffic (often a key indicator of malicious intent), the types of devices being used, their chip sets and operating systems, and the IP addresses at the source of suspicious activity. Security experts look for trends, the prevalence of certain behaviors, and propagation patterns for malware. By analyzing these technical data, security companies can assign threat scores to certain IP addresses or computers, much like credit ratings for consumers. System operators then can use that information to block dangerous traffic and stop malicious activity.
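The pipeline described above can be sketched in a few lines. This is an added illustration, not code from BSA or any security vendor: it strips personal fields with an allowlist before sharing, then aggregates the remaining machine-level records into a per-IP threat score used to build a blocklist. The field names, score weights, threshold, and sample events are all assumptions constructed for the example.

```python
from collections import defaultdict

# Allowlist of machine-level fields; anything else (names, SSNs, card
# numbers) is dropped before a record leaves the organization.
SHAREABLE_FIELDS = ("src_ip", "hour", "emails_sent", "baseline_emails", "os")

# Constructed sample events; IPs come from documentation ranges (RFC 5737).
RAW_EVENTS = [
    {"src_ip": "203.0.113.7", "hour": 2, "emails_sent": 9000, "baseline_emails": 40,
     "os": "Windows XP", "customer_name": "A. Example", "ssn": "000-00-0000"},
    {"src_ip": "203.0.113.7", "hour": 3, "emails_sent": 7500, "baseline_emails": 40,
     "os": "Windows XP", "card_number": "0000000000000000"},
    {"src_ip": "198.51.100.20", "hour": 14, "emails_sent": 55, "baseline_emails": 50,
     "os": "Linux", "customer_name": "B. Example"},
]

def anonymize(event):
    """Keep only allowlisted machine-level fields."""
    return {k: event[k] for k in SHAREABLE_FIELDS if k in event}

def threat_scores(events):
    """Aggregate shared records into a 0-100 score per source IP.
    Weights are illustrative assumptions, not an industry standard."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["src_ip"]].append(e)
    scores = {}
    for ip, evs in per_ip.items():
        # Volume spike: worst ratio of observed to baseline traffic, capped.
        spike = max(e["emails_sent"] / max(e["baseline_emails"], 1) for e in evs)
        volume_pts = min(60, 6 * max(spike - 1, 0))
        # Share of events seen in the small hours (00:00-05:59).
        off_hours = sum(1 for e in evs if 0 <= e["hour"] < 6) / len(evs)
        # Repeated sightings of the same source raise confidence.
        repeat_pts = min(10, 5 * (len(evs) - 1))
        scores[ip] = round(volume_pts + 30 * off_hours + repeat_pts)
    return scores

def blocklist(scores, threshold=70):
    """Source IPs whose score meets the (assumed) blocking threshold."""
    return sorted(ip for ip, s in scores.items() if s >= threshold)

if __name__ == "__main__":
    shared = [anonymize(e) for e in RAW_EVENTS]
    print(threat_scores(shared), blocklist(threat_scores(shared)))
```

An allowlist is used rather than a denylist so that a new personal field added upstream is withheld by default instead of being shared by accident.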
How can sharing aggregated threat data curb cyber-attacks?
Information-sharing can help mitigate cyber threats in a number of ways:
- Identifying vulnerabilities that need patching. Sharing malware signatures and aggregated machine-level data allows security experts to identify systems that are vulnerable to attacks and exploits, so warnings can be issued and patches distributed.
- Intercepting threats early. When system operators spot telltale signs emanating from a particular source, such as patterns of trial and error, they can predict a perpetrator’s next move and react by blocking likely paths.
- Undermining the profit model for cybercrime. When public and private sectors cooperate to identify threats, share information, and increase situational awareness, they can reduce malicious traffic and raise the cost of doing business for cybercriminals.
- Curbing state-sponsored cyber-attacks. The most sophisticated attackers defeat traditional security systems by quietly targeting underlying components of IT systems. Rapid, real-time information-sharing will give the government and private sector additional tools to deter these types of attacks by clearing the “noise” of less-sophisticated attacks and spotlighting the most egregious actors.
There is widespread agreement about the need to bolster America’s ability to prevent cyber-attacks — and BSA firmly believes that increased cybersecurity does not have to come at the expense of privacy or civil liberties. On the contrary, increased security can enhance citizens’ privacy by preventing private information from falling into the hands of cybercriminals. CISPA represents an important step in the right direction, and as the bill proceeds through the House and Senate there is every reason to believe it will continue benefiting from the constructive, bipartisan debate that began in the House Intelligence Committee.