Cyber Threat Sharing: What’s in Store for 2015
The hack of Sony Pictures Entertainment late last year did much more than help The Interview make $40+ million in digital sales; it renewed public interest in cyber security. Two months later, with a second major hack (Anthem Insurance) fresh in our minds, American politicos and tech firms alike are gearing up to change the ways in which we tackle online threats. But as businesses and the government begin sharing security data with one another, let’s not lose sight of the risks to personal privacy and liberty that might be incurred. We are our personal data, and we can’t afford to have it shared alongside the common numbers.
This article attempts to place the most recent happenings in the world of cyber sharing into context. It’s not the usual XDA fare, but bear with me. As developers, we pay for hacks and malware in clicks, cash, and the trust of our users. All are easy to lose and hard to win, so it’s vital that we stay current on how our peers and the government are proposing to help. On the other hand, unchecked trust in the CIA and congress can spell “police state,” which has an equal potential for damage. We balance on a fine line between liberty and safety, with our users and our own data at risk on both sides. Knowledge is our best defense, so here’s what is on the docket for 2015.
Anatomy of a Cyber Sharing Initiative
After reading dozens of existing laws, proposals, and press briefings, I’m struck by how formulaic cyber threat sharing initiatives are on paper. This isn’t a coincidence. For the idea to work, all a proposal needs is something actionable to share, a place for that information to live during analysis, some privacy safeguards to keep the public happy, and legal safeguards to keep the sharers out of jail. Here is the basic recipe I’ve seen time and time again:
- Define “threat.”
- Limit the sharing/collection of Personally Identifiable Information (PII).
- Quickly share relevant information with those in need through a special data hub or system.
- Provide immunity from prosecution, and (occasionally) immunity from Freedom of Information Act requests to encourage sharing. This one is only a feature of proposed laws, of course. Private sharing pacts must tread lightly within the bounds of whatever laws are on the books now.
- Provide a measure of transparency.
Privacy advocates and security analysts agree that this structure can work to our best interest. Cooperation helps us see threats and patterns we would otherwise miss, and it’s a vital and beneficial part of the internet age. The controversy comes from the spectrum within each point. Should “threat” be so broad a term that political dissent and copyright disputes are caught by the drag-net, or so insubstantial that even North Korea can slip by unscathed? How about personal data? Do we even need the ability to tie figures to faces when hunting malware and botnets? Even CISPA proponents are skeptical, yet the provisions remain. Legal immunity encourages more parties to contribute, but makes it difficult to prosecute (or even know about) abuse, so what’s the proper balance? These are the kinds of questions to ask when reading security proposals. With them in mind, what follows are the recent initiatives organized by instigator – the President’s office, congress, and industry.
The White House
The White House has had cybersecurity on its mind for a long time. Back in 2011, it was President Obama’s first Cybersecurity Legislative Proposal that sparked the congressional debate leading to CISPA, the ill-fated and oft-revived Cyber Intelligence Sharing and Protection Act. Since that time, comprehensive legislation has remained elusive. Several follow-up executive orders and mandates have precipitated cyber intelligence infrastructure improvements (more on them later), but the need still exists for wide-scale reform. This lack of action, coupled with recent hacks and public sentiment, sets the stage for current efforts.
The White House summit on Cybersecurity and Consumer Protection this past Friday marked the start of a renewed push for threat sharing across the board. At the conference, the President made three related moves to spur action. First, a re-vamped legislative proposal eases the path to sharing between businesses and the government. Second, a new hub for collecting, organizing and disseminating threat data – the Cyber Threat Intelligence Integration Center (CTIIC) – will stand ready to make real-time sharing between public and private sectors possible. Finally, an Executive Order calls on businesses to create their own hubs for sharing amongst themselves, and draft an API to help the government share intel with the new private networks.
The presidential call to action is thorough and well thought out, but only time will tell its effectiveness. At the end of the day, the first and third points can do little more than place pressure on congress and industry. It’s a hard sell because both halves of the legislature are Republican-led, and many tech firms are still fighting to regain consumer trust following accusations of aiding the National Security Agency in widespread surveillance. For their part, Facebook, Google, Yahoo, and Microsoft representatives were conspicuously absent during the summit’s main act, turning up only for the closing breakout session on lessons learned from fighting hackers. Perhaps this is why Apple Pay got the presidential nod instead of Wallet.
Despite the recent track record of few bills passing the House and Senate each session, some progress is still being made with cybersecurity legislation. Last session, four relatively minor, yet still noteworthy bills made it through:
- Federal Information Security Modernization Act (S.2521) – update to the Federal Information Security Management Act
- National Cybersecurity Protection Act of 2014 (S.2519) – authorizes a National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security. In short, a hub for sharing and analysis.
- Cybersecurity Workforce Assessment Act (H.R.2952) – as it says on the tin, this requires a cybersecurity audit by the Secretary of Homeland Security, with a provision on developing “workforce strategy.”
- Border Patrol Pay Reform Act (S.1691) – part of this act bolsters the previous DHS Cybersecurity Workforce Recruitment and Retention Act of 2014.
The broader and more aggressive proposals have thus far suffered from partisan bickering, public backlash, and a host of other concerns, but this year might be different. Some news sources are pointing to President Obama’s recent proposals and the pressure to take action following the Sony hack as writing on the wall that he is willing to come to the legislative table. Could we see something like the privacy-abusing bill the president threatened to veto less than two years ago signed into law?
CISPA 2015; Yes, It’s Back
Two crowd favorites in the intelligence community are known for circling back to the top of the pile and inciting doomsday headlines from privacy advocates:
- House – the Cyber Intelligence Sharing and Protection Act (CISPA)
- Senate – the Cybersecurity Information Sharing Act (CISA)
CISPA is currently bouncing between subcommittees on its way to a full House vote, which seems favorable given that the only change from the well-received 2013 version is a removed space between “cyber” and “security” around line 604. Third time’s the charm? The Senate version, CISA, is MIA, but we’ll cover what the Senate is up to in a moment.
Why all the doom and gloom about CISPA and your personal privacy/liberty? For a complete rundown, check out some of the voices of dissent; there’s no better way to find out how a law works than to ask a group of lawyers to knock it down a peg.
- Electronic Frontier Foundation’s Q&A on CISPA
- Fight For The Future’s curated stream of links, videos, and infographics wrapped in a petition drive.
Some of the linked posts are older, but like I said, the bill is quite literally a copy/paste from before. Looking for the quick-and-dirty explanation, instead?
- Broad definitions. As long as someone down the line says your email, chat history, browsing history, location history, or other personal info might be connected to a threat, it can be shared with the government and others.
- Legal immunity. The numerous privacy laws on the books are waived, and the sharer can’t be sued regardless of the consequences resulting from the share.
- Potential for copyright abuse. This one shouldn’t need to be here after public outcry led to removing “intellectual property” from the original language, but what remains can still apply to copyright due to broad definitions of “confidential material” and “authorized restrictions on access.”
- No notification or recourse. Even if the government breaks this new law by mishandling your data or going beyond the already vague limits, only the company must be notified. As long as the company acted “in good faith,” they can’t be sued and don’t have to report a thing.
- Personally Identifiable Information is fair game. Even though security experts agree that information linked to your identity isn’t even needed to share threats, it can still be shared with impunity.
- Companies can target and punish. If a company deems you to be a threat, they can break the law to fight back. DDoS attacks and other aggressive measures could be considered “decisions made” in response to threat information, which is covered by legal immunity. Remember the copyright abuse point above? Judge and executioner in one blow.
- Collected info can be used for anything. Once the data is in the system, the legally broad definition of “national security” gives tremendous latitude.
In short, the bill tackles an important issue using an admirable formula, but leaves doors open to abuse left and right.
The Cyber Threat Sharing Act of 2015
Senator Thomas Carper (D-Del) proposed his take on threat sharing last Wednesday – The Cyber Threat Sharing Act of 2015. At first glance, this bill looks the same as CISPA… but that’s a product of formula, not fault. Let’s see how it handles the details before we pass judgment. After all, stopping hacks is still a good thing, and sooner or later one of these bills needs to become law. Our responsibility as citizens is to kick and scream until it’s the right bill.
Here’s an itemized summary:
- Speedy sharing within the government. All relevant parties must be looped into the discussion in “as close to real-time as practicable.”
So far, so good. When the government receives a threat, they’re obligated to share it with those in need post haste. What data is involved, and what the other agencies do with the data is another story.
- Improve sharing of “classified and unclassified cyber threat data with industry.”
Again, information is not a bad thing, provided it’s the right information.
- Authorizes sharing and provides liability protections to sharers. Data collected is immune to Freedom of Information Act (FOIA) requests. Sharers include:
- The National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security
- Any self-certified group of security analysts
“Self Certification” is always a red flag in my book because it lacks oversight and accountability. After all, I’m a self-certified priest, but that doesn’t mean my immortal soul is safe in the hands of Jeff Bridges’ character from The Big Lebowski. Also, there’s the small matter of FOIA exemption. The government can store my data, but I can’t know what that data is, who knows about it, or how it’s being (ab)used?
- Privacy protections
- Narrow definition of what data may be collected and how it can be used.
- Reasonable efforts made to minimize Personally Identifiable Information
- Transparency reports about how the bill functions
- Bill must be re-examined within five years
What qualifies as a “reasonable effort” is important here, especially because little light can be shone on the issue once the information is part of the system. Likewise, the scopes of data collection and use will need considerable scrutiny before being deemed safe for the public.
The takeaway? Good start, but there are some hefty red flags. Watch this space.
Private Sector: Facebook & Beyond
Seemingly taking the President up on his offer (before he even asked), two new corporate threat sharing initiatives took off recently, including the Facebook-driven Threat Exchange that launched to the public just days before the Cybersecurity summit snubbed by Zuckerberg.
Doing what they do best, Facebook has been using their own Graph Search for cyber threat analysis since at least March of last year. But now the system, known as ThreatData, has gone social to become a full network in its own right: a ThreatExchange. Instead of sharing vacation snapshots and photos of teacup piglets with snarky captions, the network lets businesses send the latest malware samples, bad domains, and associated metadata to the cloud, complete with privacy controls to limit who sees what on their wall. Launch partners include Bitly, Dropbox, Pinterest, Tumblr, Twitter, and Yahoo.
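What “minimize Personally Identifiable Information” and “share the indicator, not the person” actually look like in practice is easier to see in code than in bill text. The following is an added illustration, not code from this article, from Facebook’s ThreatExchange, or from the Cyber Threat Alliance: a small Python minimizer that takes a constructed incident record, keeps the actionable indicators (malware hash, C2 domain, attacker IP), pseudonymizes the victim fields with a keyed HMAC so the same victim can still be correlated across reports, scrubs addresses out of free-text notes, and tags the result with a TLP-style sharing scope. The field names, the scope labels, and the sample record are assumptions made for the example, not any platform’s real schema.

```python
"""
Added example: PII minimization for a shared threat indicator record.
Field names, scope labels and the sample incident are constructed for
illustration; they do not describe ThreatExchange or the Cyber Threat Alliance.
"""
import hashlib
import hmac
import json
import re

# Allowlist of fields that carry actionable threat data and may be shared as-is.
INDICATOR_FIELDS = {"observed_at", "malware_family", "malware_sha256",
                    "c2_domain", "attacker_ip"}
# Victim fields that are useful for correlation: replaced by a keyed pseudonym.
PSEUDONYMIZE = {"victim_email", "internal_host"}
# Assumed TLP-like labels telling the hub how far the record may travel.
SCOPES = ("internal", "partners", "community")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample record (documentation-reserved IP/domain, invented hash).
SAMPLE_INCIDENT = {
    "observed_at": "2015-02-16T09:41:00Z",
    "malware_family": "constructed-trojan",
    "malware_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "c2_domain": "update.example.net",
    "attacker_ip": "203.0.113.45",
    "victim_email": "j.doe@corp.example",
    "victim_name": "Jane Doe",
    "internal_host": "fin-ws-017.corp.example",
    "notes": "User j.doe@corp.example opened invoice.pdf.exe; beaconing to update.example.net",
}


def pseudonymize(value, key):
    """Keyed HMAC, not a plain hash: a partner who learns the output cannot
    brute-force short inputs such as email addresses without the org's key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseudo:" + digest[:16]


def minimize(record, key, scope="partners"):
    """Return a shareable copy of an incident record.

    Allowlist semantics: indicator fields pass through, correlation fields are
    pseudonymized, free-text notes are scrubbed of addresses, and every other
    field is withheld by default and listed so the sender can see what was cut.
    """
    if scope not in SCOPES:
        raise ValueError(f"unknown sharing scope {scope!r}")
    shared = {"sharing_scope": scope}
    dropped = []
    for field, value in record.items():
        if field in INDICATOR_FIELDS:
            shared[field] = value
        elif field in PSEUDONYMIZE:
            shared[field] = pseudonymize(value, key)
        elif field == "notes":
            # Free text is where PII leaks; replace anything address-shaped
            # with the same pseudonym the structured field gets.
            shared[field] = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), key), value)
        else:
            dropped.append(field)
    shared["dropped_fields"] = sorted(dropped)
    return shared


def leaks_pii(shared, original, pii_fields):
    """Pre-send check: True if any original PII value still appears verbatim
    anywhere in the serialized shared record (including inside free text)."""
    blob = json.dumps(shared)
    return any(str(original[f]) in blob for f in pii_fields if f in original)


if __name__ == "__main__":
    org_key = b"per-organization-pseudonym-key"  # assumed secret, kept in-house
    out = minimize(SAMPLE_INCIDENT, org_key)
    assert not leaks_pii(out, SAMPLE_INCIDENT, {"victim_email", "victim_name", "internal_host"})
    print(json.dumps(out, indent=2))
```

Two design points worth noticing. The pseudonym is an HMAC under a key the organization never shares, so two reports from the same org about the same mailbox correlate, but a partner cannot recover the address by hashing a dictionary of candidates; a different org with a different key produces a different pseudonym for the same address, which is the intended boundary. And `leaks_pii` is run over the serialized output rather than field by field, because the realistic failure mode is an address surviving in a notes field, not in the column you remembered to redact.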
Another sharing hub, the Cyber Threat Alliance, claims to set itself apart by going after “actionable threat intelligence” including “information on zero day vulnerabilities, botnet command and control server information, mobile threats” and other indicators in addition to common malware samples. Members include Fortinet, McAfee, Palo Alto Networks, and Symantec, with membership contingent on meeting weekly quotas of new intelligence.
How effective each network proves to be in the face of common threats remains to be seen, but their existence is an encouraging sign for the future of malware detection. If you’re in the market to beef up your app’s back-end, these are both worth the look.
Initiatives starting in the private sector are theoretically less invasive because they answer to current laws, public opinion, and government data requests… but that’s a topic for another article. What do you think about the recent White House proposals, pending legislation, and social cyber threat sharing collectives? Are you ready for CISPA v3.0? Sound off below!