Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Security experts mostly critical of proposed threat intelligence sharing bill

Maria Korolov | Sept. 11, 2015
This fall, the Senate is expected to take another look at the Cybersecurity Information Sharing Act, or CISA.

US flag in front of government state capital

This fall, the Senate is expected to take another look at the Cybersecurity Information Sharing Act, or CISA, but many security experts and privacy advocates are opposed.

Cybersecurity has been in the news a lot this summer, and not just with several new high-profile breaches in government and the in private sector.

Last month alone, the Pentagon began requiring defense contractors to report breaches, the White House Office of Management and Budget proposed new cybersecurity rules for contractor supply chains, and a court agreed that the Federal Trade Commission has the authority to enforce cybersecurity standards.

And many security experts agree that it's important for companies to share cybersecurity information, in real time, without risk of being publicly embarrassed, fined, or sued.

"I understand the concern about individuals and organizations concerned about privacy," said Jerry Irvine, CIO at Prescient Solutions. "But the bottom line is that we can't protect ourselves without the ability to show actual technical data to other organizations within our industry and agencies in the federal government."

It is extremely important for a law to get passed, he added, since existing information sharing platforms are inadequate, or not in real time.

"Concerns about privacy with regard to CISA are in my view overblown," said Simon Crosby, co-founder and CTO at Bromium. "There are undoubtedly many benefits that will accrue as a result of wider, faster sharing of threat intelligence."

But the bill, as written, has problems, others say.

Privacy? What privacy?

The biggest concern most critics of the CISA bill have is that it seems to be more about the government gathering information than about helping companies improve security.

"For most of the security community, the concern about CISA is in its potential to open up yet another avenue for warrantless seizure of personal information," said Andy Manoske, senior product manager at AlienVault.

According to Manoske, government organizations would be able to seize any private data that they say is related to violent crimes without a warrant or share privacy user data with other international organizations.

"The way that the bill is written would give companies the ability to spy on all of their users with impunity, in order to detect if they are a 'cyber threat,'" said Justin Harvey, chief security officer at Fidelis Cybersecurity. "This information can be shared with the Department of Homeland Security, which can then, in turn, send the data to the NSA in real time, or companies can bypass DHS altogether and send it over to the NSA."

The only positive feature of the bill, he said, is that it requires the federal government to share cyber threat information with the commercial sector.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.