The benefits of federal legislation to govern private and public sector sharing of cyber threat information are being oversold -- and the risks are being too easily dismissed.
That was the consensus of a dozen speakers and panelists at the second annual Senior Executive Cyber Security Conference in Baltimore earlier this month. And it runs counter to the view held by government leaders from President Obama on down, and some leaders in the private sector as well, who've been saying for years that without a legal framework for such sharing, there's little hope for either sector to fend off cyber attacks.
The conference, sponsored by the Johns Hopkins University's Whiting School of Engineering, its Information Security Institute and by Comprehensive Applied Security Solutions (COMPASS), included speakers and panelists from the White House, the Department of Homeland Security (DHS), the private sector, advocacy groups and academia.
Though none at the conference were outright opposed to threat information sharing, several attendees noted that 80% to 90% of security incidents are caused by known vulnerabilities, and could be avoided with good "security hygiene" using security tools that already exist. They also gave multiple examples of sharing that is already going on.
More important, they said the legislative proposals now before Congress don't adequately protect privacy and civil liberties.
"Unfortunately, the bills incentivize oversharing," especially from the private sector to government, said Robyn Greene, policy counsel of the New America Foundation's Open Technology Institute. "They don't protect PII (personally identifiable information) once it gets to other companies or the government."
That, she said, would allow, "too much of it to be used for investigations on things that have nothing to do with cybersecurity."
Greene also argued that there is already plenty of sharing within the private sector. "If anything, what needs to increase is more government sharing. Not to create a free-for-all, but to find a way to get classified data into the hands of technologists."
Journalist Hodding Carter III, who served as assistant secretary of state for public affairs under President Jimmy Carter, was even more blunt. "Our government has decided, on behalf of the nation, that we need extreme measures to combat ... a terminal threat - the worst in American history," he said. "Nonsense, nonsense, nonsense."
Carter asserted that the current terrorist threat doesn't come close to the "mortal threats" of Nazi Germany or the Cold War with the USSR. "We are under threat," he said, "but it's a good time not to do terrible things."
One of those terrible things, he said, is government - specifically the National Security Agency (NSA) - "vacuuming up the details of Americans' lives" - the involuntary data collection exposed by former NSA contractor Edward Snowden.
"I believe in security apparatus for every nation," Carter said. "But what you are defending is as important as how you defend it. We are destroying America by doing things that undermine our essentials. Don't destroy the object you're trying to protect."
Ari Schwartz, director of cybersecurity for the National Security Council at the White House, was one of the few advocates for the pending legislation, though he acknowledged that past efforts have not included adequate privacy or liability protections. He argued that privacy and security don't have to be at odds.
"The goal of government is to do both at the same time," Schwartz said, "and 99% of the time, it's not a problem. It's mutually reinforcing. You can't really have privacy without security."
Given the lack of action in Congress over the past four years, President Obama has issued executive orders promoting best security practices, he said, especially in the nation's critical infrastructure and the voluntary sharing of threat information.
That led to DHS building an automated information-sharing platform that, "contains the same language that banks, energy companies use to share information," and limits the collection of PII. "There's no way to share names, addresses, etc.," he said.
Those orders, he said, have already led to better risk management and incident response.
Schwartz contended that the bills in Congress are better than earlier ones, but warned that some liability protections go too far. "There can't be blanket liability protection," he said. "We don't want it for those who don't take action on threat information."
Bruce Heiman, a partner at the law firm K&L Gates, offered up a short list of reasons why companies should trust government enough to share information, including its capacity to provide threat information and foreign intelligence, and its power to pursue cybercriminals.
But he had a much longer list of reasons why it could be risky, including:
- Loss of control of the investigation and response
- Damage to reputation
- Regulatory enforcement - both civil and criminal
- Actions by state attorneys general
- Civil class action suits by those whose data is compromised and/or by shareholders
- Congressional investigations
The way to get the benefits without suffering the risks, he said, is to, "provide protection to companies to incentivize the voluntary sharing of information."
As both Greene and Schwartz noted, voluntary information sharing is already happening. Michael Echols, of the DHS Office of Cybersecurity and Communications, said his agency's information-sharing hub, "shared 97,000 indicators in 2014 - half from malware and issues that we knew about five years ago - and turned reports into actionable alerts - 12,000 of them in 2014."
Adding support for information sharing was Curtis Levinson, U.S. cyber defense adviser to NATO. He called himself a "huge fan" of the effort, and noted that he is working on a threat information sharing system, "with 28 countries that don't like or trust each other, but are allies in this area."
A system that shares the threat data while scrubbing personal information is, "the only way we can get a leg up."
Bob Butler, senior adviser at The Chertoff Group, agreed. He called sharing "a key element of any cybersecurity program. Threat intelligence helps - especially the smaller players."
"It doesn't get at where greatest threats are coming from," Greene countered. "Ninety percent are defensible with solutions that are already out there - that's why I call information sharing the '10% solution.'"
Matthew Green, research professor at Johns Hopkins' Information Security Institute, called information sharing the equivalent of "focusing on what neighborhood kids are throwing rocks at our houses, instead of fixing our houses."
He said the entire online system, from software to firmware to networks is, "catastrophically vulnerable (because) the tools we are using are a disaster."
If government wants to do something constructive, "it ought to take a 'Manhattan Project' approach to fixing software," Green said.
Even that, Echols reminded the audience, will not eliminate the problem. "If I left a bunch of USB drives in the parking lot, half of the people would pick them up and put them in their computers," he said, in an oblique reference to how the Stuxnet worm was introduced into an Iranian nuclear facility. "That's not a technology problem, that's an education problem."