University Says Government's Pretty Terrible At Sharing Cyberthreat Information

from the welcome-to-Threat-Club dept

Multiple government agencies have gone all-in on cybersecurity. CISA was pushed through late last year -- dumped into the back pages of a "must pass" omnibus spending bill. Just like that, the government expanded its surveillance power and cleared its cyberthreat inboxes to make way for all the information non-governmental entities might want to share with it. It promised to share right back -- making this all equitable -- but no one really believed the government would give as much as it would take.

Right on cue, a university heavily involved in scientific research says the government really isn't interested in sharing information.

Virginia Tech is no stranger to hackers. Randy Marchany, the school's chief information security officer, says he assumes the attackers are already inside the networks. The university's attack space includes power generation networks, campus police databases, research files, student records and retail payment systems, among other sensitive digital operations, he said.

[...]

Marchany lamented what he says has been a growing trend during the last couple of years of the government restricting information about ongoing hack campaigns — information that could help his staff identify the suspicious activity they already glimpse on systems.

"The federal government now has this tendency to try to put a classified label on everything, and so I have to sometimes go to a dark room and have people hand me information that I can only look at," he said.

The government wants to have its secrecy and eat its portion of the "sharing" cake, too. Oh, it may be "sharing" in the sense that it's not completely withholding some information pertinent to its partners' interests. But it doesn't share information. It holds onto the information, delivers it only on its terms, and any entities it does decide to share info with should consider themselves lucky its hasn't decided the information is so "sensitive" as to be withheld completely.

Not only will sharing partners need to pass intrusive background checks and obtain security clearances, but they'll also need to have superhuman retention skills, seeing as they aren't allowed to make copies or view information for any longer than the government feels is necessary.

Marchany notes that information he's been allowed to glance at in underlit rooms has been useful in correlating unusual events witnessed on Virginia Tech's end, but still feels the government could do a much better job disseminating information.

This is what tech companies and other entities feared: that the government's idea of sharing was mostly one-way. Private entities would be considered too insecure to trust with the government's threat info, but are expected to pass along anything of interest to a government which has proven multiple times it's far less secure than its sharing partners.

Filed Under: cybersecurity, cyberthreat information, information sharing

President Obama To Encourage Cybersecurity Information Sharing, Highlighting Why We Don't Need CISPA

from the don't-destroy-privacy-in-the-name-of-cybersecurity dept

There's a big "White House Cybersecurity Summit" down the road at Stanford today, where the President will release the details of a new executive order promoting "a framework for sharing information about cyber threats" which the administration hopes will lead organizations to better protect their data from malicious hacks.

The new executive order encourages businesses to form "information sharing and analysis organizations," or ISAOs, which would gather data about hacking attacks and share it with companies and the government.

And, of course, a bunch of companies are going to announce that they're doing just that:

A number of companies will announce Friday that they are incorporating the administration's cybersecurity framework, which was created after a 2013 executive order, into their companies. The framework helps businesses decide how to use cybersecurity investments, ways to implement cybersecurity for new companies and measure their programs against others. Intel, Apple and Bank of America use framework and will announce that they will require all vendors to use it. Both QVC and Walgreens will say they will employ the framework in their risk management practices, while Kaiser Permanente will commit to using it as well.

Of course, if you've been following the big fights over the past few years on cybersecurity legislation, you'll know that such "information sharing" has been a key component in most of the proposed bills, none of which have become law. Most of the bills have focused on one key thing: giving companies liability protection, so that they can't be sued over the information they share. From the beginning, however, we've asked a pretty simple question that no one has answered: what is currently preventing companies from sharing such threat information?

The answer, as reinforced by this move today by the White House, is absolutely nothing. Companies can (and in some cases already do) share "threat" information, and having them do so in a more organized fashion to prevent malicious attacks is, in fact, a good idea. What's not needed is a law that basically gives blanket immunity for companies to share almost any information to any government agency. That's been the problem with CISPA, CISA and similar bills: they're not about truly making information sharing about threats easier, since that can be done already. They're about giving blanket cover for companies to share even more information with government agencies such as the NSA.

With this new executive order and companies adopting the suggested framework, many of the "benefits" backers of cybersecurity legislation talk about will happen without the need for any new legislation. True threat information can be shared and companies can get wiser about protecting their information. But it doesn't give them blanket immunity if they start handing over other information to the government for other purposes, such as surveillance. That's important.

Yes, working together to prevent the growing number of online attacks is important. But that should never be used as a backdoor process to enable greater surveillance. Doing it this way, rather than by passing a questionable law, seems like a much more reasonable first step.

Filed Under: cisa, cispa, cybersecurity, cybersecurity summit, cyberthreat information, dhs, executive order, information sharing, obama administration, president obama, white house