INFORMATION SHARING

For information sharing to work we need the following:

We Need a Safe Harbor or Liability protection

A safe harbor is a provision of a statute or a regulation that specifies that certain conduct will be deemed not to violate a given rule.

"The Internet is borderless"

Internet security problems are going to be borderless. Any solution to our Cyber Security problems will need to be borderless.

Cooperation with non-US entities is critical, and they must have the same access and status as US citizens to be effective in any information sharing agreement.

 

  • Modeled on the National Counterterrorism Center – responsible for analyzing and integrating cyber threat intelligence
  • Will focus on rapid information analysis and sharing
  • Share cyber threat indicators with “reasonable efforts to remove identifiable information”
  • Policy governing the receipt, retention, disposal, use and disclosure of information

What do we already have? – Are we re-inventing the wheel?

We already have the National Cybersecurity & Communications Integration Center

  • Fusion center for entire government
  • Central hub for cyber threat intelligence
  • Collaborates with ISACs for better situational awareness
  • Prevent, detect or block an attack
  • Tactics, techniques and procedures

Simply put:

  • Information allows for immediate containment of an on-going cyber attack
  • Prevent potential cyberattack & mitigate on-going attacks
  • Relying on compliance-based information security strategies alone does not adequately protect organizations against increasingly sophisticated attacks by increasingly sophisticated threat actors
  • Criminals collaborate to perpetrate cybercrimes, so companies and the government should also collaborate to reduce the overall effectiveness of the criminals
  • Deepen their knowledge of security threats and trends
  • Bolster and speed identification and detection of threats

Legal obligations:

    1. Concerns: Violation of legal obligations related to Privacy Protections.
    2. Liability concerns are often most cited by the private sector
    3. Privacy related information that companies are hesitant to disclose
  • Protection of Personal Information
  • Antitrust concerns (sensitive information related to price, cost and output) harm competition
  • Confidential information discoverable through the Freedom of Information Act
  • Exchange could lead to regulatory action or civil liability
  • Is sharing information covered as privileged?
  • S.E.C. – to disclose cyber risk to investors
  • If you create an industry standard some think you can be held liable if you don’t follow them
  • Violation of federal law governing the disclosure of information

Under the Stored Communications Act (SCA), companies are prohibited from disclosing customer information.
DOJ outlined its interpretation of how the SCA is enforced.

  • Companies express Antitrust Concerns

Sharing information on cyber threats could be interpreted by government regulators as anti-competitive behavior.
DOJ and FTC issued a policy statement for assurance: shared technical information is generally unrelated to competitively sensitive information.

SEE NIST: INFORMATION SHARING


Framework for Improving Cybersecurity Critical Infrastructure

The document is in the same spirit as the framework NIST issued in February to help implement President Barack Obama’s executive order on cybersecurity. That is, the new document encourages agencies to shift from ad hoc and reactive approaches to cybersecurity to “formal, repeatable, adaptive, proactive, risk-informed practices.”

Among the dozens of recommendations made in the guide are that organizations:

  • Use "open, standard data formats and transport protocols" to facilitate information-sharing.
  • Use a cyberattack life cycle to devise a plan for an active defense that makes use of external and internal information.
  • Do an "information inventory" that catalogues various types of information on the organization's network, by sensitivity, owner and other labels.
  • Share information on all intrusion attempts, even if they were unsuccessful. Information on unsuccessful intrusions is often less sensitive and therefore can be shared more quickly. 

There are other avenues of sharing information.

  • Informal sharing with peers
  • Phone, email or in-person
  • "Post it all" model – listserv – recipients must take the added time to evaluate and identify how it will affect their system



Incident Response Organizations