Security executives say the sharing of threat information is useful – and they’re already doing it. Legislating it, some say, could get in the way.

If Congress does pass, and President Obama signs, legislation governing the sharing of cyber threat information among private organizations and with the government, those most directly affected will likely be those in IT security leadership: CSOs and CISOs.

And, based on the debates on bills now pending in Congress, it would seem that their biggest challenges would be increased pressure to protect personally identifiable information (PII), to make sure that trade secrets or other intellectual property don’t get inadvertently “shared” along with threat information, and to make sure that the organization doesn’t ignore threat information from others that then leads to a breach.

Those bills may not get any serious attention at least until next month, and there is no guarantee that anything will get completed – the Senate bill is stalled at the moment and has at least 22 proposed amendments pending. But Ari Schwartz, director of cybersecurity for the National Security Council at the White House, told attendees at the Senior Executive Cyber Security Conference in Baltimore last Thursday that he was optimistic that conflicts over differing provisions in the bills could be sorted out in conference committee negotiations.

Is that possibility making the CISO/CSO community thrilled or nervous about impending drastic changes to their jobs? Apparently neither, at least in part because, based on the track record of previous Congressional efforts, it is almost impossible to predict what might end up on the president’s desk.

As Rick Howard, CSO of Palo Alto Networks, put it, “trying to discern what will come out of Congress is a fool’s errand. As a body, they seem to always fumble the ball before they get it across the goal line.”

Indeed, Howard said he and other IT executives have “grown weary of waiting for the government to come up with something. We have decided to do something ourselves.”

That “something” is the creation of the Cyber Threat Alliance, a group of security vendors that have agreed to share threat information with one another. So far, it includes Palo Alto Networks, Symantec, Intel, Fortinet, Barracuda, Zscaler, Telefonica and ReversingLabs.

It was launched about a year ago, and Howard said, “we have a long ways to go, but I am hopeful that this kind of arrangement will work more quickly than anything that comes out of the government.”

The Alliance, along with other, longer-established organizations like the ISACs (Information Sharing and Analysis Centers) and ISAOs (Information Sharing and Analysis Organizations) promoted by DHS, is an example of what several speakers at the conference said is happening voluntarily, without any legislation.

“Information sharing is moving forward,” said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute, adding that the pending bills deserve scrutiny, “but I don’t think they will improve it (sharing).”

Kim Jones, CSO at Vantiv, who stressed he was speaking for himself and not his company, said he is not familiar enough with the details of the legislation to comment on it specifically, but did not think it would substantively change his job. “I deal with regulatory and legal compliance every day; this will be just another requirement,” he said. “Figuring out the mechanics of complying will be a long discussion with my legal team, my compliance team, and my regulators.”

Jones said he is, in general, a proponent of data sharing. “In security, the problem that you have today, I will most likely have tomorrow,” he said. “Sharing data around threats and issues can help us get ahead of the bad guys.”

But he said problems can arise “when you legislate that sharing.” First, he said, it is easy to get “bogged down” in definitions and interpretations of terms like “threat” or “incident.” Those issues then “get decided by corporate counsel versus security professionals.”

Second, he said, ensuring complete anonymity of data becomes “hyper-critical.”

“Once the data is amassed, what’s to prevent it from being pivoted and analyzed in a way that was not anticipated by the legislation?” he said. “If it is truly anonymized there’s no issue, but if there’s any traceability back to companies or individuals, the possibilities for misuse or abuse are only limited to the creativity and imagination of our thoughts.”

Finally, he said sharing mandates could cause legal trouble for CSOs, and could reduce incentives to share.

“What happens when Company A refuses to share a nugget of data with the government but wants to share with his fellow CSOs? Potentially, Company A is breaking the law – and now the CSOs of Companies B and C are complicit in that action.”

According to Howard, the sharing rules of the alliance are simple and effective. “You have to give as much as you get,” he said. “To get intelligence, you have to share intelligence, and we measure it every day.”

And he said it is useful. “Whatever I get from other alliance members, I dump right into the product. Whatever I give the other members, they do the same.”

The goal is to grow the alliance to the point that “every Internet-capable organization on the planet will have access to the latest and greatest real-time threat intelligence security controls.”

“It is a pretty big idea and we have some hurdles to get over,” he said, “but I am hopeful.”