Former Obama Cyber Advisor Says Privacy Concerns Loom Over New DHS Program
Get to know the Automated Indicator Sharing (AIS) initiative…
The Department of Homeland Security (DHS) has officially begun to share cybersecurity threat intelligence with other federal agencies as well as private companies. The move follows legislation passed late last year, chiefly the Cybersecurity Act of 2015. And while the regular news cycle didn’t highlight the program’s launch on Thursday, Homeland Security Secretary Jeh Johnson told the Associated Press that it “is a big deal.” But a cohort of prominent area cybersecurity firms is less sure, according to multiple interviews conducted by DC Inno.
The voluntary program, named the Automated Indicator Sharing (AIS) initiative, establishes a secure online portal for sharing data that could potentially help stop a breach before it happens. This information, drawn from known and recorded threats across multiple private and public networks, could be vital in identifying the vulnerabilities that specific hacker groups are targeting. In the past, rather surprisingly, the same suspect could be attacking both the DHS and another agency, like the EPA, but there was no way to coordinate a defense through shared intelligence.
“Government can have a positive role in this space and the NVD (national vulnerability database) and CVE (common vulnerabilities and exposures dictionary) from US CERT are [already] unquestionably useful resources,” said Scott Petry, co-founder of secure cloud-browser developer Authentic8. He added, “It’s like ‘see something, say something’ applied to computer security. I doubt that companies will assign the manpower to collect and report useful data consistently to the system, which means that the quality of the output may be questionable.”
But because private industry—especially high-cap corporations holding sensitive and valuable files, like the Anthem Insurances of the world—is increasingly targeted by the same sort of nation-state-backed technicians that hope to break into federal systems, the AIS appears at face value to be a step in the right direction.
At the moment, there are six unnamed companies involved in sharing data through the initiative, DHS assistant secretary for cybersecurity and communications Andy Ozment told the Wall Street Journal. Importantly, the Cybersecurity Information Sharing Act (CISA), passed in December 2015, also gives these parties liability protection that enables them to share indicators with the government. For reference, this liability protection, backed by the federal government, can shield participants from legal exposure if related client or user data is leaked in the course of coordinated sharing.
Under the law, the DHS is expected to scrub proprietary, identifiable user information that companies may contribute. But that responsibility comes with a caveat: if the DHS finds data that pertains to a specific threat of death, serious injury or potential economic damage, then the associated user information may be passed on. That decision is a right held by the DHS alone.
Nathan Shea, a managing partner at cybersecurity consulting firm SecureStrux, said that his biggest concern with AIS continues to be privacy. “Privacy is the big challenge. People want to help, but giving up their potentially private information and handing over PII (personally identifiable information) data, and how that’s going to be used, is tough. If they [a private company] have been attacked and their info is given up, they are now at risk because they tried to help.”
Read the full article here: http://dcinno.streetwise.co/2016/03/22/cybersec-execs-criticize-dhs-threat-data-sharing-program-ais/
SecureStrux, LLC is a woman-owned small cybersecurity consulting firm that focuses on providing specialized services in the areas of compliance, vulnerability management, cybersecurity strategy and engineering solutions. SecureStrux offers a comprehensive range of services that provides clients with proven methods and common-sense approaches to secure their data, build trust with their own clients, and remain compliant with DoD, federal and industry standards.