“Identity has become the attack vector of choice for cyber criminals. It is the single unifying control point in the application economy, critical to accessing all apps, devices, data and users,” said Rosen. “The Cybersecurity Act of 2015 includes guidance that addresses the need for identity protection, multi-factor authentication, and least-privilege access controls to better protect the critical systems and infrastructure of our nation and our industries.”
Three core questions around the Act’s information sharing authorization relate to the timeliness and security of the information, and the liability protections afforded to participating organizations.
“To effectively thwart attacks, organizations will need to know that the information they receive through this program will be timely, accessible and actionable,” Rosen said. “Just as important as the timeliness, they will need to know that the shared information is secure. Trust is vital to the success of this program, and industry needs to know that the participants in the program are authenticated and that the data they share and receive is legitimate.
“Finally, further clarification is desired around the liability protections for sharing information with other private sector organizations and the automated removal of personally identifiable information,” Rosen added.
Rosen also outlined three recommendations related to specific provisions within the Cybersecurity Act of 2015:
- Liability protection. “Cybersecurity information sharing is based on trust, and this trust needs to be underpinned by a strong understanding and certainty for participating companies that they have targeted liability protection for the data they share or receive. We encourage the DHS to actively engage with industry and legal groups to help them better understand the information sharing program, the responsibilities of participating organizations, and the liability protections that will be afforded participants.”
- Preserving privacy. “The Cybersecurity Act of 2015 requires organizations and government to remove personally identifiable information (PII) of individuals not related to the threat from any threat information shared. The global IT industry is sensitive to issues of protecting privacy and enhancing trust in the solutions we deliver. Therefore, we believe the DHS and the Administration should remind constituents that the purpose of cyber threat indicator information sharing is to protect networks and not to collect information about individuals. Additionally, it’s important to help organizations understand there are tools to help them remove PII automatically, helping to lessen concerns about liability and enhance confidence in these programs. Finally, the DHS can work with sector-specific agencies to promote best-practice workshops on privacy protection, and encourage participation in the information sharing standards development process.”
- Automated indicator sharing. “Any successful information sharing program must depend heavily on the authentication of the individuals and organizations that participate, and on the validity and integrity of the shared information. CA Technologies has been working with the DHS and other industry partners to help enable a secure, automated exchange of information across a wide range of different organizations. In support of this, we recommend that the DHS continue to leverage key outreach and partnership programs to help organizations understand the technical and procedural steps they need to take in order to participate. Finally, we recommend that the DHS and the federal government continue to promote the STIX/TAXII protocols with global standards development organizations. Cybersecurity is a global challenge; sharing threat information across borders is critical to combatting global cybercrime.”
CA Technologies is available to speak further about this topic. Please call or email the press contact below.