(Listen to an interview with the writer about “Cyber Threats and the Problem of Sharing” in a new episode of CFO Podcasts.)
Long-running tensions between corporate defenders of data privacy and the federal government are heating up — or cooling down, depending on your point of view.
In a case with arguably national implications, a lengthy legal battle between lawyers representing the Obama administration and Apple came to a head on February 16, when a federal judge ordered Apple “to build a backdoor to the iPhone,” in the words of Tim Cook, the company’s chief executive. The judge ordered the company to supply FBI investigators with access to encrypted data on the iPhone of one of the shooters in the San Bernardino, California, attacks that killed 14 people in December.
“Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation,” Cook wrote in an open letter on the day of the ruling. Contending that the ruling sets a “dangerous precedent” that could provide the government with “the equivalent of a master key” unlocking the encrypted business and personal data of mobile phone users, the Apple CEO wrote that his company opposed the order, “which has implications far beyond the legal case at hand.”
Many observers believe that the battle over iPhone data marked the opening skirmish in a debate on the tradeoffs between data privacy and national security. But in December 2015, President Obama signed into law an act that its proponents say offers a framework for resolving a debate on a related matter: the ability of companies to share information about cyber threats with each other and with the federal government.
Despite a widely held assumption that businesses can better defend themselves against hackers collectively than they can alone, many companies have been wary of revealing data about potential attacks to their peers or governmental bodies. One reason is the risk of inadvertently divulging trade secrets. And even if they’re able to keep their intellectual property secure, companies worry about accidentally exposing their customers’ personal information and fear being hit with antitrust charges for erroneously sharing pricing information with competitors.
Enter the Cybersecurity Information Sharing Act of 2015. A good six or seven years in the making, CISA enables companies to voluntarily share facts and data about impending cyber threats with the federal government and with other companies. If they properly scrub their data of personally identifiable information that’s irrelevant to the threat, they’ll be immune from certain liabilities and won’t be charged with violating antitrust laws.
The act “helps to resolve some of the lingering privacy and regulatory issues that may have inhibited some companies from engaging in sharing of cybersecurity information,” says Ed McNicholas, a law partner at Sidley Austin. “But I think the real benefit that you’ll see for cybersecurity is that because more companies will start sharing more information, we will see a stronger defensive network spring up, and that will lead to more cybersecurity,” he adds.
The rules of how CISA will work still have to be developed under the auspices of the act’s primary administrator, the Department of Homeland Security (DHS). Some lawyers say definitions of terms in the law such as “cyber threat indicator” and “cybersecurity” need more specifics.
Further, even though the act is voluntary and contains a number of barriers to excessive government prying, the privacy concerns of Apple and other information technology organizations that held up the law for years don’t seem to be going away any time soon. In short, a full picture of the benefits and risks for corporations in the sharing of cybersecurity information is a long way from completion.
Coordinating a Defense
Nevertheless, the case for mounting a widely coordinated corporate defense against cyber attacks has grown more compelling as the coordination of hackers and the scope of hacking has grown. “It’s been a problem for cybersecurity defense in corporate America that the attackers are often more organized,” says McNicholas, noting that hackers now share information and techniques and make use of entities that finance their operations and create markets for stolen information.
“The attackers are organized,” he adds. “The defense has not been as organized.”
One of the most important hoped-for advantages of coordinated corporate information sharing is that it will significantly cut response times to cyber attacks, which can often proceed undetected for months. In 2014, for example, the median amount of time that hackers were present on a victim’s network was 205 days, according to a report based on the cybersecurity investigations of Mandiant Consultants.
To be sure, that represented a decrease in days from 229 in 2013 and 243 in 2012. But the worst-case scenario still represents a corporate nightmare. “Breaches can go undetected for years,” declared a press release on the report. “In an extreme case, one organization that Mandiant responded [to] in 2014 had been breached for over eight years unknowingly.”
Indeed, despite considerable advances in computer threat detection, the notion that hackers can lurk undetected on a company’s network for as long as six months suggests the “enormous potential damage” corporations face if they’re attacked, according to Matt McCabe, a senior vice president in the cyber practice of Marsh, the big insurance broker.
But another company may pick up signals of an attack in progress earlier than the company that’s being hacked. And if it can freely share such threat information with the company under attack, a great deal of damage presumably could be averted. “From a CFO’s perspective, if I can detect and mitigate that threat within weeks instead of months — maybe within days instead of weeks or months — I have a real chance to preserve the value of my company,” says McCabe.
The ISAC Model
Working on such assumptions, companies have been sharing information on cyber threats since long before CISA, although on a much more limited basis than what’s envisioned under the act. In particular, the activities of Information Sharing and Analysis Centers (ISACs) have provided a model for companies to share cybersecurity information amicably and without fear of revealing trade secrets, experts say.
In a typical ISAC, a group of the chief information security officers and other information security operatives within a given industry share information on a secure online portal and periodically meet in person, according to McNicholas. “It’s a way that the companies can interact with each other and with the government in a secure manner, dealing with people who are known and trusted,” he says.
“This also allows the government to vet the people who are involved so that you don’t have a rogue element get into the middle of the ISAC, which would be in no one’s interest,” he adds.
Created under a presidential directive in 1998 and updated in 2003 to reflect the involvement of the recently formed DHS, the ISACs are nonprofit, sector-specific groups of companies that share information about cyber threats and physical threats. Currently, the 24 centers include ones coordinating the efforts of the retail, real estate, electricity, water, and — most notably — financial services industries.
Formed in 1999 and funded by its member companies, the Financial Services ISAC is widely regarded as the most firmly established of the centers. “The FS-ISAC gathers threat, vulnerability, and risk information about cyber and physical security risks faced by the financial services sector around the world,” the group’s website states. “After analysis by industry experts, alerts are delivered to participants based on their level of service.”
What that means is that an employee of a center member can create a notification profile on the FS-ISAC website that identifies specific areas of interest or receives all alerts. The alerts describe the threat or vulnerability, its severity, and recommended solutions.
The sources for the alerts include vendors, academics, community emergency response teams, and government and law enforcement agencies. “However,” FS-ISAC says in boldface on its website, “it is a one-way flow of information: NO government agency of any type or law enforcement agency has any access to member-submitted events without prior approval of the submitting financial institution.”
CISA, however, does not appear to mention prior or written approval for government access to company information, although the act aims to “incorporate” the existing processes, roles, and responsibilities of ISACs. Nor, apparently, does the law address how a company can indicate that it’s volunteering to participate under the act. That will likely have to wait until the DHS rolls out its final CISA policies and procedures, which it is required to do no later than May.
Through their participation in ISACs, many companies have already seen such benefits as the ability to communicate with “companies in the Internet ecosystem that have a higher perch, that can see broader traffic patterns,” says McNicholas.
For instance, by picking up and sharing information from Internet service providers that provide Web access to wide geographic areas, ISAC members can detect many more threats than they could on their own. “ISPs can see traffic going across the network and can spot patterns of malicious traffic and isolate it faster than individual companies can,” McNicholas notes.
“Likewise, individual companies that might be hit by a particular piece of malware have often found it useful to compare their experiences with others in the industry and frequently discover that others in the industry have had the same problems,” he adds.
Holding Back
Outside the realm of ISACs, two cybersecurity firms are joining together to share information in the hopes of providing their clients with a more comprehensive defense against hackers. In January, Proofpoint, a firm that sifts through corporate emails to catch hackers, and Palo Alto Networks, which builds firewalls, launched a partnership in which they would be “sharing data in real time” to make each of their products more effective, says Paul Auvil, Proofpoint’s CFO.
Neither firm’s product is “infallible,” Auvil explains. “You need a combination of knowledge about the email sender and about the network URL link to effectively identify and block an attack.”
Yet while such targeted approaches may be paving the way for cyber-information sharing across the economy, companies have been holding back from that final step for two legal reasons: the fear of being sued for mishandling cyber-threat information, or being charged by the government for price fixing.
CISA appears now to have removed those final barriers. If companies comply with its provisions, the law forbids lawsuits against companies based on their monitoring of information systems or sharing indications of a cyber threat.
Under its section on antitrust exemptions, the law also states that “it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes.”
Yet, while those advantages seem clear enough, actual technical and legal compliance with certain provisions of the act may end up being a hard slog. One sticking point in particular may be “the removal of certain personal information before it’s shared with other entities,” according to Stephen Lilley, an associate at law firm Mayer Brown.
For one thing, a company must determine what a “cyber threat indicator” is within the meaning of the law — a definition that’s already giving some attorneys fits. And then it must remove “any information not directly related to a cybersecurity threat that the entity knows at the time of sharing to be personal information,” according to the act.
“Companies will need to think quite carefully about how they go about removing personal information consistent with the bill,” says Lilley.
The company won’t need to remove that information if the information is directly related to a cybersecurity threat, however. For example, if companies have identified a malicious file and the malicious file can be identified by a filename that’s the name of an actual person, they won’t have to remove that name, according to the attorney.
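As an added illustration (not part of the article or of any statutory guidance), the following Python filter applies the rule just described before an indicator record leaves the company: known personal-information fields unrelated to the threat are dropped, e-mail addresses embedded in free text are masked, and the indicator itself is kept even when it looks personal. The field names, the list of personal-information fields and the sample record are assumptions constructed for the example.

```python
import re
from copy import deepcopy

# Assumption: fields the sharing party treats as directly related to the threat.
THREAT_FIELDS = {"indicator_type", "sha256", "filename", "c2_domain", "first_seen"}

# Assumption: fields known to carry personal information unrelated to the threat.
PERSONAL_FIELDS = {"affected_user", "employee_email", "home_address", "phone"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrub_indicator(record: dict) -> tuple:
    """Return (scrubbed_copy, removed_field_names).

    Rule applied: remove personal information the sharer knows is not directly
    related to the cyber threat; retain values that *are* the indicator, even if
    they look personal (e.g. a malicious file named after a real person).
    """
    out = deepcopy(record)  # never mutate the internal record
    removed = []
    for key in list(out):
        if key in THREAT_FIELDS:
            continue  # the indicator itself stays as-is
        if key in PERSONAL_FIELDS:
            removed.append(key)
            del out[key]
        elif isinstance(out[key], str) and EMAIL_RE.search(out[key]):
            # free-text notes may embed addresses: mask rather than drop the note
            out[key] = EMAIL_RE.sub("[email removed]", out[key])
    return out, removed


# Constructed sample: a malicious attachment named after a fictional person.
SAMPLE = {
    "indicator_type": "file",
    "sha256": "0" * 64,  # placeholder, not a real hash
    "filename": "Jane_Doe_invoice.doc.exe",
    "c2_domain": "example.invalid",
    "affected_user": "jdoe",
    "employee_email": "jane.doe@example.com",
    "notes": "Opened by jane.doe@example.com on a finance workstation.",
}

if __name__ == "__main__":
    shared, dropped = scrub_indicator(SAMPLE)
    print("dropped:", dropped)
    print("to share:", shared)
```

The filename survives because it is the indicator; the user-account and e-mail fields are dropped, and the address inside the note is masked.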
While cyber-information sharing is now the law of the land, one can sense fresh objections arising from the likes of Tim Cook about the ability of companies to reveal personal information, even when it’s tied to a threat to cybersecurity. Will that lead to charges that a corporation has violated someone’s privacy rights? Stay tuned.
