CISA legislation would lift liability for businesses sharing cyber threat information

Privacy advocates still oppose it, and some gray areas remain for companies


A bill that encourages businesses to share threat intelligence with each other and with the government is closer to becoming law than it has been in years, now that it offers businesses near immunity from liability if the data they share is stolen and causes harm. Even so, such sharing is still fraught with problems.


The proposed Cybersecurity Information Sharing Act (CISA) doesn’t force anyone to participate in sharing, but it creates incentives for businesses to do so willingly, says Nathan Taylor, a partner in the law firm Morrison & Foerster, who is following the bill as it wends its way through Congress.

The Senate has approved a version of the bill, which must be reconciled with two versions already passed by the House, and then signed by President Obama before it becomes law.

If shared information is misused but the sharing complied with the law, meaning personally identifiable information was stripped out, or was stripped by an automated system that meets the law's requirements, the business that shared it is protected, Taylor says.

Threat intelligence sharing is considered a good thing by a broad range of security pros, who practice it in Information Sharing and Analysis Centers (ISACs) and in informal associations with trusted peers.


But sharing with a central government clearinghouse worries privacy advocates, who fear agencies such as the NSA will scoop up the shared data and somehow de-anonymize it, putting at risk the privacy of data that businesses were entrusted to keep, says Ari Schwartz, the former White House Senior Director for Cybersecurity, now Managing Director of Cybersecurity Services for Venable.

The Senate-passed version of the bill would put the Department of Homeland Security in charge of creating and maintaining a portal for submitting data, sorting it, deciding which other federal agencies ought to see it, and distributing it. DHS is a civilian agency, so it was a less divisive choice than, say, the CIA or the NSA.

Even so, if the law passes with its liability protections intact, it will make it harder for businesses to resist sharing. They could no longer argue that the risk of privacy lawsuits is too high, because the new law would override privacy laws for cyber-threat information sharing. “It’s harder to say no now,” he says. “You have to give information to get information.”

Heavily regulated industries such as telecommunications and healthcare worry about complying with privacy rules, he says. Yet given the major breaches at healthcare providers this year, that industry could benefit from exchanging threat information to identify and fend off attacks.

The bill leaves some gray areas. For example, what happens if a service provider monitoring a customer’s network detects cyber threat information? Can it share the information and be protected from liability? “I don’t think the issue is squarely addressed in the bill,” says Taylor. “I don’t think the bill was intended to trump a company’s ability to control its own service providers.”

The tech industry trade groups Computer and Communications Industry Association (CCIA) and Business Software Alliance (BSA) oppose CISA, saying it lacks privacy assurances and fails to limit the uses to which the shared information can be put. Apple, Salesforce, Twitter and Reddit are among the individual companies opposed. The bill is supported by the U.S. Chamber of Commerce.


Copyright © 2015
