On Tuesday January 13th, 2015, the White House published several legislative proposals concerning cybersecurity. The purpose of one of the initiatives is to “codify mechanisms for enabling cybersecurity information sharing between private and government entities, as well as among private entities, to better protect information systems and more effectively respond to cybersecurity incidents.” How should Americans think about this proposal?
Cybersecurity Information Sharing
In my March 20, 2013 testimony to the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on “Cyber Threats from China, Russia and Iran: Protecting American Critical Infrastructure” I stated that accurate and timely threat intelligence is often unavailable. Without an effective framework for sharing information among commercial entities, and between corporate America and the government, cyber defenders are deprived of one of the most valuable resources in detecting and responding to attacks.
Subsequently, I argued that the government should promote policies that encourage sharing threat intelligence between the private sector and government and among private sector entities. Threat intelligence does not contain personal information of American citizens, and privacy can be maintained while learning about threats. Intelligence should be published in an automated, machine-consumable, standardized manner.
The stated purpose of the information sharing proposal shows many paths for sharing data:
- From the private sector to the government;
- From government to the private sector; and
- Within the private sector.
Critics have voiced concerns, especially with the first form of data sharing. They appear to be worried that the private sector will transform itself into an apparatus for Internet-wide surveillance. Whether this will happen or not depends in part on the nature of the shared data.
Cyberthreat Indicators and Personal Data
The White House proposal defines the information to be shared as a “cyber threat indicator”:
“The term `cyber threat indicator’ means information —
(A) that is necessary to indicate, describe or identify–
(i) malicious reconnaissance, including communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cyber threat;
(ii) a method of defeating a technical or operational control;
(iii) a technical vulnerability;
(iv) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system inadvertently to enable the defeat of a technical control or an operational control;
(v) malicious cyber command and control;
(vi) any combination of (i)-(v).
(B) from which reasonable efforts have been made to remove information that can be used to identify specific persons reasonably believed to be unrelated to the cyber threat.”
By this definition, it is not clear how the critics’ privacy concerns match the sort of information defined as a cyberthreat indicator. The second type of data sharing, from government to private sector, may shed light on the form this information might take. Should the private sector encounter a new attack vector or tool, the discovering entity may wish to share what it finds with the government. So what does this data look like?
In early December 2014, Shaun Waterman, cybersecurity editor for Politico, published an unclassified bulletin that was released by the FBI on December 1, 2014. The document provides technical details on destructive malware, and features the sort of threat intelligence covered by the White House proposal. For example:
“The malware has the following characteristics:
Size: 268579 bytes (262.3 KB)
PE Compile Time: 2014-11-22 00:06:54
Language pack of resource section: Korean
The original filename of this file is unknown, but it was likely “diskpartmg16.exe”. This file serves as a dropper. It drops destructive malware, “igfxtrayex.exe”. When the dropper file was executed, it started a second instance of itself with “-i” as an argument, then terminated…
The “-s” instance dropped and executed “igfxtrayex.exe”, created “net_ver.dat”, and began generating network traffic over TCP ports 445 and 139 to victim IP addresses.
The following files were added:
C:\Documents and Settings\User\Desktop\igfxtrayex.exe
The following strings of interest were in this dropper file:
– – – BEGIN STRINGS – – –
These sorts of cyberthreat indicators should not trigger privacy concerns, whether shared between the private sector and the government or within the private sector. They do not contain any information about American persons. Furthermore, the proposal includes privacy protections to “reasonably limit the acquisition, interception, retention, use and disclosure of cyberthreat indicators that are reasonably likely to identify specific persons.” However, as demonstrated above, technical details are unlikely to reveal personal data.
Avoiding Privacy Concerns
Cases which might reveal information on U.S. persons, and which therefore should be removed from cyberthreat indicators, include the following:
• Details of compromised accounts of U.S. persons: For example, cyberthreat indicators should not include names, email addresses or other personally identifiable information (PII).
• Details created by intruders which hint at PII of U.S. persons: For example, an intruder might create a computer domain record called “i-hacked-john-doe-012-34-5678.hacked-company-name.com.” Revealing a U.S. person’s name and Social Security Number when sharing information with the government should be prohibited.
• Personal information stolen from U.S. persons: If an intruder steals the contents of a U.S. person’s cloud account or computer hard drive, the private sector entity hosting that data should not be allowed to provide that information to the government.
Private Sector Worries
In addition to information on new attack vectors or tools, private sector entities may wish to report that they have been compromised by various malicious parties. Many private sector organizations refrain from contacting law enforcement or government agencies for fear of exposing sensitive internal information. To address these concerns, the White House proposal features a section on limited liability that restricts punishing entities for voluntary disclosure or receipt of a cyberthreat indicator.
Similarly, private sector entities fear that if they disclose security incidents to the government, they could be penalized. Accordingly, the White House proposal prohibits the use of cyberthreat indicators in any regulatory enforcement action.
Once the private sector understands that sharing data with the government will not, by itself, expose it to regulatory enforcement, compromised entities may be more willing to approach government agencies.
Why Are Cyberthreat Indicators Needed?
Based solely on the above FBI bulletin on destructive malware, one might reasonably conclude that there is no need for the White House information sharing proposal. And in fact, for the case where the government provides cyberthreat indicators to the private sector, the bulletin is a persuasive case against the proposal. The bulletin demonstrates that it is possible for government entities to provide threat intelligence to the private sector. Unfortunately, the format – human readable text in a Portable Document Format (PDF) file – fails to live up to the expectations I laid out in my 2013 testimony. (For an example of formats to share threat intelligence in machine form, see www.openioc.org. For free options for access to threat intelligence, see intel.criticalstack.com.)
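As an added example (not code from this post, the FBI, or the OpenIOC project), here is a Python sketch that does the two things the text asks for: it turns "Field: value" lines like those in the bulletin into a machine-consumable record, and it applies the scrubbing the "Avoiding Privacy Concerns" section calls for before the record is shared. The sample report, the field names, and the `known_persons` list are constructed assumptions.

```python
import re

# Constructed sample in the style of the FBI bulletin quoted above, plus
# hypothetical PII-bearing artifacts of the kinds the page says to remove.
SAMPLE_REPORT = """\
Size: 268579 bytes (262.3 KB)
PE Compile Time: 2014-11-22 00:06:54
Dropped file: C:\\Documents and Settings\\jdoe\\Desktop\\igfxtrayex.exe
Network: TCP ports 445 and 139
Attacker domain: i-hacked-john-doe-012-34-5678.hacked-company-name.com
Compromised account: john.doe@hacked-company-name.com
"""

# (pattern, replacement, label) for PII that must not leave with an indicator.
PII_RULES = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]", "email"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]", "ssn"),
    (re.compile(r"(?i)([A-Z]:\\(?:Users|Documents and Settings)\\)[^\\]+"),
     lambda m: m.group(1) + "[USER]", "user_dir"),
]


def scrub_value(value, known_persons=()):
    """Redact PII from one field value; returns (clean_value, redaction_labels)."""
    labels = []
    for pattern, repl, label in PII_RULES:
        value, n = pattern.subn(repl, value)
        if n:
            labels.append(label)
    # The reporting organisation knows its own affected users' names, so they
    # are passed in explicitly (assumption) rather than guessed from free text.
    for person in known_persons:
        value, n = re.subn(re.escape(person), "[PERSON]", value, flags=re.IGNORECASE)
        if n:
            labels.append("person")
    return value, labels


def to_indicator(text, known_persons=()):
    """Parse 'Field: value' lines into a dict; return (indicator, per-field audit)."""
    indicator, audit = {}, {}
    for line in text.splitlines():
        if ": " not in line:
            continue  # narrative lines such as "The following files were added:"
        key, val = line.split(": ", 1)
        clean, labels = scrub_value(val.strip(), known_persons)
        indicator[key.strip()] = clean
        if labels:
            audit[key.strip()] = labels
    return indicator, audit
```

The audit dict tells the sharing organisation which fields were altered, so a reviewer can confirm that the "reasonable efforts" the proposal requires were actually made before the indicator leaves the building.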
The proposal likely includes government-to-private sector sharing as an incentive for private sector-to-government sharing. It is no surprise that the government wants to better understand the nature of threats and breaches affecting the private sector. However, the government does not want to infringe the privacy of American organizations by conducting widespread Internet surveillance. Therefore, the government provides liability and regulatory incentives to encourage voluntary reporting by the private sector.
The government includes language about private-to-private information sharing to remove the threat of prosecution for cartel-like behavior. The White House proposal cautions that it does not “permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting or exchanges of price or cost information, customer lists, or information regarding future competitive planning.”
However, by including private-to-private sharing within its scope, the proposal may address the private sector worry that simply meeting with other companies is an anti-competitive behavior.
Will Information Sharing Work?
The biggest question is whether this information sharing proposal will contribute to the stated purpose, namely “to better protect information systems and more effectively respond to cybersecurity incidents.” In this case, an example from business sales is instructive. Threat intelligence, in some ways, is like a set of qualified sales leads provided to two companies. The first has a motivated sales team, polished customer acquisition and onboarding processes, authority to deliver goods and services, and quality customer support. The second business has a small sales team, or perhaps no formal sales team. Its processes are broken, and it lacks authority to deliver any goods or services, which in this second case aren’t especially valuable.
Now, consider what happens when each business receives a bundle of qualified sales leads. Which is going to make effective use of a list of profitable, interested buyers? The answer is obvious, and there are parallels to the information security world. A company with a mature defensive posture, focused on incident detection and response, and empowered to protect the enterprise can make excellent use of threat intelligence. This first entity will enjoy faster identification and removal of cyberthreats, thereby benefitting from the government’s provision of threat intelligence. A company with little to no security, focused only on its core business functions, is not going to put threat intelligence to effective use. Until the second company invests in sound defensive strategy, processes, people and technology, no amount of information sharing will help it.
To this end, private sector organizations should focus first on improving their own defenses before expecting that government assistance will mitigate their security problems.