What it takes to protect the nation’s critical infrastructure and data

The Cybersecurity Act of 2015 is underway, but additional clarity is required if organizations are to participate in this important cyber threat info-sharing program.

Last week I had the honor of testifying as an IT industry representative before the U.S. House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.

I shared with the committee insights and views on what it will take to increase industry participation in cyber threat information sharing programs authorized under the Cybersecurity Act of 2015.

There are no organizations more supportive of protecting our nation’s critical infrastructure information systems than companies in the IT industry. And the elements within the Cybersecurity Act 2015 put forward substantial measures for protecting our country and its citizens.

The Department of Homeland Security, with whom we work closely, has implemented important aspects of the Act under tight deadlines. But there is more to do.

To share or not to share

We know, based on recent and past events, that information sharing can only help our security posture. The DHS Automated Indicator Sharing Program (AIS) is designed to enable the government and the private sector to exchange cyber threat indicators in close to real time.

This information helps organizations mitigate the effects of cyber attacks as they unfold, and target defenses against newly discovered cyber threats. Think of it as zero-day defense enablement.

Organizations want to participate in a program like this; they see the value it can afford their businesses and operational defenses through collaboration. But in order to increase participation, a few key items are required:

  1. Trust in the automated system. Ultimately, for the AIS program to work, participants will need to have trust in the system. Therefore, it is crucial to authenticate users that share or receive information under the AIS program. For example, DHS must be able to confirm that a participant sharing information is a real entity, not a front for hackers. In addition, participants will need greater certainty that the data being shared and received under the program is valid.
  2. Clarity on liability protections. Organizations will want assurances that they are facing no additional liability risks for participating in this program. Participants will be receiving a wealth of data under this program. It will be helpful to provide more clarity on liability protections for organizations that take good-faith actions based on the data they receive, and on what the liability protection is if they choose not to take action based on the data shared.
  3. Parameters around privacy and personally identifiable information. This item may be the most critical of all, and also the hardest to achieve. A clear definition of what privacy and personally identifiable information (PII) means – what it is and any special circumstances around it – must be established. We live in a global, application economy. Businesses around the world engage with consumers from other countries every day, and we want to ensure that we are properly protecting the personal data of these global customers. This is a significant challenge as new regulations unfold in regions around the world (GDPR, Privacy Shield, etc.) with varying parameters around privacy and PII.


Last week DHS released updated guidance around the Act that further addressed the liability issue, particularly where sharing information between private entities is concerned.

We are encouraged and look forward to working further with DHS on this security initiative that affects every single citizen in the U.S. and abroad.


Mo Rosen is the general manager for the cybersecurity business at CA Technologies. He joined…
