Cybersecurity: Legislation

The New White House Information Sharing Executive Order

By Paul Rosenzweig
Wednesday, February 18, 2015, 8:30 AM

Last Friday, as part of the Cybersecurity summit at Stanford, President Obama announced a new information sharing initiative, and issued an Executive Order that was tied to the initiative.  The EO will, in the end, do some modest good, but not nearly enough to really stem the tide.  Put prosaically, my best sense is that had this order been in place and fully implemented last year, it would have done nothing to help Sony avoid the North Korean hack of which it was a victim.

You know that a policy is more hortatory than directive when it begins from the premise that DHS is supposed to "strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs)."   I suppose that is better than just "encourage" or "weakly encourage" but still .... it's just a good idea, not something that can be forced upon anyone.  And therein lies the main rub.  The private sector has said, over and over again, that it sees legal barriers to information sharing.  These range from liability risks to fear of running afoul of privacy laws.  The Obama Administration can't get rid of those problems through an Executive Order, and until it does, all of the "strong encouragement" in the world will fall on deaf ears.  Legislation is required -- and it is mired in conflict in Congress.

More promising is the ISAO Standards Organization contemplated in section 3 of the EO.  It is a commonplace in the domain that one of the barriers to sharing is that everyone does it differently.  One of the unsung efforts by DHS and US-CERT has simply been to try to get everyone on the same page as to formatting and protocols so that information sharing can happen seamlessly and in an automated fashion.  By setting up such a standards organization the Administration is, wisely, hoping to bring everyone to a procedural consensus.  And by insisting that the standards be set by an NGO they are also a) limiting the fear of government control and b) reducing the profit-based monopolistic impulse.   Since the idea is close to something I wrote about several years ago, I have a soft spot in my heart for this aspect of the EO.

Another positive step in the EO is its decision to designate DHS as the central point within the US government for working with the ISAOs.  For years there has been some debate about whether it is better to have this central point at DHS or at NSA.  And, candidly, there are good reasons to be concerned that DHS may not have the capability to do the job well.  But in the end, the network is a mostly civilian enterprise and it is far better to have a civilian government agency as the locus for USG interaction.  The right answer is to improve DHS capabilities to get the job done.

Finally, though I have written positively about the value of information sharing in the past, I am increasingly coming to the view that perhaps all of the effort to enhance the use of ISAOs is a bit of a distraction.  The more sophisticated forms of APT attacks are unlikely to be materially deterred by information sharing.  Information sharing, after all, is about widely dispersing the signatures of an attack -- protocols used; IP address blocks; etc.  But higher level APT-type attacks are one-offs.  They have no pre-existing signature.  Whether we are talking about the recently disclosed attacks by the Equation Group; the recent $1 billion bank heist; or last year's Sony hack, the one thing they all have in common is that information sharing probably wouldn't have helped in the least.  In fact, there is at least some suggestion that we can have TMI in information sharing.

So, I'm left to wonder about this effort at a broader level.  Of course, sharing information will be good.  It will help eliminate the minor criminals who are replicating old attacks and take some of the hay off the haystack.  But it is passing strange that the hallmark of the Administration's effort AND the locus of almost all the fight in Congress (see last year's debate over CISPA and CISA) is a sidelight to the depth of the real problems.

Bottom line:  The EO will help a bit -- especially with its standard setting initiative.  But it is no panacea.