CISA: Hope and Reality
Moderated by Chris Inglis, Venture Partner at Palladin, and former Deputy Director, National Security Agency, this panel took up "Implementing the Cybersecurity and Information Security Act (CISA): Challenges and Opportunities." CISA, passed in March of this year, was intended to make it easier for industry to share information with the Government, and deliberately stopped short of requiring such sharing. The panel discussed how this law has worked out so far.
Panelists included Michael Allen (Partner, Beacon Global Strategies), Chris Boyer (Assistant Vice President for Global Public Policy, AT&T), James Katavolos (Senior Vice President—Cyber Intelligence Center, Citibank), and James Touhill (Deputy Assistant Secretary of Cybersecurity and Communications, Department of Homeland Security).
Touhill (who yesterday was also announced as President Obama's choice for the newly created position of Federal CISO) described himself as the "captain of the cyber neighborhood watch," and therefore obliged to say, "If you see something, say something." He characterized a significant part of CISA's motivation as an attempt to facilitate the sort of culture of mutual aid and assistance we expect (and in some ways achieve) of one another as citizens facing ordinary crime.
Touhill, a retired US Air Force Brigadier General, didn't address his new role as Federal CISO. That role was created as one of the results of the Cybersecurity National Action Plan (CNAP). It also comes with funding: the Federal CISO will manage the Information Technology Modernization Fund (ITMF) whose $3.1 billion are intended to be used to wean the Government from its legacy IT systems.
Allen noted another goal of CISA. Recognizing that conventional exchange of intelligence often proved too slow to cope with rapidly moving threats, CISA envisioned a system of streamlined, machine-to-machine sharing. But, due in part to public reaction to the Snowden leaks, the system hasn't proved to be either as "fast or pure" as hoped. Still, Allen thought, the concept is being tested. There remain many skeptics—they note among other things a burden on small business to strip out PII, etc.—and many details remain to be worked out. He saw three issues with CISA's information-sharing system as it currently exists:
- A corporate cultural mindset that's "naturally disinclined to share information" with the US Government. "We have to assure them that they won't face regulatory blowback," and the Department of Homeland Security, to help this law succeed, should "absolutely live up to CISA's spirit and intent."
- It's got to be as easy as possible to join. "Err on the side of simplicity."
- The quality of the information being shared is often simply not good enough. The strength of the program implemented under CISA will lie in the value of the information industry receives.
AT&T's Boyer saw two aspects of CISA that are particularly important to the communication industry. The first is authorization—the bill authorizes companies to perform network monitoring and deploy measures to deter attack. This gives a clear and valuable legal framework for what communication companies do to promote cyber defense. The second aspect is CISA's information sharing component. A lot of private-to-private sharing predates CISA, but CISA now enables more private-to-private sharing. It does so by reducing some of the legal ambiguity of such sharing. He thought that the ultimate success of the information-sharing portal would come down to how that portal would add value.
Katavolos took the financial sector's response to DDoS attacks as an instructive example. A number of companies got together to share information through the ISAC, and this, he said, wound up diminishing the effects of the attacks. The ISAC worked because it was established, and trusted. It shared both context and threat indicators—context being particularly important to users. And it also shared defensive measures. All of this, Katavolos said, happened pre-CISA. CISA sought to scale this sort of sharing, and to do so most obviously through AIS, the Automated Indicator Sharing platform DHS has rolled out. But industry wonders, if the AIS is so wide open, can it really be trusted?
Establishing such trust has so far proven an obstacle to CISA's success: companies have to this point been reluctant to sign up for AIS.