Could Costs Impede Info-Sharing Plan?Scrutinizing Obama's Cyberthreat Information Sharing Strategy
Small and mid-size businesses might not be able to afford participating in voluntary programs to share and receive cyberthreat information, as President Obama has proposed, industry representatives told Congress at a March 4 hearing.
Smaller companies - generally those with fewer than 1,000 employees that cannot afford to hire CISOs, buy tailored cybersecurity tools and furnish employees with customized IT security training - also would lack the funds to participate in new information-sharing efforts, Rand Corp. cybersecurity expert Martin Libicki told the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.
The hearing was convened to seek businesses' perspectives on Obama's cybersecurity information sharing plan, which, among other things, calls for is the creation of information sharing and analysis organizations, or ISAOs, industry-sponsored entities that would share cyberthreat information with the federal government and each other (see How New Information Sharing and Analysis Organizations Work).
Priced Out of the ISAO Marketplace?
No one knows how much ISAO memberships would cost, since the organizations have yet to be officially formed. Still, similarly fashioned information sharing and analysis centers, or ISACs, carry membership fees that many smaller organizations contend they cannot afford.
"ISAOs, laudable as they may be, are oriented toward organizations that can afford their membership fees; at $10,000 a year, most small- and medium-sized organizations are priced out of that market," said Libicki, senior management scientist at Rand. "Consider the likelihood that these ISAOs become the primary - or worse, exclusive - conduit for information sharing between the government and private organizations. If so - and in the absence of other mechanisms to share information with the broader public - the smaller organizations are going to be left out. Whatever advantage they reap from information sharing rests on the hope that the existence of ISAOs as conduits for shared information does not detract from paths more suited to smaller enterprises."
Other costs of the Obama plan could prove unaffordable for smaller businesses, too. For example, Obama's cyberthreat information sharing legislation would require businesses to strip personally identifiable information from data before it's shared. Such provisions could have "the small and midsize guys sit on the sidelines because they feel like they can't scrub personal information adequately or do it, at least, under the terms of any future bill," testified Matthew Eggers, U.S. Chamber of Commerce senior director for national security and emergency preparedness.
Mountain to Climb
That brought a response from subcommittee member Curt Clawson, R-Fla., who said it would be difficult to gain support for legislation that would financially penalize small businesses that participate in a voluntary program. "It just feels like a mountain to climb to get it just right where you don't make it so onerous that no one signs up," he said.
Another problem the Chamber has with Obama's proposal is that it doesn't provide sufficient liability protection to businesses to share cyberthreat information, especially with one another. The president's legislation, as reflected in Senate Bill 456 - introduced by Sen. Tom Carper, D-Del., limits liability protections to organizations that share data with only the Department of Homeland Security's National Cybersecurity and Communications Integration Center, known as NCCIC, or through ISAOs.
"These two protected avenues for sharing CTIs (cyberthreat indicators) are far too narrow and limiting and do not reflect the information-sharing relationships that businesses have built up over time, for instance, with DHS, the departments of Energy and Treasury, and law enforcement agencies," Eggers said. "Unlike CISA, businesses would not be protected under S. 456 when monitoring information systems and sharing or receiving countermeasures. The lack of safeguards in these area is a fundamental weakness of the White House proposal and S. 456."
CISA is the Cybersecurity Information Sharing Act, legislation introduced in the Senate last year that never came up for a vote on the chamber's floor (see Senate Panel OK's Cyberthreat Info Sharing Bill). Several lawmakers are drafting bills this year based on CISA.
Limits to Sharing Information
Regardless of the type of cyberthreat sharing bill that might get enacted, Libicki contended that information sharing has many limits, with shared cyberthreat information having questionable value in some instances. He pointed out that success in cyberthreat sharing relies, in part, on black-hat hackers generating a consistent set of signatures that recur in multiple attacks, are detectable and won't evolve significantly over time. But, he said, hackers often change their signatures to avoid detection.
Libicki drew an analogy with the anti-virus industry, whose model of gathering feedback from customers and sensors placed throughout the Internet has been foiled over the past five years by ever-shifting signatures and the practice of attackers testing malware against anti-virus suites before releasing them into the wild.
"Although threat-centric information-sharing deals with a broader range of indicators than anti-virus companies do," he said, "the same dynamic by which expensively constructed measures beget relatively low-cost countermeasures argues against being terribly optimistic about the benefits from pushing a threat-centric information sharing model."