Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Security experts mostly critical of proposed threat intelligence sharing bill

Maria Korolov | Sept. 11, 2015
This fall, the Senate is expected to take another look at the Cybersecurity Information Sharing Act, or CISA.

"I haven’t heard of any security experts supporting the bill," he added. "Those who support it either don’t know that much about threat intelligence sharing or they don’t know enough about the bill."

Clumsy and ineffective

Meanwhile, when it comes to actually improving security, CISA is so badly written that it won't do any good, experts say.

"Privacy issues aside, it will be totally ineffective for a variety of reasons," said Jason Polancich, founder and chief architect at Sterling, Va.-based SurfWatch Labs. "The biggest reason is the issues being legislated around are not at all understood by Congress. Information sharing is difficult -- there isn’t one model that works for everybody and our government is simply not equipped to move as fast as the cybercriminals are moving now."

CISA will be a waste of time and taxpayer money, he added.

"CISA requires little to nothing in terms of actual security protections," said AlienVault's Manoske. "In fact, in a particularly comical oversight, the lack of a listed reporting standard means that threat indicators reported in CISA will require organizations to manually sift through indicators -- arbitrarily introducing a time delay."

In fact, CISA might even create new security problems, said Ben Johnson, chief security strategist at Bit9.

"The fact that a lot of private and personally identifiable information could be shared sets up yet another lucrative target for cyber attackers," he said.

Several security experts pointed out that the federal government doesn't exactly have a good reputation at protecting data.

The recent breach of the Office of Personnel Management "showed everyone how porous and vulnerable our government networks are," said Ron Gula, CEO at Tenable Network Security. He suggested that what we need is more information about security practices at federal agencies.

Another problem with the bill is that some of the amendments added on to make it better actually make it worse.

For example, one amendment is intended to help prosecutors take down botnets, but does a bad job at explaining just what a botnet is.

"A overzealous prosecutor could use it to target any behavior that the government didn't like," said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint. "That includes many examples of legitimate peer-to-peer software."

There's already sharing going on

There are already more than a dozen Information Sharing and Analysis Centers, for aviation, defense, finance, IT, healthcare, energy, real estate, education, transportation, and other industry sectors.

"Given the number of ISACs being formed, I'm also concerned with whether an information sharing bill is really needed," said Todd Inskeep, advisory board member at the RSA Conference. "There is already a tremendous amount of information sharing across corporations and with the government. It’s not clear there's a real need for new rules."


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.