CISA Review: Learning how to share

High-profile breaches at organisations such as Sony Pictures, Home Depot and the US Office of Personnel Management dominated the news in 2014 and 2015.

So, with today’s high degree of interconnectivity, it is no surprise that governments have made cybersecurity an integral part of their overall strategy against online fraud, potential cyberterrorism and criminal behaviour.

On 18 December 2015, President Barack Obama signed the US budget into law, and amongst its 2,000 pages was the US Cybersecurity Information Sharing Act (CISA) of 2015. The CISA aims to improve public and private cybersecurity efforts by allowing companies to share information about cyber threats with the U.S. government, and also to respond directly to some of those threats.

The Act is intended to make it easier for private businesses to warn the government about detected cyberattacks, and to pass on the indicators that reveal what attackers are doing now and what they are likely to try next.

Learning to share
In 2012, a malicious cyber group launched a major Distributed Denial of Service (DDoS) attack against Bank of America, JP Morgan, US Bank and Wells Fargo, among others. The attack flooded the banks’ public-facing online services with junk traffic, exhausting their capacity so that legitimate requests, such as money transfers and online bill payments, could not get through and customers were locked out of basic online banking services.

The attack was widely reported and later discussed by the affected companies in a panel of bank security executives at a cybersecurity symposium at the University of North Carolina at Charlotte. Tellingly, when recounting the event and its effect on their businesses, each institution had performed a different analysis and had observed different facets of the attack in real time.

The Bank of America representative described the sheer scale of the flood, BB&T the many locations from which the attack arrived, Wells Fargo how the attack code changed in real time, and so on. A combined picture would have let the banks tackle the problem faster and more easily, yet regulations prevented the attack information from being shared between them.

On the premise that defence is more effective when it is collaborative, the CISA now “allows entities to share and receive indicators and defensive measures with other entities or the federal government”, so that threats, remedies, analysis and best practices can circulate.

These “cyberthreat indicators” are the raw material of any system for repelling cyberattacks. Just as doctors look for the early signs of a disease, indicators of malicious computer activity (an attacker’s addresses, domains, file hashes or observed techniques) let an organisation put preventive measures in place and batten down the hatches before it is too late, and give it concrete clues to watch for when similar attacks recur.

Privacy Vs Security
Research conducted by the Pew Research Center on global threats last year showed that 34 percent of UK and 59 percent of US citizens are “very concerned” about cyberattacks. While voluntary information sharing between organisations to improve online defences appears to be the breakthrough we’ve been waiting for, the Act is still opposed by consumer groups and big technology names.

Major tech firms, such as Apple, Reddit and Twitter, share these concerns and argue that the CISA will make users more reluctant to hand personal information to companies, for fear that it will end up with the NSA, CIA or IRS. Questions also arise over how the government intends to store and, more importantly, secure all the information it collects, and what it will be used for.

The Act requires the government’s procedures to “limit the impact [of cyber-sharing behaviour] on privacy and civil liberties”, and requires entities to remove personal information they know is not directly related to a threat before sharing an indicator, but beyond that the specific protections are left to those procedures rather than spelled out in the text.
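The two ideas above, acting on shared indicators and stripping personal data before sharing onward, are easier to see in working code. The following Python is an added example, not code from the original article or from any organisation it mentions: a constructed indicator feed is matched against constructed proxy log lines, and the resulting sightings are aggregated into a report that carries only the indicator, a count and first/last-seen timestamps, never the internal client addresses or user names. The feed, the log lines and the field layout (`src=`, `user=`, `dst=`, `dstip=`, `sha256=`) are all assumptions made for illustration.

```python
"""Acting on shared cyber-threat indicators: match a feed against local logs,
then build a sighting report that omits personal data before it is shared on.

Added example, not code from the original article. The indicator feed, the
proxy log lines and the field layout are all constructed for illustration.
"""
import json
import re
from collections import defaultdict
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed indicator feed of the kind a partner bank or the government might
# share: (indicator type, value, short description).
INDICATORS: List[Tuple[str, str, str]] = [
    ("ipv4", "203.0.113.45", "command-and-control server"),
    ("domain", "update-check.example.net", "malware staging domain"),
    ("sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "dropper binary"),
]

# Constructed proxy log lines. Each carries the internal client address and the
# user name: exactly the fields that should not leave the organisation.
LOG_LINES: List[str] = [
    "2015-12-18T10:00:01Z src=10.0.0.12 user=alice dst=www.example.com dstip=198.51.100.7",
    "2015-12-18T10:00:05Z src=10.0.0.44 user=bob dst=update-check.example.net dstip=203.0.113.45",
    "2015-12-18T10:02:17Z src=10.0.0.44 user=bob dst=cdn.update-check.example.net "
    "dstip=203.0.113.46 sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2015-12-18T10:05:40Z src=10.0.0.9 user=carol dst=intranet.example.com dstip=10.0.5.5",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"dstip=(?P<dstip>\S+)(?: sha256=(?P<sha256>[0-9a-fA-F]{64}))?$"
)

# (timestamp, indicator type, indicator value, parsed log fields)
Hit = Tuple[str, str, str, Dict[str, Optional[str]]]


def index_indicators(indicators: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Group indicator values by type so each log field becomes a set lookup."""
    idx: Dict[str, Set[str]] = defaultdict(set)
    for kind, value, _desc in indicators:
        idx[kind].add(value.lower())
    return idx


def matched_domain(host: str, domains: Set[str]) -> Optional[str]:
    """Return the shared domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def find_sightings(log_lines: List[str], indicators: List[Tuple[str, str, str]]) -> List[Hit]:
    """Parse each log line and record every indicator it matches."""
    idx = index_indicators(indicators)
    hits: List[Hit] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # a line that does not fit the expected layout is skipped, not guessed at
        f = m.groupdict()
        if f["dstip"] in idx["ipv4"]:
            hits.append((f["ts"], "ipv4", f["dstip"], f))
        d = matched_domain(f["dst"], idx["domain"])
        if d is not None:
            hits.append((f["ts"], "domain", d, f))
        if f["sha256"] and f["sha256"].lower() in idx["sha256"]:
            hits.append((f["ts"], "sha256", f["sha256"].lower(), f))
    return hits


def build_sighting_report(hits: List[Hit]) -> Dict[str, Dict[str, Any]]:
    """Aggregate hits per indicator into what a partner actually needs: the
    indicator, how often it was seen and when. Internal source addresses and
    user names are deliberately not copied across."""
    report: Dict[str, Dict[str, Any]] = {}
    for ts, kind, value, _fields in hits:
        entry = report.setdefault(value, {"type": kind, "count": 0, "first_seen": ts, "last_seen": ts})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO-8601 strings sort chronologically
        entry["last_seen"] = max(entry["last_seen"], ts)
    return report


def leaks_personal_data(report: Dict[str, Dict[str, Any]], hits: List[Hit]) -> bool:
    """Pre-share check: does the serialised report contain any internal address
    or user name that appeared in the matched log lines?"""
    blob = json.dumps(report)
    private = {f["src"] for *_, f in hits} | {f["user"] for *_, f in hits}
    return any(p in blob for p in private if p)


if __name__ == "__main__":
    sightings = find_sightings(LOG_LINES, INDICATORS)
    rep = build_sighting_report(sightings)
    print(json.dumps(rep, indent=2))
    print("safe to share:", not leaks_personal_data(rep, sightings))
```

Two design points matter here. The match on domains is a suffix match, so a sighting of `cdn.update-check.example.net` still counts against the shared `update-check.example.net` indicator; and the report is built from the indicator side, not the log side, so the only way personal data can reach a partner is if someone adds a field to the report on purpose. The final check is a cheap guard against exactly that mistake.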

So, is the CISA good?
Failing to share information between entities, particularly in the financial industry, stops both private and governmental bodies from protecting themselves as effectively as they could. The recognition of this is worldwide.
In the UK, the Cybersecurity Information Sharing Partnership (CiSP) has existed since 2013 to increase overall situational awareness of the cyberthreat and so reduce its impact on UK business. This joint industry and government initiative allows members from across sectors and organisations to exchange cyberthreat information in real time, in a secure, dynamic environment that protects the confidentiality of what is shared.

The CiSP does not appear to have made individuals in the UK more reluctant to share their information with companies. Meanwhile, the European Commission has adopted a new directive that will lead to far greater sharing of consumers’ electronic-payment information, bringing significant benefits to the ecosystem, and no widespread consumer reluctance has surfaced, which suggests that any such worries may be overstated.

The new EU Payment Services Directive (PSD2) will bring about significant changes to the European payments landscape. It makes access to accounts a key driver for opening the market to new entrants, allowing account information service providers (AISPs) to aggregate information from various accounts into one portal. In this environment participants share customer data with each other, once explicit consent has been granted, in a secure, automated fashion.

So, under PSD2, consumers will potentially share far more of their information with companies, but they will benefit from the increased security the Directive puts in place. For instance, PSD2 requires Payment Service Providers (PSPs) to apply strong customer authentication, in practice multi-factor authentication, when consumers access their accounts online or initiate electronic payments.

The CISA may not be perfect: details still need to be added on what the government will treat as cyberthreat indicators, on sharing and storage procedures, and on the kinds of information that still cannot be shared under existing privacy laws. But it is definitely a step forward in the fight against fraudsters and hackers.

In the meantime, consumers cannot wait. While governments and regulators react and put defensive measures in place against the current threats to keeping information safe, consumers will find it difficult to trust companies with their data, especially financial and banking details.

Tech companies, such as myPINpad, are stepping in to fill the gap, countering the resourcefulness of cybercriminals and the constant stream of new attacks and malicious software in order to build and maintain consumers’ trust.

The threat of cyberattacks is a real and omnipresent danger to the financial services sector and to other critical infrastructure providers.

Maintaining high security levels, investing in IT security and being able to fight security threats quickly and effectively is a must for every business, regardless of size or sector. Having the right security systems in place to protect data against breaches has never been more important.