Cybersecurity data sharing: you're doing it wrong

One aspect of cybersecurity that StopBadware routinely emphasizes as essential to collective defense against malware is data sharing. As we've pointed out in the past, there are few incentives favoring, and many opposing, the sharing of malware attack-related data among private ecosystem participants like ISPs and web hosting providers, which makes tackling malware threats collaboratively prohibitively difficult. Apparently, data sharing problems are on Congress's mind as well. Last week, the House Intelligence Committee considered and passed HR 3523, the Cyber Intelligence Sharing and Protection Act of 2011, one of Congress's most visible efforts to confront computer security issues, which specifically addresses the sharing of "cyber threat intelligence". Unfortunately, the bill's sponsors appear to perceive all forms of cyber threat intelligence -- everything from an RSA-style infiltration to a blind SQL injection -- as (a) presumptively classified and in desperate need of control and (b) something from which private companies like ISPs and web hosting providers need protection.

First off, it seems the height of ridiculousness to assert that the intelligence community requires Congress's special permission to share information with important private sector infrastructure companies (like telcos and ISPs) if it possesses information that demands action. Federal intelligence and law enforcement agencies already share malware and cyberattack information with private parties, and are certainly not statutorily barred from doing so; specifying a system of temporary security clearances presumes that the disclosure of much of such information will place the national security of the United States in jeopardy. So either the status quo is somehow a dangerous threat to our nation, or the bill's solution is in search of a problem.

Moreover, the bill fails to address the actual collective action problem at the core of malware data sharing. Because the bill allows companies to specify how malware data is shared with other private parties, the broader cybersecurity community, whose operations dwarf those of the federal government, need not be materially enriched in any way. In essence, the government seeks to establish a cybersecurity clearinghouse that need enrich only itself. The government should provide additional resources and tools to companies willing to make common cause with one another in the cybersecurity fight, not reward companies that share data -- which is very loosely defined by the bill, is exempt from the Privacy and Freedom of Information Acts, and may include PII and customer-created content -- with it and it alone.

Secondly, the bill takes the extraordinary step of immunizing all participating companies from any criminal or civil liability as a result of sharing information or failing to act on information they receive. Content providers like ISPs and hosting providers are already immunized for failure to take action on malware reports under section 230 of the CDA as courts have interpreted the law; further grants of immunity should be conditioned on at least a minimal standard of accountability for gross negligence in the handling of such data.

The Washington Post has reported that in response to objections from privacy advocates and concerns from the White House, the bill has been amended to include protections against coercive data sharing practices and oversight by the intelligence community Inspector General. It's a step in the right direction, but does little to cure the bill's other flaws, including facilitating sharing of irrelevant, private information and use of data submitted for purposes other than cybersecurity defense. While increased sharing of cybersecurity information within the Internet ecosystem is a laudable goal, Congress should seriously consider an approach that emphasizes data sharing within the private sector, and better protect the general public from abuse.