Cybersecurity data sharing: you're doing it wrong

Posted on December 9, 2011 - 11:06 by imeister

One aspect of cybersecurity that StopBadware routinely emphasizes as essential to collective defense against malware is data sharing. As we've pointed out in the past, there are few incentives favoring, and many opposing, the sharing of malware attack-related data among private ecosystem participants like ISPs and web hosting providers, which makes tackling malware threats collaboratively prohibitively difficult. Apparently, data sharing problems are on Congress's mind as well. Last week, the House Intelligence Committee considered and passed HR 3523, the Cyber Intelligence Sharing and Protection Act of 2011, one of Congress's most visible efforts to confront computer security issues, which specifically addresses the sharing of "cyber threat intelligence". Unfortunately, the bill's sponsors appear to perceive all forms of cyber threat intelligence -- everything from a RSA-style infiltration to a blind SQL injection -- as (a) presumptively classified and in desperate need of control and (b) something from which private companies like ISPs and web hosting providers need protection.

First off, it seems the height of ridiculousness to assert that the intelligence community requires Congress's special permission to share information with important private sector infrastructure companies (like telcos and ISPs) if it possesses information that demands action. Federal intelligence and law enforcement agencies share, and are certainly not statutorily barred from sharing, malware- and cyberattack information with private parties already; specifying a system of temporary security clearances presumes that the disclosure of much of such information will place the national security of the United States in jeopardy. So either the status quo is somehow a dangerous threat to our nation, or the bill's solution is in search of a problem.

Moreover, the bill fails to address the actual collective action problem at the core of malware data sharing. By allowing companies to specify how malware data is shared with other private parties, the broader cybersecurity community, whose operations dwarf those of the federal government, need not be materially enriched in any way. In essence, the government seeks to establish a cybersecurity clearinghouse that need enrich only itself. The government should provide additional resources and tools to companies willing to make common cause with one another in the cybersecurity fight, not reward companies that share data -- which is very loosely defined by the bill, is exempt from the Privacy and Freedom of Information Acts, and may include PII and customer-created content -- with it and it alone.

Secondly, the bill takes the extraordinary step of immunizing all participating companies from any criminal or civil liability as a result of sharing information or failing to act on information they receive. Content providers like ISPs and hosting providers are already immunized for failure to take action on malware reports under section 230 of the CDA as courts have interpreted the law; further grants of immunity should be conditioned on at least a minimal standard of accountability for gross negligence in the handling of such data.

The Washington Post has reported that in response to objections from privacy advocates and concerns from the White House, the bill has been amended to include protections against coercive data sharing practices and oversight by the intelligence community Inspector General. It's a step in the right direction, but does little to cure the bill's other flaws, including facilitating sharing of irrelevant, private information and use of data submitted for purposes other than cybersecurity defense. While increased sharing of cybersecurity information within the Internet ecosystem is a laudable goal, Congress should seriously consider an approach that emphasizes data sharing within the private sector, and better protect the general public from abuse.

Obama administration supports cyber security month

President Obama recorded the following video (also available here) promoting National Cyber Security Awareness Month and reminding all Americans of our shared responsibility to keep the 'net safe.

In addition, Janet Napolitano, Secretary of Homeland Security, will be delivering a live webcast tomorrow (Tuesday, Oct. 20, 11 a.m. EDT) on the issue of cyber security and the role that the Department of Homeland Security is playing in this field. The webcast will be available from

Goldsmith: Govt. should set PC security standards

In a New York Times op-ed piece today, Harvard Law School Professor and Berkman Center Faculty Co-Director Jack Goldsmith called on the federal government to regulate consumer-level PC security:
Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems. They are also often the first place that adversaries go to steal credentials or identify targets as a prelude to larger attacks.
President Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network.
Obviously we at StopBadware agree strongly with the first paragraph. Rather than taking a position on the second, I pose these questions that would have to be answered about Prof. Goldsmith's policy recommendations:

  • Would computer security standards be based on technology (e.g., computers must have real-time anti-virus scanning), principles open to interpretation (e.g., computers must be kept updated with security fixes), or something else? In any case, who decides on these standards and how do we ensure that they are kept current and do not benefit the software industry more than they benefit national security?
  • If ISPs are expected to play gatekeeper, how do we build transparency and a fair, responsive appeals process into the system? What happens when an ISP blocks my connection because they think I'm sending spam, when in fact I'm operating a high-volume, opt-in mailing list?
  • If the government "jump-starts this education," who will actually provide the education? After all, blocking a user from the Internet because his computer is infected does not educate the user, it just creates a motivation for the user to become educated. Is the responsibility of helping the user to clean up and protect his PC the ISP's? The government's? StopBadware's? Or is the user just expected to be on his/her own?

These are not trivial questions, but there is precedent for answering all three successfully. Our Badware Guidelines have been a helpful tool in identifying applications that dip below a certain level of community expectations. Our independent review process keeps a check on our data partners' autonomous detection of badware websites. And our community and StopBadware security tips have proven a useful educational resource for website owners with compromised sites.
Despite these successes, there are many differences between Prof. Goldsmith's proposal and StopBadware's independent, voluntary system. And setting minimum security standards for computers is a different animal than setting behavioral standards for applications. It remains to be seen whether the questions above can be adequately answered within a system like the one described by Prof. Goldsmith.