Monday, January 4, 2016

Security through sharing

On December 18, 2015, President Obama signed off on the 2,000 plus page omnibus budget bill, that amounted to spending $1.8 trillion in a combination of government allocation and tax breaks. Among the items packed into this gargantuan package is the Cybersecurity Act of 2015, also known as the Cybersecurity Information Sharing Act (CISA). Set to stay in effect until September 30, 2025, it's a bill that will keep on giving for a decade. But not all regard it as a gift.

The bill had some vociferous opposition, most notably from the group called Fight for the Future. As late as December 16, the organization appealed for a veto on the law. Its campaign director, Evan Greer, declared that the bill is "a disingenuous attempt to quietly expand the U.S. government's surveillance programs, and it will inevitably lead to law enforcement agencies using the data they collect from companies through this program to investigate, prosecute, and incarcerate more people, deepening injustices in our society while failing to improve security."

The part that critics of the bill are most uncomfortable with is the permission granted to monitor networks. That makes up the first of three components of the bill's effects that comes under the heading "Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats," presented in the analysis of the bill by Orin Kerr, Research Professor at The George Washington University Law School. He sums it up as: "First, network operators can monitor; second, they can operate defensive measures; and third, they can share information with others."

The third part of the mitigation formula is the equation of forewarned is forearmed. The idea is that putting out updates about the latest cyber threats in real (or very near real) time would give a heads up to other organizations that can take preventative action to avert attacks. The same assumption underlies IBM X-Force Exchange (XFE), a cloud-based platform for accessing information about cyber threats.

Read more in: 
Not everyone believes the new cyver security law passed on December 18 as part of the omnibus bill will prove effective. What do you think?