White House efforts to push companies to share sensitive security information intensified this week, with an executive order from President Barack Obama on February 12 and a conference of industry leaders in Silicon Valley the next day.
But quite a few of the industry’s most prominent leaders — including Facebook’s Mark Zuckerberg, Yahoo’s Marissa Mayer and Google’s Larry Page — boycotted the event, highlighting the fact that many in the industry disagree with the Obama Administration’s approach to security.
One of the demands corporate leaders are making is that any information sharing has to coincide with liability protections. The White House has promised to deliver that protection, but the specifics — both in language proposed by The White House as well as in language from the Senate bill meant to start the process of codifying it into law — don’t come anywhere close to what companies want.
That may not be simply because the White House isn’t listening. Actually, there are significant pragmatic difficulties, especially in protecting companies that have actually created major security holes.
The corporate fears of participating in these security-sharing forums — which the acronym-loving government is calling Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs) — are many.
First, there is the fear that the government may not adequately protect the sensitive information in these forums. That would make the forums a tempting target for cyberthieves, terrorists, and even the direct competitors who are also participating in the forums.
Second, if the information later leaks out (either directly from the forums or from a participant or an unauthorized observer), it could hurt the participants in many ways.
Here’s the Senate language — which is quite similar to the White House’s suggested language — that was crafted to protect participants:
“A civil or criminal action may not be filed or maintained in a Federal or State court against an entity for the voluntary disclosure or receipt under this section of a lawfully obtained cyber threat indicator, that the entity was not otherwise required to disclose.”
In terms of civil liability protection, that’s it. The problem is that it is protecting against a fear almost no one had. The worry was not that Toyota or Walmart would share security data and a leak would cause them to be breached and they would then be sued for sharing that data. No, they would be sued for allowing the security hole to exist in the first place. Meaningful liability protection would shield them from that latter threat.
There is one other liability protection the Senate bill offers. It prohibits a federal entity from using anything disclosed in these forums against the companies in a regulatory enforcement action. But the bill then negates much of that protection by spelling out a key exception: A federal agency can use that information against the company as long as it was obtained elsewhere “through lawful means.”
Given that the data exists on the company’s servers, it wouldn’t be hard for the government to establish it through independent means, now that they know where to look.
One Senate committee aide who was involved in drafting the language, who asked to not be identified by name, said it became clear that “the spectrum of security is a little more nuanced” than typical Senate bills, which means that the Catch-22 of encouraging companies to reveal everything while offering them very little protection is remarkably difficult.
Earlier Senate efforts to create liability standards for security have proven “a little more dicey.”
“Even incremental legislation helps,” the Senate aide said. “If this encourages at least some sharing,” he said, it will be better than what is happening today.
Who do you trust?
Whether or not such forums make fundamental sense in terms of protecting the data depends on your perspective. The government’s argument is that the top security minds at the NSA, the FBI, and Homeland Security should do a better job of creating ultra-secure data depositories than the typical hotel chain or laundry detergent manufacturer.
Hence, the loaded question: Who does Silicon Valley think is more capable? Federal employees (at protecting the data) or well-financed global cyberthieves (at breaking in)?
There’s also an issue of competitor trust. Nothing in the bill would punish a member of the group for using security data from a direct rival against that rival in the marketplace. Not directly, by announcing it, but indirectly, by leveraging the knowledge.
One way to address that concern is by making the information sharing in these forums anonymous. But that may cause other problems. For instance, if the names of the companies involved in an attack are withheld, how would other companies know enough to defend themselves? Part of the value of such a forum is to give a heads-up to other potential victims.
Some attackers might be targeting specific kinds of companies, or companies in specific geographies, or companies associated with specific countries. Withholding everything beyond the tactics of the attack could make the sharing far less effective as a security device.
Ultimately, it may not be possible to protect companies that choose to share sensitive security information, which means that very few will try. That fact alone may doom this legislative effort far more than an uncooperative Congress controlled by the opposition party.