By David Poole, Business Development Director at myPINpad
On 18 December 2015, President Barack Obama signed into law the US budget, and amongst its 2,000 pages was the US Cybersecurity Information Sharing Act (CISA) of 2015. The Act allows companies to voluntarily share information about cybersecurity threats with the U.S. government, in an effort to improve public and private cybersecurity efforts.
With high-profile cybersecurity breaches at organisations such as Sony Pictures, Home Depot and the Office of Personnel Management, it isn’t surprising that cybersecurity is becoming the focus of government policy. This is part of an overarching strategy to fight online fraud, cyberterrorism and other criminal activities.
The Act is designed to facilitate information sharing between private and governmental entities regarding a potential hostile cyber-attack, without breaching data confidentiality regulations.
Sharing information as a defensive measure
While many will be concerned about the privacy implications of such legislation, it’s important to remember that such information sharing can aid governments and organisations when combating cyber threats.
In 2012, Bank of America, BB&T and Wells Fargo, among others, fell victim to cyber-attacks which caused them day-long slowdowns and left them sporadically unreachable for many customers. The cyber-attack was a Distributed Denial of Service (DDoS) attack that flooded the banks’ online systems with fake information, preventing customers from using basic online banking services.
Whilst the attack was well reported at the time, it was only later, at a cybersecurity symposium at the University of North Carolina at Charlotte, that the executives from the affected companies fully discussed its ramifications. It was quite interesting to see that, when recounting the event and how it affected their business, each of the companies had made different observations and analyses at the time of the attack.
Bank of America had focused on the large scale of the attack, BB&T on the many locations the attack was emanating from, and Wells Fargo on the real-time changing of the code during the attack. Clearly, each company had focused on a different aspect, and that alone didn’t provide them with enough information to combat the attack. Even though having a full picture would have helped the organisations fight against it more quickly and efficiently, this was prevented by various data sharing regulations.
This is what the CISA is aiming to facilitate, and by doing so, help to prevent and tackle such cyber-attacks. The CISA now “allows entities to share and receive indicators and defensive measures with other entities or the federal government”, to share threats, solutions, analysis and best practices.
Such “cyber threat indicators” allow the relevant entities to form an early diagnosis of a potential cyber-attack and, in turn, put preventative measures in place before it is too late. They are also essential in building up a body of knowledge on how to look for such cyber-attacks in the future.
Privacy vs. Security
Although such voluntary information sharing between organisations and governments appears to be a very effective remedy in the fight against hostile cyber intrusions, there is still much opposition from both consumers and global technology giants.
Companies such as Apple, Wikipedia and Google have already publicly opposed the CISA, as they are concerned that it will make their users more reluctant to share their personal information.
Concerns have also been raised about how the government intends to store and, more importantly, keep secure all the information it collects. Senator Ron Wyden, who has been a vocal opponent of the bill, voiced his opposition to President Obama: “There is a saying now in the cybersecurity field, Mr President: if you can’t protect it, don’t collect it. If more personal consumer information flows to the government without strong protections, my view is that’s going to be a prime target for hackers.”
How beneficial is the CISA?
The lack of information sharing between private companies and governmental entities is undoubtedly preventing both from protecting themselves in the most effective way. This is an issue that is affecting companies worldwide.
The UK has already adopted similar provisions in the form of the Cybersecurity Information Sharing Partnership (CiSP), which was introduced in 2013 to increase overall situational awareness of cyber threats. The CiSP allows members from across sectors and organisations to exchange cyber threat information in real time, in a secure and dynamic environment that protects the confidentiality of the shared information.
However, the CiSP does not appear to have made individuals in the UK more reluctant to share their information with companies. In addition to the CiSP, the European Commission has proposed a new regulation that brings significant benefits to the payments ecosystem, but also demands greater sharing of consumers’ information. There have yet to be any major concerns on behalf of consumers over these proposals, suggesting that any worries may be overstated.
The second EU Payment Services Directive (PSD2) will bring about significant changes to the European payments landscape, by providing Access to Accounts (XS2A) and introducing Account Information Service Providers (AISPs). PSD2 will mandate more information sharing for consumers while providing them with increased levels of security, in the form of mandatory strong multi-factor authentication whenever consumers access their accounts or initiate transactions.
Updates to regulation present new possibilities for improvements to systems and practices. Those businesses able to make the most of these without disrupting customers will likely be the most successful. Technology providers, such as myPINpad and others, are great examples of bridging legacy systems with the new regulatory standards to further the innovation journey securely for their partners.
Although the CISA still suffers from imperfections, it is definitely a step forward in the fight against fraudsters and hackers. The benefits of such an information sharing regulation are apparent, and businesses across the technology and financial sectors are starting to see the huge opportunity that this creates.