The purpose of this act is to enable government entities to share cyber threat information with the private sector, and to facilitate the private sector's sharing of such information with federal bodies.
Role of Information Sharing and Analysis Centers [ISACs] in Cyber Security
- Information sharing is recognized as a key pillar of effective cyber security. Sharing information between private entities, and between the private sector and government, helps block cyber threats before they cause cascading damage
- Information sharing means early warning and expert advice, which can make the difference between business continuity and widespread business catastrophe
- The Joint Working Group [JWG] report on Public-Private Partnership (PPP) for Cyber Security in India emphasized the need to set up information sharing centers. The National Cyber Security Policy notified in 2013 also underlined the need for such information sharing.
- The Indian Banks Center for Analysis of Risks and Threats (IB-CART), set up at IDRBT, Hyderabad, is the first such center
Issues of Sharing Cyber-threat Information
- Industry sectors have different cyber security risk profiles. Stronger information sharing arrangements may be appropriate for some sectors but not for others
- The process of sharing information can be onerous. It should be easy, low-touch and free of governmental intervention
- Privacy is the major concern when sharing information. The private sector sharing information with the government attracts the attention of civil liberty advocates. The fears are genuine and have been aggravated by the Snowden revelations
- Cyber threat information sharing should be voluntary, and the shared information should be used only for the purpose of cyber defense. Companies sharing information should be protected from government monitoring and from additional obligations
- Shared information must be handled carefully and responsibly. Proper due diligence and controls must be implemented to secure it and prevent unauthorized access
Cybersecurity Information Sharing Act of the US
The Cybersecurity Information Sharing Act (CISA) of 2015 tries to address these issues and provides legal backing for the sharing of information. Its salient features are:
- Definition of the terms: ‘Cyber Security Purpose’, ‘Cyber Security Threat’, ‘Cyber Threat Indicator’, ‘Malicious Cyber Command & Control’, ‘Malicious Reconnaissance’, ‘Monitoring’, ‘Security Control’ and ‘Security Vulnerability’
- Enabling clauses and framework for sharing of information by the Federal Government: designates the federal departments that will share information, stipulates timely sharing of information with federal and non-federal entities (which include the private sector), and calls for the development of procedures
- Authorization for preventing, detecting, analyzing and mitigating cyber security threats and for operating defensive measures: a private entity may monitor its own information systems, and the information systems of another private entity or of a federal entity with that entity's authorization and written consent. The act also acknowledges a private entity's right to operate defensive measures to protect its rights and property
- Security and privacy of information: an entity monitoring an information system must implement and use security controls to protect cyber threat indicators from unauthorized access. The act also requires that, before sharing, an entity remove personal information it knows is not directly related to a cybersecurity threat
- Exemptions: the act exempts entities sharing cyber threat information from antitrust provisions, and gives companies that share information liability protection
Impact on Indian IT-BPM companies
Nothing in this act inhibits the flow of data from the US to India. Being part of the global supply chain, Indian companies have to be prepared for the expectations arising from cyber security concerns. Companies should take the following points into consideration in respect of this act
- Role in providing cyber threat indicator information: as key partners managing infrastructure and applications for US clients, Indian IT/BPM companies may hold information that constitutes threat indicators, and may have to support their clients' information sharing efforts. Although the arrangement is voluntary for US companies, those that participate may expect the necessary support from their outsourcing partners, and may eventually make sharing such information a contractual obligation of their partners
- Companies providing security services: companies providing security services to US clients have to be cognizant of this act and of their responsibility for sharing information, as they may hold key pieces of it
- Information received from the federal departments: with the enabling framework for information sharing, companies will receive more information on cyber security threats. Services companies may get access to this sensitive information during regular IT/BPM services or specialized security services, and may have to adopt proper due diligence and controls to prevent unauthorized access to it.