Dive Brief:
- There are some significant privacy concerns to be worked out with the Automated Indicator Sharing initiative, according to an assessment released Tuesday by the Department of Homeland Security.
- The Automated Indicator Sharing initiative is an automated system intended to let private companies share cyberthreat indicators with the federal government while protecting privacy, by stripping personally identifiable information (PII) out of the shared data.
- The system falls under the Cybersecurity Information Sharing Act (CISA), which became law last December, and was placed under the umbrella of the Department of Homeland Security.
Dive Insight:
CISA requires any personally identifiable information that is shared through the program to be directly related to a cybersecurity threat. But the report found "residual privacy risk that these processes may not always identify and remove unrelated PII, thereby disseminating more PII than is directly related to the cybersecurity threat."
CISA sets up incentives for businesses to share threat information with each other and with government agencies, and would eventually result in tools to protect both business and government networks. The Automated Indicator Sharing system is designed to work via machine-to-machine connections that share threat information in a common format over a common platform.
CISA drew significant opposition from both privacy organizations and tech companies, including Apple, prior to passage.
Once fully operational, the Automated Indicator Sharing initiative and its rules could impact many businesses and add complexities when it comes to user privacy. Some say it essentially means that customers of a business will no longer be able to rely on that business's privacy policy. At this point, it is also unclear to what extent companies will be required to anonymize the information they share with other entities.