The ‘Automated Public/Private Intel Sharing System’ That Enables CISA
This is the client-side view for Anomali's "ThreatStream." Image: Anomali


The privacy-killing Cybersecurity Information Sharing Act was renamed and snuck into a budget bill at the end of 2015. This is the software that sends 'cyber threats' to the Department of Homeland Security.

At the end of 2015, with the United States facing the potential of a government shutdown, a widely derided and unpopular cybersecurity bill formerly known as CISPA and CISA was unceremoniously snuck into a 2,000-page, must-pass budget bill.

The Cybersecurity Act of 2015 is now the law of the land, and on Monday, the Department of Homeland Security and a private firm called Anomali tested the first "automated public/private intel sharing system" that will shuttle information about "cyber threats" from private companies to the federal government.


For those who don't remember the Cyber Intelligence Sharing and Protection Act, its successor the Cybersecurity Information Sharing Act, or that bill's successor, the Cybersecurity Act of 2015: the law allows the federal government to share classified "cyber threat" information with private corporations. In return, it allows private corporations to share information about cyber threats directly with the Department of Homeland Security.

Proponents of the law say that because the information sharing is voluntary, companies are not forced to hand potentially privacy-killing user information to the federal government. The law, however, also carves out broad legal protections for companies that do share users' private information with the government.

For instance, companies that don't "know at the time of sharing" that a piece of intelligence contains specific personal information about someone who is "not directly related" to a cyber threat will have legal immunity from being prosecuted or sued for sharing such information.

Image: Anomali

The law was opposed both by massive tech companies such as Google and Facebook and by civil liberties groups like the American Civil Liberties Union and the Electronic Frontier Foundation, who suggested that it would serve as a de facto replacement for the NSA's mass surveillance program that had been ruled unconstitutional.

"CISA's vague definitions, broad legal immunity, and new spying powers allow for a tremendous amount of unnecessary damage to users' privacy, and it's highly unlikely that the public will learn about it," the Electronic Frontier Foundation wrote about an iteration of the law that was very similar to the one that was ultimately passed. In addition, critics said that the bill wouldn't have stopped any of the high profile hacks we've seen in recent years, such as the Sony breach: "the bills don't address problems like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links," the EFF wrote.


At issue is the broad and all-encompassing definition of what a "cyber threat" is. Law360 has a good summary of what constitutes a "cyber threat":

"Information may be disclosed, retained, or used only for (1) a cybersecurity purpose; (2) identifying cybersecurity threats or security vulnerabilities; (3) responding to, preventing, or mitigating a specific threat of death, or serious bodily or economic harm, including a terrorist act; or (4) responding to, investigating, prosecuting, preventing, or mitigating a serious threat to a minor, any offense arising out of a threat described in (3), or certain offenses relating to fraud, identity theft, espionage, censorship, or the protection of trade secrets."


It does not define what a "cybersecurity purpose" is, and civil liberties groups say that such a definition means something as innocuous as an email account hijacked to send spam without the knowledge of its owner could be considered a "cybersecurity threat."

Anomali, a company that is facilitating data sharing between DHS and a group of private companies, announced that it has automated the process. It will take DHS's "Automated Indicator Sharing" stream of potential cyber threats (DHS describes these as things like malicious IP addresses and email addresses of known phishing accounts) and stream them to private companies.


But the program will also take the amorphous "cyber threat" information from the companies themselves and give it back to the federal government.

"Every one of the 2,000-plus customers on our platform and their users will be able to share data with DHS should they choose to do so," Todd Helfrich, vice president of federal relations at Anomali, told me.


He said he could not name any specific companies using Anomali's "ThreatStream" program, but said the company has customers among Fortune 50, Fortune 100, and Fortune 500 companies.

"We have customers in the aviation sector, transportation sector, financial services, customers in the healthcare sector, across all industries," he said. "Our customers have access to 400 streams of cyber threat intelligence."

ThreatStream looks like the image you see above, and is designed to detect phishing attempts, malware, zero days, the use of Tor or other onion routers, and other potential threats.

He said the system "has precautionary measures in place to look for social security numbers so they are not imported into our systems," and said the company is not looking for "personally identifiable information, [it's looking for] indicators of compromise associated with, for instance, certain file hashes, and domains."

"As we give information to DHS, they have their own validation that they're going to use to make sure there is no personally identifiable information present," he said, adding that much of the information is not "human readable."
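The screening Helfrich describes, checking that what leaves a customer's system is a well-formed indicator (IP, domain, file hash, phishing sender address) rather than free text carrying personal data such as a Social Security number, can be sketched in code. The following is an added illustration, not Anomali's or DHS's implementation; the record layout, the field names and the sample records are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample records; the layout is assumed, not ThreatStream's format.
SAMPLE_RECORDS = [
    {"type": "ipv4", "value": "203.0.113.45", "note": "scanner seen in weblogs"},
    {"type": "domain", "value": "bad-example.invalid", "note": "phishing landing page"},
    {"type": "sha256", "value": "a" * 64, "note": "dropper"},
    {"type": "email", "value": "alerts@bank-example.invalid", "note": "phishing sender"},
    {"type": "sha256", "value": "b" * 64, "note": "victim SSN 123-45-6789 seen in file"},
    {"type": "domain", "value": "123-45-6789", "note": "typo in field"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # US Social Security number shape
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def indicator_is_well_formed(kind, value):
    """True only if value has the exact shape the declared indicator type requires."""
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    if kind == "domain":
        return bool(DOMAIN_RE.match(value))
    if kind in HASH_LENGTHS:
        return len(value) == HASH_LENGTHS[kind] and all(c in "0123456789abcdef" for c in value.lower())
    if kind == "email":
        return bool(EMAIL_RE.match(value))
    return False  # unknown types are never shared


def screen_for_sharing(records):
    """Split records into (shareable, rejected); shareable keeps only the typed indicator."""
    shareable, rejected = [], []
    for rec in records:
        kind, value, note = rec["type"], rec["value"], rec.get("note", "")
        if not indicator_is_well_formed(kind, value):
            rejected.append((rec, "malformed indicator"))
        elif SSN_RE.search(value) or SSN_RE.search(note):
            rejected.append((rec, "possible SSN"))
        else:
            # Free-text notes never leave the organisation; only the indicator does.
            shareable.append({"type": kind, "value": value})
    return shareable, rejected
```

Rejecting on shape rather than on a PII blocklist alone means a stray name or account number cannot ride along in a field that is supposed to hold a hash or an IP address.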

Without seeing the program in action or knowing which companies are specifically using it, we can't say what sorts of information are being shared. ThreatStream is not only facilitating DHS-to-company and company-to-DHS streams; it also automates company-to-company intelligence sharing within what Anomali calls "trusted circles."

"Healthcare services would be one circle, retail services is another, international community governance, US government," he said. "If you're seeing closely resembled attack patterns, it's significantly beneficial to share that information."

"Historically, information sharing has been taking place with spreadsheets within an organization, with Post-it notes, emails, instant messaging," he added. "From external party to external party, they've been using secure FTP files. So organizations have been sharing this information, but they haven't been public about it. What Anomali provides to industry allows them to share it in a structured and routine, automated way."