Cyberthreat Information Sharing Privacy Concerns Raised
DHS Assessment Identifies Shortcomings in Automated Info Sharing Initiative
This story has been updated.
The system the Department of Homeland Security has launched to enable the government and the private sector to share cyberthreat information has privacy shortcomings, according to DHS Chief Privacy Officer Karen Neuman.
DHS Secretary Jeh Johnson and other government leaders officially inaugurated the automated indicator sharing system at ceremonies at DHS's National Cybersecurity and Communications Integration Center in Virginia, meeting the March 17 deadline set by a new cyberthreat information sharing law.
Only six organizations had signed up, though others have expressed interest, says DHS Assistant Secretary Andy Ozment, according to the Associated Press. "This is a big deal," Ozment says. "We're not going to launch out the gates ... and have thousands of companies sharing all sorts of information. We want to make sure we're providing value and growing."
'Residual Privacy Risk'
Published two days before the system's launch, Neuman's privacy impact assessment of DHS's automated indicator sharing system concludes that a "residual privacy risk" exists because automated and manual processes might not remove personally identifiable information as required under the Cybersecurity Information Sharing Act enacted by Congress late last year (see Obama Signs Cyberthreat Information Sharing Bill). The process could disseminate "more PII than is directly related to the cybersecurity threat," according to the assessment.
CISA, as the new law is known, authorizes DHS to receive, process and disseminate cyberthreat indicators and defensive measures in real time through the department's National Cybersecurity and Communications Integration Center and to remove PII and other sensitive information not directly related to a cyberthreat before sharing that data with government agencies and private organizations (see DHS Issues Guidance on How to Share Cyberthreat Data).
Reviewing Process to Eradicate PII
To address the privacy risk, the assessment says DHS will periodically review the cyberthreat indicators it disseminates, as well as the processes designed to remove PII, to evaluate their effectiveness at eradicating unneeded personal data. If PII continues to be disseminated, DHS will issue updates to applicable indicators through the versioning feature in STIX, the XML-based language used to share data about cybersecurity threats. DHS says participants in the cyberthreat sharing program would be expected to promptly apply any necessary versioning updates.
To further mitigate the privacy risk, the assessment says DHS would explore enhancing STIX as well as acquiring commercial off-the-shelf products and other technical solutions that might provide better filtering and dissemination options.
Timely Notification Not Always Possible
CISA requires the government, in a timely manner, to notify citizens whose PII has been disseminated, but the assessment points out that might not always be possible: "Most personal information exchanged as part of a cyberthreat indicator or defensive measure may be incomplete, may not identify a specific individual or may lack enough information to verify that it pertains to a United States person."
Another potential privacy risk identified in the assessment involves the sharing with law enforcement or intelligence agencies of victim information that's unrelated to the authorized use of shared information. Neuman's assessment outlines steps that should be taken to mitigate the risk.
DHS did not immediately respond to a request for comment about the privacy assessment.