On December 18, 2015, President Obama signed an omnibus spending bill that included the Cybersecurity Information Sharing Act. Components of the act are good policy and widely supported, such as ensuring that companies take defensive actions against cyberattacks and promoting the sharing of threat and attack data to strengthen the ecosystem.
However, the legislation also includes liability protections for companies that share information, and these will be controversial. Consumer data privacy could be compromised by the loose constraints of the program and by its liability protections, which may reduce the level of care that organizations apply when sharing information. Add the recent OPM breach, and there is significant concern about data privacy and about the responsibilities that banks (as well as other organizations) have for how they share data through the program.
Although we applaud the focus on sharing data, including that of FS-ISAC, we remain concerned about the sharing of raw data attributes and the security required for the safe transfer of this data. In some cases, such as the prosecution of cyber criminals, detailed data will need to be shared. But for the more general purpose of protecting the cyber ecosystem, we recommend taking a page from how banks anonymize payment card data today in order to enable "actionable information sharing." This involves replacing any PII or payment details with strong one-way keyed (salted) hashes, so that if the data is compromised it cannot be traced back to individuals. The "salt" in this scheme must be a secret key held by the sharing consortium, not a random value chosen per record: card numbers and similar identifiers have far too little entropy for an unkeyed hash to resist brute-force guessing, while a per-record salt would make the same card hash differently at each contributor and so destroy the cross-issuer linkage that makes the shared data useful.
One might ask, how does that make the data actionable? In fact, the power in the data comes not from the identities of the individuals but from the analytic models, such as those we use in FICO Falcon Fraud Manager, which analyze the patterns of good and fraudulent behaviors and not identities. The anonymized payments data is leveraged across issuers, but without personally identifiable markers. In the payments ecosystem, this enables the large-scale development of machine-learning models that banks use to fight fraud collectively. In cybersecurity, the same approach can be used to detect suspicious activity and anticipate how cyberattacks will evolve.
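To make the two preceding paragraphs concrete, here is an added example (written for this page, not FICO's or Falcon's code) of keyed one-way tokenization of card numbers and of why the obvious alternatives fail. It assumes a hypothetical consortium key held by the sharing hub, uses well-known test card numbers as constructed sample data, and models the analytic use as a simple common-point-of-purchase check: how many of an issuer's confirmed-fraud cards were seen at a given merchant, computed from tokens alone.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed sample data (not from the original post): Luhn-valid test card
# numbers and a hypothetical consortium key. In practice the key is generated
# and held by the sharing hub and distributed only to contributors.
SAMPLE_PAN = "4111111111111111"
CONSORTIUM_KEY = b"hypothetical-32-byte-consortium-key!!"
MERCHANT_PANS = ["4111111111111111", "5500000000000004", "340000000000009"]  # acquirer side
FRAUD_PANS = ["4111111111111111", "6011000000000004"]                        # issuer side


def pseudonymize(pan: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256). The same PAN under the same key always
    yields the same token, so records from different contributors can be joined,
    while without the key an attacker cannot enumerate candidate PANs and test them."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def naive_hash(pan: str) -> str:
    """Unkeyed, unsalted SHA-256: one-way in principle, but a PAN has far too
    little entropy for that to matter (see brute_force_masked below)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def per_record_salted_hash(pan: str) -> Tuple[str, str]:
    """Password-style salting with a fresh random salt per record. Unlinkable by
    design, which is right for passwords and wrong for cross-issuer analytics:
    the same card hashed by two contributors can no longer be matched."""
    salt = secrets.token_hex(16)
    return salt, hashlib.sha256((salt + pan).encode()).hexdigest()


def brute_force_masked(digest: str, first6: str, last4: str) -> Optional[str]:
    """Recover a PAN from an unkeyed hash when the usual masked form (first six
    and last four digits visible) is known: only the six middle digits are
    unknown, so at most 10**6 hashes are needed. Honouring the Luhn check digit
    would prune a further 90% of candidates; omitted here for brevity."""
    for middle in range(10**6):
        candidate = f"{first6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None  # a keyed token never matches: the key space, not the PAN space, is what must be searched


def common_point_of_purchase(merchant_pans: List[str], fraud_pans: List[str],
                             merchant_key: bytes, issuer_key: bytes) -> int:
    """What the hub can compute from tokens alone: how many of an issuer's
    confirmed-fraud cards were also seen at a merchant (an acquirer's list),
    without either side revealing a PAN. Both sides must tokenize under the
    same consortium key; contributor-specific keys make the sets disjoint."""
    merchant_tokens = {pseudonymize(p, merchant_key) for p in merchant_pans}
    fraud_tokens = {pseudonymize(p, issuer_key) for p in fraud_pans}
    return len(merchant_tokens & fraud_tokens)


if __name__ == "__main__":
    token = pseudonymize(SAMPLE_PAN, CONSORTIUM_KEY)
    print("keyed token      :", token[:16] + "...")
    print("naive hash broken:", brute_force_masked(naive_hash(SAMPLE_PAN), "411111", "1111"))
    print("keyed token broken:", brute_force_masked(token, "411111", "1111"))
    print("per-record salts link:", per_record_salted_hash(SAMPLE_PAN)[1] == per_record_salted_hash(SAMPLE_PAN)[1])
    print("fraud cards seen at merchant (shared key):",
          common_point_of_purchase(MERCHANT_PANS, FRAUD_PANS, CONSORTIUM_KEY, CONSORTIUM_KEY))
    print("fraud cards seen at merchant (mismatched keys):",
          common_point_of_purchase(MERCHANT_PANS, FRAUD_PANS, CONSORTIUM_KEY, b"issuer-private-key"))
```

The brute-force function recovers the card behind a plain SHA-256 in a fraction of a second from the masked form that appears on receipts and in breach dumps, which is why "hashed" card data is not anonymous on its own; the HMAC token resists the same search because the attacker must guess the key rather than the six missing digits. The last two lines of the demo show the operational caveat: the key must be shared across contributors, so its generation, custody and rotation by the hub are the real security boundary of the scheme.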
Powerful analytic models built from this kind of anonymized data sharing arrangement have monitored and protected card payments for more than two decades – without the exchange of personal information. We at FICO are taking the same approach to actionable data sharing as we develop our analytic models for cybersecurity. We are defining our protocol for exchanging suspicious patterns rather than raw data, in order to protect data privacy.
The US government is right to make cybersecurity a priority, and to join the industry players that are defining new standards and technologies for protecting the cyber ecosystem. As this work continues, we need to work together to beat the attackers while preserving data privacy.