Government hands down new cyber framework

The Obama administration has issued a cyber threat information sharing framework just as discussions are heating up in Congress on stalled legislation dealing with the issue.

Lawmakers and law enforcement officials have been pounding the pavement in recent weeks, declaring that steps to ease the sharing of information about cyber threats are critical for the country’s defenses.

{mosads}The practices laid out in the federal document, a draft, are intended to help government and industry officials better identify and thwart cyberattacks. The document is part of a larger effort by the National Institute for Standards and Technology (NIST) to create voluntary cybersecurity standards for government and industry.

The document fills a gap in NIST’s more general cybersecurity framework, released earlier this year, according to Bob Gourley, a former chief technology officer for the Defense Intelligence Agency from 2005 to 2007.

“Greatest thing NIST has done in a long time,” said Gourley, currently a partner at cyber intelligence firm Cognitio.  

Cyber intelligence is a burgeoning field and companies are often in the dark, he said.

“This document comes out at exactly the right time.”

But roadblocks to total implementation remain, as both industry and privacy groups have been hesitant to freely share information in the current legal landscape.

“To fully work with it you would need legislation,” Gourley said. 

One bill that would address the legal issues is the Cybersecurity Information Sharing Act (CISA), but it remains unclear whether the bill could see action in the lame-duck session after the elections.

Absent congressional action, businesses are concerned about whether they will be protected from liability when sharing information with the government.

Conversely, privacy advocates are wary of what personal data industries might share with the government, given the surveillance activities that have been revealed at the National Security Administration (NSA).

Earlier this week, NSA head Adm. Michael Rogers insisted he’s not interested in personal data, which would simply slow cyber threat analysis. But he acknowledged he wasn’t sure exactly what cyber threat information would best serve the NSA.

“What I’d like to have is a discussion about, so just what is the information that we should share with each other,” he told the U.S. Chamber of Commerce.

“That’s a huge problem,” said Robyn Greene, policy counsel for the Open Technology Institute, who opposes CISA as written.

The government can’t pass CISA until it’s explicitly defined what information will be shared and what will happen to it once shared, she said. “It should be a public debate.”

Privacy advocates are expecting a new draft of CISA soon that is meant to assuage those concerns.

Meanwhile, NIST’s cyber threat info sharing framework is open to public comment through Nov. 28.