Guidelines for Cyber Information Sharing Released
Is the best way to protect American citizens from cyberattacks to maximize the amount of information that companies can freely share with the federal government, or should we instead place limits on anyone’s ability to access computer information? This question is at the forefront of the news this morning, and its answer has very practical implications for your credit union from both a compliance and an operational standpoint.
Late last year, Congress passed the Cybersecurity Information Sharing Act (CISA). The purpose of the Act is to facilitate the sharing of information about cybersecurity threats and possible defenses among companies and the federal government. The legislation advances this goal by exempting information sharing among participants from the antitrust laws and by protecting participants from liability for sharing cyber threat indicators in accordance with the Act.
Yesterday, the Department of Homeland Security released the guidelines that entities wishing to participate in this program will have to follow. If the expanded information sharing network functions as envisioned, the government will be able to provide continuous, real-time updates on the latest cybersecurity threats. As a result, if you are interested in participating in the program, there are technical specifications with which your credit union must be able to comply before it can send or receive indicators. Have your IT person take a look at this guidance.
Under the guidelines, participants are responsible for scrubbing personal information that is not directly related to a cybersecurity threat before an indicator is sent for distribution. DHS singles out financial information as a vast category of data that is both highly sensitive and highly regulated, which underscores both the crucial role banks and credit unions will play in this system and the care they will need to take before sharing anything.
Privacy groups are not fans of this new law. They argue that it puts too much information in the hands of the federal government and includes too few protections against the accidental disclosure of private information. Tim Cook, Apple’s CEO, clearly agrees with this viewpoint. Apple released a public letter a few hours ago in which it explains why it is going to fight a court order obtained by the federal government. According to Apple, the government is seeking to force it to develop a modified version of its operating system so that the government can access the information stored on the iPhone of one of the San Bernardino, CA terrorists.
Apple’s argument comes down to its contention that the government cannot be trusted to safeguard a tool that bypasses the iPhone’s security protections once that tool exists. As Cook explains in the letter, “the government suggests this tool could only be used once, on one phone. But that simply is not true. Once created, the technique could be used over and over again on any number of devices. In the physical world it would be the equivalent of a master key, capable of opening hundreds of millions of locks – from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”
Frankly, I think Cook has the better side of the argument. But Congress apparently disagrees. In the meantime, you and your members are caught in the middle.