[BreachExchange] Cyberthreat Information Sharing Privacy Concerns Raised

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 16 19:26:43 EDT 2016


http://www.govinfosecurity.com/cyberthreat-information-sharing-privacy-concerns-raised-a-8970

The system the Department of Homeland Security is creating to enable the
government and the private sector to share cyberthreat information has
privacy shortcomings, according to DHS Chief Privacy Officer Karen Neuman.

Neuman's privacy impact assessment of the DHS' automated indicator sharing
system, published March 15, concludes that a "residual privacy risk" exists
because automated and manual processes might not remove personally
identifiable information as required under the Cybersecurity Information
Sharing Act enacted by Congress late last year (see Obama Signs Cyberthreat
Information Sharing Bill). The process could disseminate "more PII than is
directly related to the cybersecurity threat," according to the assessment.

CISA, as the new law is known, authorizes DHS to receive, process and
disseminate cyberthreat indicators and defensive measures in real time
through the department's National Cybersecurity and Communications
Integration Center and to remove PII and other sensitive information not
directly related to a cyberthreat before sharing that data with government
agencies and private organizations (see DHS Issues Guidance on How to Share
Cyberthreat Data).

Reviewing Process to Eradicate PII

To address the privacy risk, the assessment says DHS will periodically
review the cyberthreat indicators it disseminates as well as the processes
designed to remove PII to evaluate their effectiveness at eradicating
unneeded personal data. If PII continues to be disseminated, DHS will issue
updates to applicable indicators through the versioning feature in STIX,
the XML-based structured language used to exchange data about cybersecurity
threats (STIX is a data format, not a programming language). DHS says
participants in the cyberthreat sharing program would be expected to
promptly apply any necessary versioning updates.
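The versioning mechanism above is the only technical control the assessment
describes, so it is worth seeing what "promptly apply versioning updates"
means on the consumer side. The following is an added example, not code from
the article, DHS or the STIX project. It models STIX 1.x-style indicators in a
deliberately simplified form: only the id and timestamp attributes that STIX
1.x does use for versioning, plus a Description and an Observable element;
namespaces and the many other STIX fields are omitted. The sample feed is
constructed for the example. A later message with the same id and a newer
timestamp supersedes the earlier one, whichever order they arrive in, and a
simple e-mail pattern flags indicators whose current version still carries
the kind of PII the assessment is worried about.

```python
"""Apply STIX 1.x-style versioning updates and flag indicators that still carry PII.

Simplified, constructed example: real STIX 1.x documents are namespaced and far
richer. Only the id/timestamp versioning attributes (which STIX 1.x really uses),
a Description and an Observable are modelled here.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample feed. The first message leaks an employee e-mail address in
# its description; the third message is a later version of the same indicator id
# with the address removed, which is how a versioning update would arrive.
FEED = [
    """<Indicator id="example:indicator-1" timestamp="2016-03-10T12:00:00Z">
         <Description>Phishing sent to jdoe@example.com from 203.0.113.7</Description>
         <Observable>203.0.113.7</Observable>
       </Indicator>""",
    """<Indicator id="example:indicator-2" timestamp="2016-03-11T09:30:00Z">
         <Description>C2 beacon to evil.example</Description>
         <Observable>evil.example</Observable>
       </Indicator>""",
    """<Indicator id="example:indicator-1" timestamp="2016-03-15T08:00:00Z">
         <Description>Phishing sent to [redacted] from 203.0.113.7</Description>
         <Observable>203.0.113.7</Observable>
       </Indicator>""",
]

# Deliberately narrow PII check: e-mail addresses only. A production filter would
# cover names, phone numbers and other identifiers as well.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_ts(ts):
    """Parse the UTC timestamp format used in the sample feed."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def apply_versioning(messages):
    """Return {indicator_id: (timestamp, element)} keeping the newest version per id.

    Messages may arrive out of order: an older version that shows up after a newer
    one must not overwrite it, otherwise a redaction could be silently undone.
    """
    latest = {}
    for msg in messages:
        el = ET.fromstring(msg)
        ind_id = el.get("id")
        ts = parse_ts(el.get("timestamp"))
        if ind_id not in latest or ts > latest[ind_id][0]:
            latest[ind_id] = (ts, el)
    return latest


def find_pii(indicators):
    """Return the ids whose *current* version still contains an e-mail address.

    This is the "PII continues to be disseminated" case the assessment describes;
    a consumer would report these upstream rather than re-share them.
    """
    return sorted(
        ind_id
        for ind_id, (_, el) in indicators.items()
        if any(EMAIL_RE.search(text) for text in el.itertext())
    )


def current_descriptions(indicators):
    """Convenience view of the description text of each indicator's latest version."""
    return {ind_id: el.findtext("Description") for ind_id, (_, el) in indicators.items()}


if __name__ == "__main__":
    current = apply_versioning(FEED)
    for ind_id, desc in sorted(current_descriptions(current).items()):
        print(ind_id, "->", desc)
    print("still carrying PII:", find_pii(current))
```

Run as a script it prints the redacted description for example:indicator-1
and an empty PII list; feeding it only the first two messages (before the
versioning update arrives) flags example:indicator-1 instead, which is the
condition a participant should be watching for.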

To further mitigate the privacy risk, the assessment says DHS would explore
enhancing STIX as well as acquiring commercial off-the-shelf products and
other technical solutions that might provide better filtering and
dissemination options.

CISA requires the government, in a timely manner, to notify citizens whose
PII has been disseminated, but the assessment points out that might not
always be possible: "Most personal information exchanged as part of a
cyberthreat indicator or defensive measure may be incomplete, may not
identify a specific individual or may lack enough information to verify
that it pertains to a United States person."

Another potential privacy risk identified in the assessment involves the
potential sharing of victim information with law enforcement or
intelligence agencies that's unrelated to the authorized use of shared
information. Neuman's assessment outlines steps that should be taken to
mitigate the risk.

DHS did not immediately respond to a request for comment.