Now that the federal government is encouraging companies to voluntarily share information about the cybersecurity threats they face and the steps they are taking to mitigate those risks, the financial services industry wants to continue to automate that sharing process.
Over the past few years, the financial industry has taken steps to automate the process but should continue down that path, according to John Carlson, chief of staff at the Financial Services Information Sharing and Analysis Center, or FS-ISAC, the financial industry’s global clearinghouse for cybersecurity and physical threat intelligence analysis and sharing.
At a Feb. 24 Financial Services Roundtable event, Next Steps to Fighting Cyber Threats: Implementing Cyber Information Sharing, Carlson touted the ways in which the private sector and federal government have collaborated to speed up the sharing of cybersecurity threat information.
In December, when President Barack Obama signed into law the omnibus federal budget, he also enacted the Cybersecurity Information Sharing Act of 2015, a measure that offers private entities liability protection from lawsuits if they share information with the federal government on cyberattacks — so-called threat indicators — and the defensive measures they are taking to protect against them.
Before passing information to the government, private companies need to scrub the data to remove personal information that could identify an individual, and the Department of Homeland Security also needs to continue the scrubbing process when it receives the data and before it passes it on to other federal agencies.
Last week, DHS and the Department of Justice issued guidelines and procedures required by the law, which offer agencies and companies “a clear understanding of how to share cyber threat indicators with DHS’s National Cybersecurity and Communications Integration Center, or ‘NCCIC,’ and how the NCCIC will share and use that information,” according to DHS Secretary Jeh Johnson.
Carlson said the financial industry has spent the past few years upgrading its technology to make it easier to securely share information about cybersecurity risks. “I think one of the great innovations over the past several years has been the development of several standards, called STIX and TAXII, to help categorize the information and then enable it to be read and enacted upon in machine-readable formats,” he said.
Carlson added that the DHS program to collect cyberthreat indicators, known as Automated Indicator Sharing, will be using those standards, which were developed by DHS and MITRE.
STIX, which stands for Structured Threat Information eXpression, is a standardized XML-based language for describing cybersecurity threats in a common format so that humans and machines alike can easily understand them. TAXII, or Trusted Automated eXchange of Indicator Information, is a threat information exchange standard designed for sharing data in XML format and was created to be the transport protocol for STIX, according to the European Union Agency for Network and Information Security.
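The two steps the article describes, packaging an indicator in the STIX XML format and scrubbing personal information out of it before it leaves the company, can be sketched in a few lines. The following Python is an added illustration, not code from FS-ISAC, Soltra, DHS or MITRE: the element layout is a simplified STIX 1.x-style sketch that uses the real STIX namespaces but is not guaranteed to validate against the official schemas, the list of "shareable" indicator types is a constructed policy rather than anything the statute or DHS specifies, and the sample indicators are constructed.

```python
"""Constructed example: build a simplified STIX 1.x-style indicator package,
scrub personal information from it, and serialize it for machine-to-machine
sharing. Not FS-ISAC, Soltra, DHS AIS or MITRE code; the XML layout is an
illustrative sketch, not a schema-valid STIX document."""
import copy
import re
import xml.etree.ElementTree as ET

# Real STIX 1.x namespace URIs; the element structure below them is simplified.
STIX_NS = "http://stix.mitre.org/stix-1"
IND_NS = "http://stix.mitre.org/Indicator-2"
ET.register_namespace("stix", STIX_NS)
ET.register_namespace("indicator", IND_NS)

# Patterns for personal data that commonly leaks into free-text descriptions.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")

# Constructed sharing policy: only purely technical indicator types leave the
# firm automatically; anything keyed on a person (e.g. a mailbox) is held back
# for human review instead of being forwarded.
SHAREABLE_TYPES = {"ipv4-addr", "domain", "file-hash-sha256"}

# Constructed sample indicators (203.0.113.0/24 and .example are reserved for
# documentation; the e-mail address and phone number are invented).
SAMPLE_INDICATORS = [
    {"id": "example:indicator-1", "type": "domain", "value": "login-update.example",
     "description": "Phishing domain seen in mail to jane.doe@example.com on 2016-02-20."},
    {"id": "example:indicator-2", "type": "ipv4-addr", "value": "203.0.113.45",
     "description": "C2 address; victim contact (202) 555-0100 for follow-up."},
    {"id": "example:indicator-3", "type": "email-addr", "value": "jane.doe@example.com",
     "description": "Targeted employee mailbox."},
]


def build_package(package_id, indicators):
    """Return the root element of a simplified STIX-style package.
    Each indicator dict has keys: id, type, value, description."""
    root = ET.Element(f"{{{STIX_NS}}}STIX_Package", {"id": package_id, "version": "1.2"})
    inds = ET.SubElement(root, f"{{{STIX_NS}}}Indicators")
    for ind in indicators:
        el = ET.SubElement(inds, f"{{{STIX_NS}}}Indicator",
                           {"id": ind["id"], "indicator_type": ind["type"]})
        ET.SubElement(el, f"{{{IND_NS}}}Description").text = ind["description"]
        # Simplified stand-in for the CybOX Observable block a real document carries.
        ET.SubElement(el, f"{{{IND_NS}}}Observable").text = ind["value"]
    return root


def scrub_for_sharing(root):
    """Return (scrubbed copy, report). Indicators of non-shareable types are
    dropped; e-mail addresses and phone numbers in Description text are
    redacted. The report records what was removed so a reviewer can audit it."""
    out = copy.deepcopy(root)
    report = {"dropped": [], "redacted": 0}
    inds = out.find(f"{{{STIX_NS}}}Indicators")
    for el in list(inds):
        if el.get("indicator_type") not in SHAREABLE_TYPES:
            report["dropped"].append(el.get("id"))
            inds.remove(el)
            continue
        desc = el.find(f"{{{IND_NS}}}Description")
        if desc is not None and desc.text:
            text, n_mail = EMAIL_RE.subn("[email redacted]", desc.text)
            text, n_phone = PHONE_RE.subn("[phone redacted]", text)
            desc.text = text
            report["redacted"] += n_mail + n_phone
    return out, report


def share_ready_xml(indicators, package_id="example:package-1"):
    """Build, scrub and serialize a package; returns (xml_string, report)."""
    scrubbed, report = scrub_for_sharing(build_package(package_id, indicators))
    return ET.tostring(scrubbed, encoding="unicode"), report


if __name__ == "__main__":
    xml_text, audit = share_ready_xml(SAMPLE_INDICATORS)
    print(xml_text)
    print("audit:", audit)
```

The audit report is the part a legal or privacy reviewer would actually look at: it says which indicators were withheld and how many redactions were made, so the human check the panel discussed can happen on a summary rather than on every outbound document.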
Carlson said FS-ISAC is going to meet with DHS next week on how to coordinate using the protocols.
In calling cybersecurity a “team sport,” Carlson also noted that several years ago, several financial services industry associations — including the Financial Services Roundtable, American Bankers Association, the Securities Industry and Financial Markets Association and others — poured about $5 million into a research and development project. Those efforts led to the creation of Soltra, a tool that distills threat intelligence, automates sightings, prioritizes actions and routes the intelligence. Soltra is a joint venture between FS-ISAC and the Depository Trust & Clearing Corp. and leverages STIX and TAXII.
“So I think a long-term strategy here is to try to move toward an automated platform so that you can be more nimble in responding to events,” Carlson said. He added that having machines respond to attacks with less human intervention could save time.
“In many cases, time is your worst enemy in response to a cyberattack,” he said.
Jeewon Kim Serrato, a cybersecurity and data privacy attorney at Debevoise & Plimpton who spoke at the event on a panel with Carlson, said she does not think “it would be doing justice to think about the team sport as including only the technical teams.”
Lawyers and others inside financial firms need to pore over whether data being given to DHS has personally identifiable information. “I hope that one of the takeaways from today is that’s not only the information security officer, perhaps, that’s participating in the threat sharing,” she said.
Serrato also added, “As much as we try to do a lot of automated machine-to-machine talking, that human review is part of the process at the federal entities level.
“I would assume that that kind of judgment, that kind of discretion, would also be happening at the industry level,” she added. “And so the team sport should be that all cross-functional teams are involved in this process.”
Carlson said financial firms have engaged in a lot of information sharing on threats with one another and have discussed best practices for responding. All of that has been possible because of the voluntary nature of the information sharing, he said. “No one’s holding a gun to anyone saying, ‘You must share.’”
The sharing is driven by a desire to help peer financial institutions because the firms know that they might one day be hit by a cyberattack, Carlson said.
“So we don’t look at it as a competitive issue,” he said. “That is something that is very important that we got past many, many years ago, in terms of thinking about security as a competitive issue. It’s not in the financial sector. We view it as a highly collaborative team sport.”