Cyberthreat Information Sharing Privacy Concerns Raised

Info Sharing , Privacy

DHS Assessment Identifies Shortcomings in Automated Info Sharing Initiative Cyberthreat Information Sharing Privacy Concerns RaisedDHS Chief Privacy Officer Karen Neuman raises concerns over privacy risks in a cyberthreat information sharing system.

The system the Department of Homeland Security is creating to enable the government and the private sector to share cyberthreat information has privacy shortcomings, according to DHS Chief Privacy Officer Karen Neuman.

See Also: Unite & Disrupt: How to Mitigate Attacks by Developing a Unified Security Approach

Neuman's privacy impact assessment of the DHS' automated indicator sharing system, published March 15, concludes that a "residual privacy risk" exists because automated and manual processes might not remove personally identifiable information as required under the Cybersecurity Information Sharing Act enacted by Congress late last year (see Obama Signs Cyberthreat Information Sharing Bill). The process could disseminate "more PII than is directly related to the cybersecurity threat," according to the assessment.

CISA, as the new law is known, authorizes DHS to receive, process and disseminate cyberthreat indicators and defensive measures in real time through the department's National Cybersecurity and Communications Integration Center and to remove PII and other sensitive information not directly related to a cyberthreat before sharing that data with government agencies and private organizations (see DHS Issues Guidance on How to Share Cyberthreat Data).

Reviewing Process to Eradicate PII

To address the privacy risk, the assessment says DHS will periodically review the cyberthreat indicators it disseminates as well as the processes designed to remove PII to evaluate their effectiveness at eradicating unneeded personal data. If PII continues to be disseminated, DHS will issue updates to applicable indicators through the versioning feature in STIX, the XML programming language used to share data about cybersecurity threats. DHS says participants in the cyberthreat sharing program would be expected to promptly apply any necessary versioning updates.

To further mitigate the privacy risk, the assessment says DHS would explore enhancing STIX as well as acquiring commercial off-the-shelf products and other technical solutions that might provide better filtering and dissemination options.

CISA requires the government, in a timely manner, to notify citizens whose PII has been disseminated, but the assessment points out that might not always be possible: "Most personal information exchanged as part of a cyberthreat indicator or defensive measure may be incomplete, may not identify a specific individual or may lack enough information to verify that it pertains to a United States person."

Another potential privacy risk identified in the assessment involves the potential sharing of victim information with law enforcement or intelligence agencies that's unrelated to the authorized use of shared information. Neuman's assessment outlines steps that should be taken to mitigate the risk.

DHS did not immediately respond to a request for comment.

Watch for updates on this developing story.