Financial ISAC shows how info sharing beefs up security
The Financial Services Information Sharing and Analysis Center (ISAC), which Homeland Security Deputy Undersecretary Mark Weatherford said has become the operational arm for detecting and responding to cyber attacks against the financial sector, was honored with the award for information security at last week’s RSA Conference in San Francisco.
The Financial Services ISAC was created in 1999 under Presidential Directive 63, which mandated mechanisms to enable the sharing of data between the public and private sectors. The ISAC works closely with the Treasury Department, the Federal Deposit Insurance Corp., and DHS.
Although information sharing between government and industry remains a challenge, ISAC president Bill Nelson said that willingness to share between circles of trust created in the ISAC has “changed the game” in information security.
ISAC recently completed its Critical Infrastructure Notification System (CINS), through which it issues security alerts to industry while providing for user authentication and delivery confirmation, the organization said. The group also offers anonymous information sharing, including advice on best practices for defending against known and emerging threats.
Also at RSA, the leaders of the House Permanent Select Committee on Intelligence were recognized for their efforts to pass cybersecurity legislation that would improve the sharing of threat information between intelligence communities and outside organizations.
Committee Chairman Mike J. Rogers (R-Mich.) and ranking member C.A. Ruppersberger (D-Md.) were the authors of the Cyber Intelligence Sharing and Protection Act (CISPA), a controversial bill that passed the House in April 2012 but failed to move out of the Senate. In receiving the 16th annual award for excellence in public policy, they were praised for their bipartisan effort to protect the nation’s critical infrastructure and intellectual property.
CISPA would have allowed the federal intelligence community to share classified cyber threat intelligence with appropriate entities in the private sector “consistent with the need to protect the national security of the United States.” It also would have streamlined granting of security clearances for private sector officials and allowed voluntary sharing of threat information between companies and with government.
Among the controversial provisions of the bill are exemptions from liability that would shield companies from any civil or criminal action for use or misuse of information as long as they had acted in good faith.
The bill was criticized as overly broad and lacking adequate privacy protections, and drew a veto threat from the White House. Despite these concerns, it passed the House by a healthy margin of 248 to 168, but died in the Senate with the end of the 112th Congress.
The representatives reintroduced the bill in February with no changes as H.R. 624. No action has yet been taken on it.