This afternoon the National Association of Information Sharing
and Analysis Centers (NAISACs) announced that its member Centers will no longer
share cyber-threat intelligence information with the CSA’s Critical
Infrastructure Security Operations Center (CI-SOC). NAISACs is taking this
action due to the announcement of the Federal Bureau of Inquiry’s
investigation of MedDevice.

Dr. John McKittrick, NAISACs’ President, told reporters
during a virtual press conference: “Our member Centers’ effectiveness is based
upon voluntary information sharing by organizations. With the FBI’s
investigation being based upon information obtained from MedDevice via a voluntary
association with CI-SOC, the Centers have heard concerns from their supporters
that information shared would end up in the hands of the FBI or regulators. We
are taking this action today to ensure that individual organizations will continue
to share valuable cyber-threat information with our Centers.”

General Buck Turgidson (Ret), Director of CI-SOC, said that
he had talked with McKittrick and a number of individual Center Directors over
the weekend while this action was being discussed. “We knew that this was
coming,” the General said. “I tried to convince them that we would do our best
to protect the information provided by the ISACs, but we are constrained by
Federal law that requires us to notify the FBI when a cybercrime is committed.”

Immanuel C. Securitage, spokesperson for the ECS-CERT,
confirmed that the ECS-CERT was also constrained by the same legal requirements
as CI-SOC. “We have been very careful to tell folks approaching us for
assistance that we will have to share some information with the FBI and some
federal regulators,” Securitage explained. “We work closely with NAISACs and
their Centers. We have never received any information from them that we would
have been required to report to the FBI.”

McKittrick confirmed that the Centers were careful about
what information they shared with ECS-CERT to avoid putting them in the
position of having to report the shared information. “I would suspect that the
Centers would do the same with CI-SOC. But with the public announcement that
CI-SOC had shared information with the FBI that resulted in a criminal
investigation, many of our supported organizations have raised concerns about
the CI-SOC.”

A staffer at NAISACs who is not authorized to talk to the
press told me that there had been no discussion about the information sharing
activities with ECS-CERT over the weekend. She said: “There has never been a
problem with the information shared with that organization, so it did not come
up. If information shared with ECS-CERT ever ends up in an FBI investigation, I
expect that NAISACs would take the same action with them.”
Information sharing is difficult, especially with those who make policy on those who provide it.