GDPR: An Opportunity for Better Threat Intelligence SharingAnti-Phishing Working Group Confident It Will Navigate GDPR Requirements
Europe's General Data Protection Regulation is reshaping the way organizations handle data. That's also going to have an impact on the sharing of threat intelligence, says Pat Cain, research fellow at the Anti-Phishing Working Group.
APWG, founded in 2003, is a not-for-profit group dedicated to sharing information to fight cybercrime. It acts as a clearinghouse for cybercrime event data, distributing millions of reports on phishing sites and other indicators of compromise to help organizations defend themselves. Its members include Microsoft, PayPal, McAfee, RSA and many financial institutions.
Convincing organizations to share data with APWG has not always been easy, Cain says. But the idea is that more sharing enhances the capabilities of organizations to build better defenses against criminal activity.
But GDPR has cause a fair amount of consternation, with good reason: Data protection authorities can leverage large fines against organizations that are found to have violated its tenets. There's also a certain amount of ambiguity over exactly what regulators think is OK regarding data sharing (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).
APWG and Cain have sought to gain clarity in order to continue to expand threat intelligence sharing, and as Cain puts it, "cause the attorneys to calm down." He notes: "GDPR could be good for data sharing, mostly because it's going to force the techies to sit down and say 'Here's what really we're doing' and we'll get the lawyers comfortable with it, and they may be more willing to share."
APWG has a tightly vetted model for accepting and sharing data. Those who are receiving data must sign a two-page data-sharing agreement, or DSA, that sets the expectations for how the information can be used, Cain says.
Organizations often have informal arrangements to exchange threat intelligence, such as a secret Google group. That relies on each party trusting the other not to do anything potentially harmful, such as publishing or selling the data, Cain says.
The DSAs ensure that parties sharing information will not publicly identified. And they've have been successful in putting lawyers at ease, Cain contends.
"Some of the bigger companies are getting more comfortable with it [threat intelligence sharing] as they see the benefits of it," he says.
There's value in a collective defense: The more data, the better.
"The bad guys don't go after one bank," Cain says. "They go after 20 at a time. They don't go after one car manufacturer; they go after all the car manufacturers. It's impossible to have your fingers in the entire internet looking for stuff. So you have to rely on other people."
APWG's DSAs are already a perfect fit with GDPR. Under the regulation, two organizations sharing data are supposed to have binding corporate rules for sharing and handling that information. But there are other unknowns with GDPR.
Code Of Conduct
APWG has been exploring for the past 18 months how GDPR would impact its operations, Cain says. The regulation runs 130 pages, and Cain has taken a lead role in determining how to ensure APWG complies.
Europe didn't issue a guide for how to comply with the regulation, and there are no court precedents, which has left granular questions. "There's been lots of guessing over what the right things to do are," Cain says.
APWG works closely with many treaty organizations and European governments, so it has been asking questions and getting solid feedback on how to be compliant. In late May, APWG held a data symposium in Barcelona, one in a series of three events that focuses on data sharing to work through concerns and barriers.
APWG has also been drafting a code of conduct, another recommendation within GDPR. That is under evaluation, and eventually APWG will send it to data protection authorities in Europe to test it for "adequacy," which means it complies with GDPR's tenets.
If APWG's code of conduct is deemed adequate, the organization can take it to companies and assure them they're in good shape with regulators if they follow the code, Cain says.
A point of concern for APWG is its collection of malicious IPs. Under GDPR, IP addresses can be considered personal data if one can be linked back to a person.
"We think that we could make a case that it's not personal data because we have no idea who the individual behind it is," Cain says. "But a lot of the lawyers in the members community were like: 'Oh my god. It's got IP addresses.'"
GDPR also includes a provision providing a private right of action, Cain says. That means an individual could sue a company, in addition to a data protection authority, which means organizations need to tread carefully. In the end, Cain feels confident that APWG will marshal the support for its efforts.
"We're helping crime fighting," Cain says. "It's not in any government's best interests to dissuade us from doing crime fighting."