CSIRT Information Sharing: completing the legal framework

[UPDATE: slides from my TF-CSIRT presentation are now available]

Several years ago I wrote a paper on using the GDPR to decide when the benefits of sharing information among network defenders outweighed the risks. That used the Legitimate Interests balancing test to compare the expected benefits – in improving the security of accounts, systems or globally deployed software – against the risk of sharing personal/pseudonymised data – on a bilateral, community or public basis – that would be needed to deliver those benefits.

That framework has been widely used by incident response and security teams; however, it left a couple of loose ends. First, the framework was motivated by Recital 49 of the GDPR which, back in 2016, only said that such data processing “could” be linked to that legal provision. Second – particularly for the international sharing that is essential to protect the international internet – GDPR Article 49 requires data exports to serve a “compelling legitimate interest” of the exporter. Information sharing more directly benefits the recipients, who can learn from others’ experience and analysis how to secure their own systems, so we need a bit of logical gymnastics to claim that improving overall security benefits the exporter, too.

I’m delighted to report that my latest paper – “NISD2: A Common Framework for Information Sharing Among Network Defenders” – ties up those loose ends.

This is based on Recitals in the European Commission’s draft Network and Information Security Directive (NIS2D). Published in early 2021, these show how thinking has developed. First, although Recital 69 repeats the GDPR wording linking incident response to the Legitimate Interests basis, the permissive “could” in the GDPR is now a significantly stronger “should” in the NIS2D. The same Recital explicitly describes sharing “to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure … voluntary exchange of information on those incidents, cyber threats and vulnerabilities, [Indicators of Compromise], tactics, techniques and procedures, cybersecurity alerts and configuration tools” as a component of the defender toolbox.

Second, the individual harms that motivated incident response in 2016 (“unauthorized access … malicious code distribution and … denial of service attacks”) have been replaced in NIS2D Recital 3 by societal harms (“impede the pursuit of economic activities …, generate financial losses, undermine user confidence and cause major damage to … economy and society”). This seems to invoke a different GDPR export provision, that sharing is “necessary for important reasons of public interest” (Article 49(1)(d)). Not only is this a more natural description of what information sharing actually does, it also removes the possible duty – if relying on a “compelling legitimate interest” – to inform regulators of all transfers.

So now I have a more complete framework, with NIS2D thinking joining up GDPR law:

  • When: network defenders should share information when this will serve an “important public interest” (GDPR Art.49(1)(d)) …
  • Including those of preventing “financial losses, undermin[ing] user confidence, … caus[ing] major damage to … economy or damage to society” (NIS2D Rec.3) …
  • What: the information shared should be “necessary for [that] interest” and “not over-ridden by the rights and freedoms of individuals” (GDPR Art.6(1)(f); in fact, as discussed in my original paper, sharing among defenders normally benefits those rights and freedoms) …
  • How: protected by tools such as the Traffic Light Protocol and, perhaps, norms such as those of the UN Global Group of Experts (NIS2D Rec.6).

Thanks to ScriptED for publishing both papers as open access.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
