Congress Wants Companies Facing Cyberattacks to Share Data, and It's Not a Moment Too Soon
A longstanding reluctance to share information about cybersecurity threats and defensive measures has limited our ability to form teams of good guys.
Successful executives know that putting together the right team is a key element in achieving goals and overcoming challenges. In fact, walk into any CEO’s office and you are likely to find a number of books on teamwork sitting on the bookshelf.
But corporate managers aren’t the only ones who recognize the value of collaboration. We’ve learned the hard way that hackers and other bad actors in cyberspace have become proficient in finding ways to collaborate and share information in real-time on exploits and other offensive strategies.
Yet, despite the obvious disadvantages, companies defending against these attacks continue to work alone. A longstanding reluctance to share information about cybersecurity threats and defensive measures has limited our ability to form teams of good guys, and even when such teams have formed, productive collaboration often remains elusive.
One of the most significant barriers to broad participation in cybersecurity information sharing efforts is the risk (legal, reputational, and market) that companies face in disclosing information about cyber incidents. Under current law, companies face the potential for civil, and possibly even criminal, liability should they divulge the details of a cyber attack on their organization.
Though this may come as a surprise to some, given the obvious advantage of sharing information on cyber attacks with others who may potentially be affected, it is something almost every company has had to at least consider before disclosing cyber attack data, and it very often stops them from doing so.
But the tide may finally be turning.
Congress has recently taken significant action to minimize the legal risks for companies voluntarily sharing cyber incident information, with the passage of the Protecting Cyber Networks Act (H.R. 1560) and the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731). These bills provide liability protection for companies that share cyber threat indicators and defensive measures with one another and, should they choose, with the government.
It is important to note that unlike past efforts, taken together these bills are not solely aimed at encouraging companies to share cyber threat information with the government, but rather, at breaking down the barriers that often stop them from sharing even among themselves.
These bills follow closely on the Executive Order President Obama signed in February promoting private sector sharing of cyber threat information, and mirror similar proposals currently under debate in the Senate. With these actions, the U.S. government is sending a clear signal that it recognizes the vital role of information sharing in our efforts to stay ahead of our adversaries. We know that the bad guys are collaborating, and yet the defenders have often had to go it alone. This disadvantage will continue until we eliminate corporate reluctance to share information on cyber incidents.
However, trust is not easily attained, and it is understandable that some concerns may still prevail. While companies that share information with the government may be protected from legal risk, many may still be wary of the potential for reputational or market risk should that data be compromised.
Further, though the revisions included in the passed versions of the bills should allay most privacy fears by requiring the removal of any personally identifiable information, reservations linger about how exactly these privacy protections will be monitored and enforced.
Having worked in both the government, as part of the White House’s Homeland Security Council, and as CISO for CyberPoint International, I realize that making significant change requires action by both government and the private sector.
Of course, both of these bills still have a ways to go before becoming law. This is good for TruSTAR, because a new law would enable security operators within enterprises to begin sharing incident data (not personally identifiable information or pricing data) with other enterprises without fear of civil or criminal penalty.
However, enabling information sharing requires more than just government action. In fact, we recently launched TruSTAR with a clear understanding that technology innovation would be a key part of reducing the risk associated with cyber incident sharing. Indeed, our work has only just begun. Even still, we can’t help but be encouraged about the convergence of policy and emerging technology.
2015 may be the year we finally break down the barriers to effective cyber incident collaboration, and begin building and arming our team of good guys to beat back the hackers.