Momentum Builds for Cyber Threat Information-Sharing

By Roy Maurer Apr 10, 2015

Backers of a cyber threat information-sharing bill in the U.S. Senate argue that it will help limit the impact of destructive cyberattacks on the nation’s private sector.

The Cybersecurity Information Sharing Act (CISA) was passed by the Senate Intelligence Committee on March 12, 2015.

“I think we might have minimized what happened at Anthem, we might have minimized what happened at Home Depot” if the legislation had been law, said Sen. Richard Burr, R-N.C., chairman of the committee. The 2014 malware attack on Home Depot resulted in the exposure of 56 million credit and debit cards, and health insurer Anthem announced in February 2015 that hackers had broken into a database containing the personal health information of nearly 80 million people. “But certainly we would have made sure that elsewhere in the industry, there wouldn’t have been a threat because federal government would have responded,” Burr said.

CISA would enhance cyber threat information-sharing between private-sector companies and government agencies by granting liability protections to companies offering their data.

Policy analysts have suggested that sharing information about data breaches with the government and other companies could be an effective and inexpensive part of improving the nation’s cybersecurity.

Firms presently share information on an ad hoc basis and through nonprofit organizations such as Information Sharing and Analysis Centers (ISACs) that analyze and disseminate information.

But many companies do not share information because of perceived legal risks, such as violating privacy or antitrust laws, and the fear that sharing information will benefit their competitors, according to N. Eric Weiss, a specialist in financial economics policy at the Congressional Research Service.

“A firm that has been attacked might prefer to keep such information private out of a worry that its sales or stock price will fall. Further, there are no existing mechanisms to reward firms for sharing information. Their competitors can take advantage of the information, but not contribute in turn. Because firms are reluctant to share information, other firms suffer from vulnerabilities that could be corrected,” Weiss said.

A recent study showed that a little over one-third of companies actually share data. The third annual Information Security Survey, conducted by Blue Lava Consulting, found that while 36 percent of respondents share information with industry groups, 50 percent of respondents don’t share any information.

To alleviate privacy concerns, CISA would not allow electronic, real-time sharing with intelligence agencies. Companies wishing to exchange cyber threat data would have to go through a Department of Homeland Security (DHS) portal. President Barack Obama has identified information-sharing as a key priority, and his own cyber information-sharing proposal placed the DHS at the center of nearly all public-private threat data exchange. The bill also has a provision to filter personally identifiable information out of shared data, but privacy advocates say it doesn’t go far enough.

The committee plans to bring the bill to the Senate floor for a vote by the end of April.

The House of Representatives is also preparing bills on enhancing cyber threat information-sharing, generating momentum for major cybersecurity legislation this year. Cybersecurity is viewed by both parties as a policy area with bipartisan potential and the recent high-profile data breaches have made the issue a top priority.

Matthew Eggers, a cybersecurity policy leader at the U.S. Chamber of Commerce, testified March 4, 2015, before a House Homeland Security subcommittee that the Senate bill should attract strong industry support.

CISA “offers strong protections and flexible avenues for sharing with public and private entities,” and strikes a balance between privacy demands and industry’s need for strong liability protection, Eggers said.

The Value of Sharing

Sharing more information could reduce information asymmetries, increase the size and quality of the cybersecurity products market, and make cyberspace more secure, said Weiss. “Sharing more information could also reduce duplication of effort, making dollars spent on cybersecurity more effective,” he said.

Weiss explained that the advantages of information-sharing are likely to be greatest when organizations are using similar technologies. “For example, learning about a weakness in an operating system or application software has the most value to an organization using that operating system or application. It might provide a lesson to those using other software, but it is less likely to be directly applicable,” he said.

Concerns with sharing include erroneous information that leads to new security holes, and information overload that erodes the capacity to pay attention to important alerts. ISACs can help to mitigate this problem by analyzing information and sorting out what is relevant to subsets of their members, said Weiss.

Roy Maurer is an online editor/manager for SHRM.
