Channel: Shane Tews – AEI

Congress can help American companies better protect themselves against cyber attacks


The drumbeat of high-profile corporate cyber-incidents shows no sign of slowing down. Target, Anthem, JPMorgan Chase, Sony Pictures…the list goes on. There is an array of perpetrators of these cyber attacks, including state-sponsored actors, elements of organized crime, and other sophisticated cyber-criminals, and the threat they pose to American companies has become painfully apparent. It’s no secret that securing American enterprise networks and electronic information systems will require cooperation within and between the private and public sectors. To its credit, Congress is currently taking a hard look at how legislation can enable cyber threat information sharing that will help level the playing field for American companies as they defend themselves against cyber attacks.

Bills under consideration in both the House and Senate aim to promote robust and timely sharing of cyber threat indicators within the private sector and with the federal government. The legislation enhances the private sector’s ability to manage and protect networks against cyber attacks by authorizing companies to monitor their networks and deploy defensive measures against threats. It creates a voluntary framework for companies to share threat information with each other and with the Department of Homeland Security. Companies that choose to participate and share cyber threat information receive expanded liability protections for doing so. Liability protections are a challenging but critical part of any information sharing framework. There is widespread agreement that our cyber defense posture could be greatly strengthened by effective information sharing, but sharing has to occur quickly and efficiently.

Information security professionals need to know about new threats in a timely manner to protect themselves effectively. The amount of time it takes to share critical information about a threat could be the difference between deterring or mitigating an attack and watching it proliferate. Businesses that run networks face fluid, real-time cyber attacks that need immediate action. Expanding liability protections to companies that choose to participate in information sharing ensures that information that could be key in stopping the next big attack is not slowed by fear of tort claims and class-action lawsuits. The defense of American corporate networks should be driven by technologists and network engineers, not by litigation-averse general counsel.

Timeliness is of even more importance when considering the tactics favored by today’s cutting-edge hackers. For example, botnet operators use the networks of third-party devices like personal computers and mobile phones to perpetrate their attacks on company networks. This strategy allows them to camouflage the source of the incursion under the watchful eyes of information security professionals. Their most recent attacks have also involved hacking into small businesses and using them as entry points into larger corporate networks due to the former’s lower levels of security. For example, the entry point for the Target hack was through a heating and air conditioning subcontractor. As attackers’ methods get more complex, it will take more time to respond to attacks. Networks are also expanding in new ways via cloud computing, mobile access and the Internet of Things. As the complexity of networks increases in this way, botnet masters will have more time to inflict additional damage before they are discovered.

The fundamental purpose of information sharing legislation is to reduce liability risks, encourage beneficial conduct, safeguard the networks American companies and consumers use and ultimately strengthen America’s cyber readiness. With the focus on the speed of sharing and expanded liability protections, the point must still be made that cyber threat information consists of things like IP addresses, lines of malicious code and network traffic data – not the personally identifiable information of a company’s customers. There needs to be a clear understanding that information sharing is about stopping computer-based crime, not invading an individual’s personal life. Uncertainty regarding the exact nature of information sharing and what it entails has kept us in this debate for too long. The current congressional legislation is a good first step towards providing American businesses with the tools to defend themselves from cyber attacks. Without clear liability protections for sharing information and executing defensive measures, the harmful and counterproductive overhang of liability risk will continue to hinder American cybersecurity efforts.

