Private Sector Cooperation in Cyber Threat Intelligence

Posted on by Rita Heimes

Devices provide imperfect information security protection, even if they are considered acceptable for purposes of satisfying a legal obligation to follow industry security standards. An advanced warning system that predicts the likelihood of cyber attack may ultimately be more effective and less costly if well designed and executed.

Private organizations have tremendous technical capacity to inspect and analyze online traffic and potentially to predict vulnerabilities and threats. 

The White House is discussing plans for a Cyber Threat Intelligence Integration Center (CTIIC) within the office of the Director of National Intelligence. Those who applaud this move also caution that the CTIIC’s effectiveness will be limited if cyber threat data isn’t gathered and analyzed in collaboration with the private sector.

In an essay to Lawfare, Steve Slick describes the role of the CTIIC and limitations on its effectiveness: “The Internet’s basic design allows actors to conceal their identities, or even attribute their actions to others. IC collection of cyber threat data is structurally limited to the extent it excludes the large body of relevant information that Americans, U.S. businesses, and other private organizations choose not to volunteer to the government.”

On Thursday, April 23, a panel comprised of Joe Burton, Mark Silvestri, Jon Stanley and me, moderated by Bill Rogers, will explore the technical, legal and ethical issues raised by private sector cooperation in cyber threat analysis and prediction. Our legal track panel at RSA Conference explores the potential for the private sector to contribute meaningfully to the national effort to detect and thwart cyber attack before it happens.

  • Assuming the detection capacity and threat analytics are already sufficiently developed by these players, will they share information with government agencies like CTIIC and under what circumstances should they be compelled to do so? 
  • What are the legal restrictions currently preventing such sharing?
  • If there are none, and refusals to cooperate are merely on the basis of perceived consumer concerns, should those be removed through Terms of Use or other contractual arrangements with users? 
  • Even in light of the players’ ability to amend Terms of Use to allow for pervasive monitoring and sharing, what are the ethical reasons for them not to cooperate?
  • How will data accuracy and accountability concerns affect the ethical analysis and the liability concerns, for both those who may rely on the threat predictions as well as those conducting them?
  • Can or should the government compel cooperation for national security reasons? What regulatory safe harbors would be appropriate in such circumstances?

RSA Conference participants are invited to join the discussion on April 23 in Room 2007 Moscone West and anticipate the next legal frontier in cyber security.

Rita Heimes

General Counsel and Privacy Officer, IAPP
