This is the second post in a multi-part series. The first post is here.
Information sharing is one major aspect of the current calls for action on National Cyber Security issues. As I noted earlier, lawyers, company executives, government officials and others have differing views on the need for new laws regarding information sharing. Information sharing has been discussed in the context of the intelligence failures pre-9/11, in the context of corporate liability, and with respect to privacy breaches. Considering the call for action from the President and others, here are several aspects of information sharing we all need to consider.
We should consider mandating sharing for governments and corporations. There are calls to authorize, enable or force more sharing from the government to private sector corporations and organizations that need the information. While the government is arguably sharing more than ever, there are still issues of classification, usefulness and volume. In intelligence jargon, corporations need actionable intelligence. While the government can declassify data, or temporarily issue clearances as part of its sharing efforts, measuring how much information is actually being shared remains difficult. Measuring actionability of that shared data is even harder.
Government needs to measure what they are sharing, and evaluate the value of that sharing on a regular and periodic basis. Since there is still a broad perception that the government doesn’t share enough, perhaps additional legal tools and mechanisms are needed. Commercial threat intelligence has started to close some of the delta between what government knows and what corporations understand.
Corporations also face changes in mandated sharing. Since California SB1386 became law in 2002, states and corporations have been reviewing mandatory breach notification requirements to government and customers. The President has proposed a national breach law which would set a single national standard (instead of the varying state standards currently in place) requiring notification within 30 days of discovering the breach. Privacy advocates are concerned this could weaken state laws which have stricter requirements. Others are concerned with the ability of organizations to meet even a 30-day requirement. Statistics and anecdotes show that companies range from taking an average of 19 days to become aware of a breach, to becoming aware of a breach months later when an external company comes calling. Legislation can overcome these concerns by clearly defining discovery and escalating penalties as the time from breach detection to notification increases.
Proposals also aim to protect corporations and executives who share information from certain kinds of liability. Lawyers rightly worry that sharing could lead to customer lawsuits, shareholder lawsuits, and criminal penalties for companies that failed to protect information and systems from attack. Organizations often engage their attorneys throughout an investigation to limit and manage the flow of information around breach and recovery efforts. Protecting some of the sharing associated with investigating and recovering from attacks could increase the broader understanding of attacks. This increased knowledge base would help the community to better manage risk, and prevent attackers from reusing the same methods as they move from target to target.
Increased sharing among members of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and other sector ISACs demonstrates the value of such sharing.
Specific sharing proposals and details matter, but increased sharing from the government, consistent rules for corporate reporting, and appropriately protecting sharing to reduce risk across the broader community are worthy goals. We need to stay engaged.