Boosted by the U.S. House of Representatives considering — and ultimately passing — two separate cyber threat information-sharing bills last week, information sharing was top of mind for many attendees at the RSA Conference held the same week.
Having waited patiently for years as Washington debated the particulars of a complex issue, RSAC speakers had a lot of feelings about what information sharing means to the security world now that it's so close to becoming legislated practice. During a Tuesday panel discussion on cyberlegislation, before the House had voted on either of its bills, there was a sense the issue was finally making some progress.
"The time is ripe now for information legislation to pass," said Sarah Beth Groshart, director of government affairs and legislative counsel for the Information Technology Industry Council, a non-profit trade group representing the technology industry. Groshart expects the Senate to consider its own bill in a couple of weeks, and then merge that with what it receives from the House, with a combined bill eventually being presented to President Obama to sign.
Whatever legislation emerges from the process will reinforce what already has been taking hold with many of the world's largest companies, many of which have established cooperative arrangements within their own industries.
"Information sharing seems like a no-brainer. The value proposition is understood to be for the collective good," said Tom Bossert, president of risk consultancy Civil Defense Solutions and former deputy assistant for Homeland Security under President George W. Bush. "Even without legislation, companies are clearly seeing a value to sharing information."
One of the most successful cyber information-sharing efforts has been in place in the financial services industry since 1999. The Financial Services Information Sharing and Analysis Center was formed to help the industry better prepare for, defend against and respond to cyber and physical threats. It has since become a model that some feel should be duplicated as soon as possible to protect telecommunications networks, the electrical grid, and other critical pieces of our infrastructure.
"We need to spread that goodness out to other industries," said Tom Cocoran, who recently became head of cyber threat analysis at Zurich Insurance Group after more than a decade as a Congressional policy advisor.
During a separate panel discussion on navigating a cyber-crisis, however, speakers were much more skeptical about information sharing.
Dave Baumgartner, VP of cyber security at Target, said legislated information sharing will likely lead to struggles as companies try to figure out how to apply the data they receive to their own businesses. "The challenge is making it actionable," said Baumgartner. "In actually applying it to your environment, it's very difficult to get at the context."
Meanwhile, Patrick Gorman, chief security officer at investment management firm Bridgeway Associates, said he's not convinced legislated information sharing will be a security industry game-changer. Gorman believes training exercises such as "war gaming," in which security staff repeatedly try to hack into their employers' network, applications and data, are more effective, and that forced information sharing in the private sector will only do so much. "I think there's a larger public-private cooperation that needs to happen," he said.
Bossert agreed that the intense distrust of the government in the wake of the Snowden revelations and subsequent disclosures about the scope of the NSA's intelligence gathering efforts has made private-public cooperation a vital component of the information sharing discussion. And "right now," he said, "there's not a legal framework for that discussion to occur."
But, said Bossert, given how hard it has been to craft legislation that satisfies enough of the stakeholders, some progress is better than none, and he therefore welcomes any movement on the legislative front.
"We could end up with a good bill that moves the ball forward," he said.