Approach cyber info-sharing with caution
The ability of cybersecurity legislation to satisfy the interests of both the private sector and the government remains elusive as long as there continue to be questions around privacy and the inherent value of a cyber information-sharing bill.
The Cybersecurity Act of 2015, being voted on as part of the omnibus spending bill, is the culmination of three cyber bills passed by the Senate and the House of Representatives. While the government should be applauded for its determination to pass important cybersecurity legislation, businesses would be wise to proceed cautiously when considering whether to participate. It remains unclear what exactly will be defined as threat indicators, how information will be distributed among government agencies, and whether the privacy of citizens – in this case, the all-important customers of participating businesses – will be maintained.
The bill promises companies the ability to share cyber threat and breach information with the government in real time, with liability protection for doing so. The decision to take part should be based on risk tolerance and resources. Some companies may wish to understand whether their risk exposure will decrease or increase before engaging. All must calculate the potential return on investment, asking whether information sharing will provide useful preventative insight given the resources needed to participate. For a small business, the time and resources required may be overly burdensome; for a large entity with its own cyber team, the shared information may add little to what that team already has.
Hampering potential value are the operational risks of the government, such as delays and partisan disagreements. Government institutions simply operate at a slower pace, running counter to the need for speed in assessing and responding to cyber threats.
Adding to this is the fact that while government may provide helpful post-incident support, that support may not translate into the preventative intelligence needed to deter an adversary or stop an attack or breach before it occurs. The methodologies and tradecraft of malicious actors are constantly evolving. Businesses should therefore not presume that indicators and information from previous attacks will be a bellwether of future threats.
In a dynamic threat environment, what links past victimhood to the likelihood of a future attack is not the earlier incident itself but whether a company's holistic cyber security posture has been hardened since, and to what extent its existing defenses remain readily exploitable. If you leave your doors unlocked and your windows down, someone will come in eventually. But don't assume that participation in CISA, the Cybersecurity Information Sharing Act that forms the information-sharing portion of the bill, is tantamount to rolling up the windows.
For those not willing to be a pioneer in government-industry information transfer, know that the private sector has resources available, such as the Information Sharing and Analysis Centers (ISACs), through which member companies in a sector trade threat information among themselves. Reports suggest the global private sector spends roughly twice as large a share of its total budget on IT as the US government does. Industry is therefore best positioned to lead cybersecurity research, threat intelligence gathering, and information sharing.
The government should be commended for enabling private-public dialogue on cybersecurity. However, there remain tangible and intangible costs to the sharing of threat indicators and individuals’ private information. Businesses should proceed cautiously and not expect this legislation or partnership with the government to be a panacea. Remember, good cybersecurity is a matter of constantly evaluating risk, ensuring a mature cybersecurity culture, and having a plan in place to get back to business as soon as possible if an attack or breach does occur.
Doherty is president of TSC Advantage, an enterprise threat consultancy supporting Fortune 500 companies and the public sector.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.