by Mark MacCarthy

Corporate cyber security: Sharing is caring

Feb 03, 20154 mins

Cyber security may finally be a unanimous, bipartisan national priority, but lawmakers should focus on information sharing, not security mandates

north korea interview
Credit: Kevork Djansezian/Reuters

Cyber security may finally be a unanimous, bipartisan national priority. Proposals in Washington appear to be gaining steam, fueled by last year’s unprecedented hack of Sony Pictures, which exposed proprietary information, leaked embarrassing emails, and slowed the company’s operations to a crawl. That attack, along with high-profile credit card breaches at Target, Home Depot, and JP Morgan, have pushed policymakers to the point where meaningful action is possible.

In his State of the Union speech last week, President Obama noted that if we don’t take action on cyber security, we’ll “leave our nation and our economy vulnerable.”

Yet despite persistent media attention, hearings and much debate on Capitol Hill over the last several years, Congress has not been able to pass legislation to help protect America against the growing wave of cyber attacks. For the sake of citizens and business leaders across the country, Congress and the president should work together to accomplish this critical bipartisan objective.

The 2014 congressional legislation — revived by the president’s call to action — is a great place to start. Most importantly, the proposals provide businesses with appropriate liability protection in order to incentivize critical information sharing on cyber threats. And when it comes to cyber attacks, there is no question that information is power.

In fact, information sharing on known cyber threats and vulnerabilities is the most critical component to prevent and mitigate attacks. When a company detects a breach, a crucial next step is to immediately let other companies and government agencies know about it right away. If one company is under attack, it is likely that other enterprises and institutions are also vulnerable. But without timely warnings, organizations have no ability to prepare their own defenses and team up to prevent the spread of attacks.

For the most part, companies are good at working with each other, with law enforcement and with industry-specific private-sector information-sharing and analysis centers. But the system doesn’t always work because companies face legal risks when they reveal or share cyber threat information. Targeted and appropriate liability immunity would provide an incentive to companies to reveal vulnerabilities and threats. With the administration now offering strong support for such a proposal, this should be acted on during this session.

Sharing cyber threat information is not spying. This legislation would not allow companies to snoop on their customers or the public and then report questionable or illegal behavior to law enforcement or national security agencies. Instead, companies would simply be encouraged to monitor their computer networks and report technical threats and vulnerabilities.

A second way that the president’s proposed legislation improves cyber security is by making sure that hacked companies let the public, government agencies and the affected parties know when a data breach occurs. Keeping data breaches a secret prevents those whose information has been compromised from taking steps to protect themselves. Potential victims of identity theft can put an alert on their credit files or monitor their accounts more carefully — but only if they know there’s a problem. When it comes to cyber threats, what we don’t know can be extremely dangerous.

Data-breach disclosure is widely accepted as the right thing to do, but it is currently enforced through a patchwork quilt of 46 state laws with conflicting notification requirements. One state says to notify victims immediately, some states require approval from law enforcement before notification, and other states have slightly different triggers for notification.

Data breaches are rarely limited to one jurisdiction, so why should data-breach notification requirements vary from state to state? A definitive national standard for data-breach notification is a common sense way to improve security.

With all of this, finding the right balance is essential. Enhanced monitoring and communication are critical to protecting our economy and personal data, but lawmakers must avoid policies aimed at penalizing companies that fall victim to a cyber attack.

If there is a clear theme among recent high-profile data breaches, it is that every company that experiences a cyber attack suffers financial harm. After all, companies that suffer information security breaches are victims, not perpetrators.

Forcing companies to adhere to government-ordered security mandates, enforced through fines and criminal penalties, is no way to make progress. Such regulations will only encourage a culture of compliance, in which companies seek to avoid legal liability rather than aggressively pursuing innovative new ways to keep their systems safe.

Data-driven technologies are becoming increasingly prevalent, and without effective laws in place to encourage much-needed communication and cooperation, our economy and personal data will only grow more vulnerable. The president’s proposals directly address this need, and the time to act on them is now.