U.S. companies are struggling to find value in sharing cyberthreat information with the government—even as the Department of Homeland Security continues to promote its program, cybersecurity pros and former DHS officials told Bloomberg BNA.
Without stronger incentives, such as better liability protection for companies that share cyberthreat data, the DHS program is unlikely to significantly expand. Companies aren’t going to “give vulnerabilities away” without getting anything in return, Paul Rosenzweig, former deputy assistant secretary for policy at DHS and visiting fellow at The Heritage Foundation, told Bloomberg BNA.
The cyberthreat sharing program, enacted as part of the 2015 Cybersecurity Information Sharing Act (CISA) and operated out of the department’s U.S. Computer Emergency Readiness Team (US-CERT) division, aims to bridge the information gap between the federal government and the private sector.
DHS officials have recently advocated for more companies to join the program, specifically saying that too many companies take cyberthreat intelligence data from the government without sharing their own threat indicators.
DHS Acting Secretary Elaine Duke said at an Oct. 4 U.S. Chamber of Commerce cybersecurity event that companies need to view cyberthreat sharing as “herd immunity,” where sharing cyberthreat information not only helps one company but the whole industry.
CISA provides some liability immunity to organizations that share threat information with the government through proper protocols. However, beyond the limited liability protections, companies need to see a value, such as more actionable threat intelligence data and increased incentives, before joining the program, cybersecurity pros said.
Jamil N. Jaffer, director of the National Security Law & Privacy Program at the Antonin Scalia Law School at George Mason University, told Bloomberg BNA that the government must “pivot from the policy discussions to effectuating these goals.”
Companies would likely be more willing to share their cyberthreat indicators directly with the government “if they are assured they aren’t going to be regulated” based on what they share, said Jaffer, who served as senior counsel to the House Intelligence Committee and as associate counsel handling intelligence matters for former President George W. Bush.
Because the government—and especially the DHS—has “historically discussed their interest in regulating” cybersecurity, some companies hesitate to share sensitive cyberthreat information, he said.
Some 129 government agencies and private sector companies have used the DHS’ cyberthreat information sharing system, DHS Assistant Secretary for the Office of Cybersecurity and Communications Jeanette Manfra told a House committee Oct. 3. Some private sector data-sharing groups also send threat data to DHS, she said.
More companies use private sector information sharing groups to share threat data directly with their industry partners. Private-to-private sharing “is a fair trade” because if a company doesn’t contribute, other members will kick them out of the group, Rosenzweig, founder of Red Branch Consulting, said. By contrast, the only thing the government can do is offer companies incentives such as subsidies or contract procurement preferences to take part, he said.
Companies thinking about joining the DHS’ cyberthreat sharing program may gain a reputational boost by being ahead of the curve in cybersecurity protections, the cybersecurity pros said. But they may need some convincing to buy into that proposition.
To that end, the DHS should provide case studies where successes are highlighted and demonstrate how actionable threat data was used to prevent a cybersecurity incident, Megan Stifel, former director for international cyber policy in the National Security Council at the White House and a former attorney in the National Security Division at the Department of Justice, told Bloomberg BNA.
If the government can identify “success stories and talk about the type of information shared and safeguards around privacy,” more companies may be willing to join, Stifel, founder of Silicon Harbor Consultants and nonresident senior fellow with the Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security, said.
DHS could also potentially promote the program by creating a private-public certification designation similar to what’s offered by the U.S. Green Building Council’s Leadership in Energy and Environmental Design (LEED) certification for environmentally responsible, resource-efficient structures.
If companies could get something akin to that designation for cybersecurity, in return for sharing threat data, they could get the word out to consumers that they offer higher levels of cybersecurity protection, Stifel and Rosenzweig said.
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.