All U.S. Companies Need to Share Cybersecurity Threat Data

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

U.S. companies large and small feeling the burn in the aftermath of a data breach are struggling to find resources to bolster their security systems, cybersecurity industry panelists said at a March 9 House Homeland Security Cybersecurity and Infrastructure Subcommittee hearing.

Cybercriminals usually don’t discriminate based on a company’s size, going after valuable personal data no matter the target. Companies of all sizes need to work with the government and private-sector partners to combat the growing cyberthreat in the U.S., even though many hesitate to share threat data, given the limited liability protection offered by the government.

Separate from the hearing, Rep. Steve Chabot (R-Ohio), the House Small Business Committee chairman, told Bloomberg BNA March 9 that small businesses feel post-data breach fallout more strongly than large companies “such as Ford Motor Corp., General Motors Co and General Electric Co.” Unlike large companies, nearly 60 percent of small businesses have to close shop after a data breach, which costs, on average, about $32,000 per attack, he said. That highlights the need for cybersecurity help at all levels of industry, Chabot said.

DHS Program

Many companies turn to the Department of Homeland Security’s cyberthreat information-sharing program implemented as part of the Cybersecurity Information Sharing Act (CISA). The law provides some limited liability immunity to companies that share threat information with the government through the proper protocols, though some say the protections don’t go far enough.

Scott Montgomery, vice president and chief technical strategist of Intel Security Group at Intel Corp., told Bloomberg BNA March 9 that one of the problems with the current cybersecurity information-sharing model is the lack of return on investment in light of the preparation needed to participate in the program. The “free-rider problem” needs to be addressed so the resource investment spent and corresponding cybersecurity threat information gleaned are comparable, he said.

Industry representatives and federal lawmakers are hopeful that President Donald Trump’s upcoming executive order on cybersecurity will address U.S. concerns.

Montgomery said he’s happy that reported drafts of the executive order have provoked discussion of cybersecurity issues. Chabot is hopeful that Trump’s executive order will help small businesses and said he’s willing to work with him going forward. Neither Montgomery nor Chabot would estimate when Trump’s planned cybersecurity executive order would be released.

Representatives from Symantec Corp., Palo Alto Networks Inc., the HITRUST Alliance and New America’s Open Technology Institute also testified at the hearing.

Small Businesses

No matter the size of the company hit with a cybersecurity incident, all need support from other private- sector companies, state-level cybersecurity programs and the federal government.

Chabot plans to discuss cybersecurity at a meeting with Small Businesses Administrator Linda McMahon in the coming weeks. “We need to make sure that resources at the federal level are reaching small businesses across the country,” he said.

However, there needs to be some hesitation before giving troves of cyberthreat data to small businesses—because they won’t know what to do with it. This is where the “big macro” tech and cybersecurity companies can step in to “help create an automated pathway to help propagate information to the lowest levels of technical wherewithal,” Montgomery said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.comTo contact the editor responsible for this story: Donald Aplin at

For More Information

Further information on the hearing, including prepared testimony, is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security