High profile data breaches seem to occur in an almost predictable cadence and no industry is immune. This has frustrated organizations who want to believe their security is strong enough to keep them from experiencing the bottom-line-bashing data theft they see in the headlines. The fact that the majority of both business and government functions have gone digital opens up doomsday scenarios of which government agencies, from state and local up to the federal level, are well aware.
Another factor that should be cause for alarm is that some of these breaches are generated using malware that’s been around for a while. For instance, reports at the time allege the Home Depot and Target data breaches were caused by variants of the same malware. This goes a long way in validating that organizations aren’t sharing threat information, which is the issue behind some recent legislation, The Cyber Security Information Sharing Act (CISA). The new law is designed to incentivize private industry to share cyber threat information with the Department of Homeland Security (DHS). The incentives for participating include ensuring liability protecting any trade secrets of businesses that choose to participate.
The information being sought includes security vulnerabilities, malware code, damages from past breaches, and the steps the organization took to mitigate known or unknown threats.
While a move to more information sharing as a way to increase cybersecurity seems like a good idea, a recent article in Forbes Magazine entitled, Big Decision Time for Business As Cyber Security And Privacy Collide Again, points out a couple of reasons businesses might resist participation.
- Proponents of the law can’t point to a single data breach that this legislation would have prevented, begging the question, why do we need this law?
- Business may be concerned that the information they provide to DHS could be given to NSA, the agency whose history displays a decided lack of concern for privacy rights.
- Companies may feel compelled to ignore these concerns because not participating in the CISA sharing programs may deprive them of critical threat information they need.
As the Forbes writer points out, making the sharing of threat information a law, is a small but critical step in supporting an atmosphere of intelligence sharing that will benefit everyone in the long run. He also points out that businesses in some industries are already sharing this sort of information which is encouraging. Each of these steps represents an advancement in the war on cyber threats in which we all participate, whether we know it or not. Any action that moves us forward, no matter how small, should be welcomed.