BreachExchange mailing list archives

Corporate cyber security: Sharing is caring


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Feb 2015 19:07:13 -0700

http://www.infoworld.com/article/2877206/government/corporate-cyber-security-sharing-is-caring.html

Cyber security may finally be a unanimous, bipartisan national priority.
Proposals in Washington appear to be gaining steam, fueled by last year’s
unprecedented hack of Sony Pictures, which exposed proprietary information,
leaked embarrassing emails, and slowed the company's operations to a crawl.
That attack, along with high-profile credit card breaches at Target, Home
Depot, and JP Morgan, has pushed policymakers to the point wher

In his State of the Union speech last week, President Obama noted that if
we don't take action on cyber security, we'll “leave our nation and our
economy vulnerable.”

Yet despite persistent media attention, hearings and much debate on Capitol
Hill over the last several years, Congress has not been able to pass
legislation to help protect America against the growing wave of cyber
attacks. For the sake of citizens and business leaders across the country,
Congress and the president should work together to accomplish this critical
bipartisan objective.

The 2014 congressional legislation -- revived by the president’s call to
action -- is a great place to start. Most importantly, the proposals
provide businesses with appropriate liability protection in order to
incentivize critical information sharing on cyber threats. And when it
comes to cyber attacks, there is no question that information is power.

In fact, information sharing on known cyber threats and vulnerabilities is
the most critical component of preventing and mitigating attacks. When a
company detects a breach, a crucial next step is to let other companies and
government agencies know about it immediately. If one company is under
attack, it is likely that other enterprises and institutions are also
vulnerable. But without timely warnings, organizations have no ability to
prepare their own defenses and team up to prevent the spread of attacks.

For the most part, companies are good at working with each other, with law
enforcement and with industry-specific private-sector information-sharing
and analysis centers. But the system doesn’t always work because companies
face legal risks when they reveal or share cyber threat information.
Targeted and appropriate liability immunity would give companies an
incentive to reveal vulnerabilities and threats. With the administration
now offering strong support for such a proposal, this should be acted on
during this session.

Sharing cyber threat information is not spying. This legislation would not
allow companies to snoop on their customers or the public and then report
questionable or illegal behavior to law enforcement or national security
agencies. Instead, companies would simply be encouraged to monitor their
computer networks and report technical threats and vulnerabilities.

A second way that the president’s proposed legislation improves cyber
security is by making sure that hacked companies let the public, government
agencies and the affected parties know when a data breach occurs. Keeping
data breaches a secret prevents those whose information has been
compromised from taking steps to protect themselves. Potential victims of
identity theft can put an alert on their credit files or monitor their
accounts more carefully -- but only if they know there’s a problem. When it
comes to cyber threats, what we don’t know can be extremely dangerous.

Data-breach disclosure is widely accepted as the right thing to do, but it
is currently enforced through a patchwork quilt of 46 state laws with
conflicting notification requirements. One state says to notify victims
immediately, some states require approval from law enforcement before
notification, and other states have slightly different triggers for
notification.

Data breaches are rarely limited to one jurisdiction, so why should
data-breach notification requirements vary from state to state? A
definitive national standard for data-breach notification is a common sense
way to improve security.

With all of this, finding the right balance is essential. Enhanced
monitoring and communication are critical to protecting our economy and
personal data, but lawmakers must avoid policies aimed at penalizing
companies that fall victim to a cyber attack.

If there is a clear theme among recent high-profile data breaches, it is
that every company that experiences a cyber attack suffers financial harm.
After all, companies that suffer information security breaches are victims,
not perpetrators.

Forcing companies to adhere to government-ordered security mandates,
enforced through fines and criminal penalties, is no way to make progress.
Such regulations will only encourage a culture of compliance, in which
companies seek to avoid legal liability rather than aggressively pursuing
innovative new ways to keep their systems safe.

Data-driven technologies are becoming increasingly prevalent, and without
effective laws in place to encourage much-needed communication and
cooperation, our economy and personal data will only grow more vulnerable.
The president’s proposals directly address this need, and the time to act
on them is now.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/