BreachExchange mailing list archives

Getting Serious about Information Sharing for Cybersecurity


From: Jake <jake () riskbasedsecurity com>
Date: Mon, 14 Apr 2014 22:26:29 -0400

http://www.whitehouse.gov/blog/2014/04/10/getting-serious-about-information-sharing-cybersecurity

Our cybersecurity in large part depends on the strength of the weakest part
of a network.  So, it is critical that the private sector, federal, state
and local governments, and communities work together to build up our cyber
security. Today’s announcement by the Department of Justice and the Federal
Trade Commission that they have issued guidance to clarify that
cybersecurity information can be shared with competitors without violating
antitrust law – long a perceived barrier to effective cybersecurity – is so
important. These two agencies, together charged with enforcing our
antitrust laws, have made clear today that they do not believe “that
antitrust is – or should be – a roadblock to legitimate cybersecurity
information sharing.”

We know sharing threat information is critical to effective cybersecurity.
Indeed, reducing barriers to information sharing is a key element of this
Administration’s strategy to improve the nation’s cybersecurity, and we are
aggressively pursuing these efforts through both executive action and
legislation.  Today’s announcement makes clear that when companies identify
a threat, they can share information on that threat with other companies
and help thwart an attacker’s plans across an entire industry.

We know many companies are already sharing information on cyber threats
with each other and with the government through programs that preserve the
privacy of Americans, maintain appropriate constraints on government access
to private information, and do not lead to anti-competitive practices.

For example, during the denial-of-service attacks that targeted the
websites of many leading U.S. banks over the last few years, the Financial
Services Information Sharing and Analysis Center brought these banks
together to exchange information with each other and with the Federal
government.  That information helped companies manage the attacks.

Non-profit information sharing organizations such as Boston’s Advanced
Cybersecurity Center, the Bay Area Security Council, and ChicagoFirst have
shown value in building smaller trust networks across sectors in
metropolitan areas. And many for-profit information sharing organizations
are also stepping into the game.

We will continue to work with our partners in industry to encourage the
development of a network of information sharing partnerships and to
identify actions we can take to further reduce barriers to information
sharing.

While the Administration works to expand the sharing of cybersecurity
information through executive action, we will work with Congress to
carefully update laws to further facilitate cybersecurity information
sharing while preserving the rights of individuals. We can and should
increase information sharing while working in partnership with companies
and organizations to secure their networks and protecting the privacy of
their customers.

We also will continue to work to address the concerns our private sector
partners have raised that the government should share more of its own
information, so that companies could better protect themselves.

Last year, the President’s Executive Order on Improving Critical
Infrastructure Cybersecurity opened up a Defense Department program created
to protect the defense sector to companies across all 16 critical
infrastructure sectors of the economy. The program, Enhanced Cybersecurity
Services, gives participating commercial security providers access to the
classified signatures that are used to protect the government’s own
networks.

The President also required federal agencies to promptly notify victims or
targets of malicious cyber activity. We have already made thousands of such
notifications. And we are working to increase the volume, timeliness, and
utility of the information we share.

Our goal is for the government to be a reliable information sharing
partner, but only one of many. Companies that are targeted by criminals and
nation state actors should establish information sharing channels with the
National Cybersecurity & Communications Integration Center at the
Department of Homeland Security, law enforcement agencies such as the FBI
and Secret Service, and with other relevant agencies; however, they should
also build information sharing relationships with private sector partners
and organizations.

In today’s networked world, a cyber threat to one is really a cyber threat
to all. This is why steps such as today’s announcement by the Department of
Justice and the Federal Trade Commission that can encourage more
information sharing are key to building up our collective cybersecurity.
Companies should assess whether the remaining risks they perceive for
engaging in legitimate information sharing are greater than those they face
for failing to protect their customer data, their intellectual property,
and their business operations from the growing cyber threats to them.

--
Chief Information Security Officer
Risk Based Security
804-482-1337 / 855-RBS-RISK
jake () riskbasedsecurity com
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/