Cyber Attacks an Inconvenient Truth – Now What?
March 12, 2015
by Lloyd McCoy Jr., Consultant
The time-honored debate over cyber information sharing has picked up steam in the last few months, with recent high-profile attacks on companies and government agencies, including Sony, Target, Home Depot, OPM, and DOD (just to name a few). Congress and the President are renewing calls to improve, or create from scratch, ways industry and government can work together to limit these threats. The consensus is that effective and damaging hacks are the new normal. Where there hasn’t been agreement is what to do about it. Efforts from lawmakers suggest some form of legislation could be in the works.
Over the next few weeks we will see hearings and debate over several legislative bills, from both sides of the fence, all aimed at enhancing information sharing between industry and government. Both the resurrected Cyber Intelligence Sharing and Protection Act (CISPA) and the Cybersecurity Information Sharing Act (CISA) bills would enable information sharing while offering liability protection. An upcoming bill from the Senate Homeland Security Committee would make the Department of Homeland Security the broker for information sharing, an expansion of the work it is already doing with commercial critical infrastructure providers.
Meanwhile, the White House issued an Executive Order last month, directing agencies to come up with broad cybersecurity standards and urging companies to embrace these standards. The Administration also created a Cyber Threat Intelligence Integration Center (CTIIC), which increases information sharing within the government, but would certainly be involved in any industry-government partnerships.
There’s obviously no guarantee any of these particular measures will pass or be successful, but we are seeing strong momentum toward some agreement on an information sharing framework. So what does this mean for industry? Well, for one, legislation could make information sharing mandatory, meaning the government could have access to a company’s source code. Also, companies “opting out” of any voluntary agreement could be more vulnerable to litigation if a breach does occur. There are also issues and concerns related to privacy.
On the other hand, industry could benefit through targeted government investments resulting from the information sharing. Cybersecurity vendors are well-positioned to reap the benefits of this renewed urgency and focus on cyber threats. If you are a vendor selling a non-security-related product, demonstrate how security is baked into your product and the role it might play in protecting the environment or making it more secure. Furthermore, information sharing could yield clarity for both industry and government on best practices to address existing and emerging cyber threats.