When we browse the web, shop online, or send emails and texts, we rarely think about the work and resources behind the scenes that protect the networks and information we rely on to connect and accomplish our daily tasks. Those networks are under constant attack from increasingly sophisticated cyber criminals, and voluntary cybersecurity threat information sharing is one tool currently used to protect sensitive data, networks, and control systems.
Entities that know about threats to their networks can better protect or defend against them, or simply know if an incident has occurred.
But obstacles exist to greater voluntary sharing. For example, even the most security-conscious businesses may decline or delay voluntary disclosure for fear of private or government lawsuits or regulatory actions. In other cases, the flow of actionable cyber threat information from the government to private sector entities does not occur quickly enough.
We appreciate policymakers' interest in enacting policies to address these obstacles, and ITI recommends that their proposals include the following key elements:
- Targeted liability protections. Cyber threat information voluntarily shared or received by a private entity should not be usable as the basis for private or government lawsuits or regulatory actions, and should not be subject to disclosure under the Freedom of Information Act (FOIA). Information voluntarily shared or received among private entities should also be exempt from U.S. antitrust laws, which can be achieved by codifying the April 2014 Department of Justice and Federal Trade Commission Antitrust Policy Statement on Sharing of Cybersecurity Information, which ITI supported.
- Improve multidirectional sharing. Private-to-private, private-to-government, and government-to-private sharing all help stakeholders protect and defend their networks. The federal government should continue its efforts to increase the volume, timeliness, and quality of cyber threat information shared with the private sector.
- Ensure cyber threat information sharing remains voluntary. Companies need the autonomy to decide what, and indeed whether, they share. A mandatory program would effectively be an unfunded mandate and would discourage the active, cooperative, collaborative atmosphere most conducive to a successful outcome.
- Include robust privacy protections. Useful threat information is technical in nature (e.g., malware indicators such as file hashes, malicious domains, and command-and-control addresses) and generally does not need to include personally identifiable information, which is neither relevant nor helpful for cybersecurity. However, we acknowledge concerns that personally identifiable information could be shared. Cybersecurity threat information sharing should go hand-in-hand with robust privacy protections. Useful protections include reasonable requirements that entities remove personally identifiable information before sharing, and that any recipients wishing to share the information further do the same, as well as limits restricting government use of information received from the private sector to key areas, namely cybersecurity purposes.
Many companies already make reasonable efforts to remove any personally identifiable information that may exist in cybersecurity threat indicators. Cyber threat information sharing policies with robust privacy protections would further support these practices.
Sharing is a tool, not an objective. It can help improve cybersecurity because entities that learn of a threat sooner can more quickly stem losses and protect their systems, partners, and customers. While no single cybersecurity activity is a silver bullet, the sooner appropriate stakeholders in government and the private sector have cyber threat information, the more quickly it can be used to help the public at large, including to address cyber crime.
ITI looks forward to working with policymakers to develop targeted policies that facilitate more robust voluntary cyber threat information sharing—and ultimately help to improve cybersecurity.