April 16, 2015 By Andrew Lemke
Bill Blake
3 min read

Co-authored by Bill Blake

In response to the increased severity and frequency of cybersecurity incidents, policymakers in the United States are crafting legislative proposals to address areas in which the federal government and/or a revision of existing law could be helpful to organizations in this ongoing battle to protect networks. However, we must not relax by thinking any new laws will solve the problem entirely or that the federal government can or will be able to take care of resolving all cybersecurity problems. Yes, the White House assisted Sony Pictures Entertainment in 2014, but that was an extreme case. The government is not your ambulance. There is no emergency 911 cybersecurity phone number, and there likely never will be.

A few of the proposals presented so far include the following elements:

  • Voluntary sharing of cyberthreat data and liability protections associated with organizations willing to share with other organizations and the government;
  • A federal data breach notification standard to provide one methodology for how and when organizations need to notify consumers when an incident has occurred.

Cybersecurity Threat Sharing

IBM recently testified before Congress about new cybersecurity information sharing legislation, focusing on what is fundamental to any proposed bill: Namely, liability protections for sharing and receiving cyberthreat data, appropriate privacy protections — even though what is being shared is technical data, not personally identifiable information — and processes to share with the federal government.

IBM and its clients have seen firsthand the value that comes from the sharing of threat data since the company has been providing threat intelligence services to clients for more than a decade, proving that a single organization can benefit from the intelligence and analysis from a larger collaboration of threat intelligence. For instance, every customer benefits from other customers’ knowledge that a source IP address has been identified as a bad actor. Threat data sharing is a tool that will improve the overall ecosystem.

This idea was expressed in the recent executive order on cybersecurity, reading, “In order to address cyberthreats to public health and safety, national security and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies (agencies) and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.”

What Will Be Shared?

It is important to understand what is being asked here. Congress is not proposing that companies provide full access to all information they hold; rather, legislative proposals are asking them to voluntarily share information about suspicious activity and attacks. Factors such as the source IP, the types of systems targeted and the form of the attack — spear phishing, SQL injection, direct attack against a website, etc. — could help others identify and prevent a similar attack.

The casino industry has a good model to follow. Each individual casino monitors its floor for bad actors. Once one is identified and his or her method is discovered, that information is shared with almost all the other casinos in the United States and beyond. The goal is to make things more secure for the entire industry, not just one casino. In the same way, we need to make things safer for all businesses operating in some manner on the Internet, not just our own clients.

While information sharing legislation will only lay out a framework, it is an important tool for organizations. It may not provide active protections for enterprises, but it will encourage automated, real-time sharing of information, which is ultimately a good thing.

Again, though, new legislation is not a silver bullet, and we shouldn’t relax because legislation is on the way; if anything, we must be even more vigilant. The devil is in the details. JPMorgan Chase, for instance, has rapidly staffed up on cyberwarriors. Remember, while the success criteria for a cybercriminal is to get in 1 percent of the time, the success criteria for organizations is to get it right 100 percent of the time.

More from Government

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today