Federal Cybersecurity Legislation Is on the Way — But Don’t Relax

Co-authored by Bill Blake

In response to the increased severity and frequency of cybersecurity incidents, policymakers in the United States are crafting legislative proposals to address areas in which the federal government and/or a revision of existing law could be helpful to organizations in this ongoing battle to protect networks. However, we must not relax by thinking any new laws will solve the problem entirely or that the federal government can or will be able to take care of resolving all cybersecurity problems. Yes, the White House assisted Sony Pictures Entertainment in 2014, but that was an extreme case. The government is not your ambulance. There is no emergency 911 cybersecurity phone number, and there likely never will be.

A few of the proposals presented so far include the following elements:

  • Voluntary sharing of cyberthreat data and liability protections associated with organizations willing to share with other organizations and the government;
  • A federal data breach notification standard to provide one methodology for how and when organizations need to notify consumers when an incident has occurred.

Cybersecurity Threat Sharing

IBM recently testified before Congress about new cybersecurity information sharing legislation, focusing on what is fundamental to any proposed bill: Namely, liability protections for sharing and receiving cyberthreat data, appropriate privacy protections — even though what is being shared is technical data, not personally identifiable information — and processes to share with the federal government.

IBM and its clients have seen firsthand the value that comes from the sharing of threat data since the company has been providing threat intelligence services to clients for more than a decade, proving that a single organization can benefit from the intelligence and analysis from a larger collaboration of threat intelligence. For instance, every customer benefits from other customers’ knowledge that a source IP address has been identified as a bad actor. Threat data sharing is a tool that will improve the overall ecosystem.

This idea was expressed in the recent executive order on cybersecurity, reading, “In order to address cyberthreats to public health and safety, national security and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies (agencies) and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.”

What Will Be Shared?

It is important to understand what is being asked here. Congress is not proposing that companies provide full access to all information they hold; rather, legislative proposals are asking them to voluntarily share information about suspicious activity and attacks. Factors such as the source IP, the types of systems targeted and the form of the attack — spear phishing, SQL injection, direct attack against a website, etc. — could help others identify and prevent a similar attack.

The casino industry has a good model to follow. Each individual casino monitors its floor for bad actors. Once one is identified and his or her method is discovered, that information is shared with almost all the other casinos in the United States and beyond. The goal is to make things more secure for the entire industry, not just one casino. In the same way, we need to make things safer for all businesses operating in some manner on the Internet, not just our own clients.

While information sharing legislation will only lay out a framework, it is an important tool for organizations. It may not provide active protections for enterprises, but it will encourage automated, real-time sharing of information, which is ultimately a good thing.

Again, though, new legislation is not a silver bullet, and we shouldn’t relax because legislation is on the way; if anything, we must be even more vigilant. The devil is in the details. JPMorgan Chase, for instance, has rapidly staffed up on cyberwarriors. Remember, while the success criteria for a cybercriminal is to get in 1 percent of the time, the success criteria for organizations is to get it right 100 percent of the time.

Andrew Lemke

Security Strategist, IBM

Andrew Lemke has been involved with information security for 15 years in nearly every area knowledge domain. He is also...