Co-authored by Bill Blake

In response to the increased severity and frequency of cybersecurity incidents, policymakers in the United States are crafting legislative proposals to address areas in which the federal government and/or a revision of existing law could be helpful to organizations in this ongoing battle to protect networks. However, we must not relax by thinking any new laws will solve the problem entirely or that the federal government can or will be able to take care of resolving all cybersecurity problems. Yes, the White House assisted Sony Pictures Entertainment in 2014, but that was an extreme case. The government is not your ambulance. There is no emergency 911 cybersecurity phone number, and there likely never will be.

A few of the proposals presented so far include the following elements:

  • Voluntary sharing of cyberthreat data, with liability protections for organizations willing to share with other organizations and the government;
  • A federal data breach notification standard providing one methodology for how and when organizations must notify consumers after an incident has occurred.

Cybersecurity Threat Sharing

IBM recently testified before Congress about new cybersecurity information sharing legislation, focusing on what is fundamental to any proposed bill: Namely, liability protections for sharing and receiving cyberthreat data, appropriate privacy protections — even though what is being shared is technical data, not personally identifiable information — and processes to share with the federal government.

IBM and its clients have seen firsthand the value of sharing threat data. The company has provided threat intelligence services to clients for more than a decade, which has shown that a single organization benefits from the intelligence and analysis of a larger collaboration. For instance, every customer benefits from other customers’ knowledge that a given source IP address has been identified as a bad actor. Threat data sharing is a tool that improves the overall ecosystem.

This idea was expressed in the recent executive order on cybersecurity, reading, “In order to address cyberthreats to public health and safety, national security and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies (agencies) and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.”

What Will Be Shared?

It is important to understand what is being asked here. Congress is not proposing that companies provide full access to all information they hold; rather, legislative proposals are asking them to voluntarily share information about suspicious activity and attacks. Factors such as the source IP, the types of systems targeted and the form of the attack — spear phishing, SQL injection, direct attack against a website, etc. — could help others identify and prevent a similar attack.
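To make the distinction concrete, here is an added example (not IBM’s code or any proposal’s format) of what a shareable record looks like: an allow-list keeps only the technical fields named above (source IP, targeted system type, attack form, time), drops personal data such as a victim’s e-mail, validates the IP, and then checks a partner’s shared indicator against local web-server log lines. Field names, the incident, and the log lines are all constructed for the example.

```python
import ipaddress
import re

# Technical fields the article says a sharing proposal would ask for.
# An allow-list (not a deny-list) is what keeps PII out of the shared record.
# Field names are assumptions for this example.
SHAREABLE_FIELDS = ("source_ip", "target_system_type", "attack_form", "observed_at")


def build_share_record(incident: dict) -> dict:
    """Reduce an internal incident record to the technical data worth sharing.

    Only allow-listed keys survive, so victim e-mail, usernames and similar
    personal data never leave the organization. The IP is parsed so a
    malformed entry cannot be pushed to partners (ValueError on junk).
    """
    record = {k: incident[k] for k in SHAREABLE_FIELDS if k in incident}
    record["source_ip"] = str(ipaddress.ip_address(record["source_ip"]))
    return record


# Common Log Format prefix: client IP, timestamp, request line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) - - \[[^\]]+\] "(?P<method>\w+) (?P<path>\S+)')


def match_shared_indicators(log_lines, shared_records):
    """Return (source_ip, path) hits where a shared bad-actor IP appears locally."""
    bad_ips = {r["source_ip"] for r in shared_records}
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group("ip") in bad_ips:
            hits.append((m.group("ip"), m.group("path")))
    return hits


# Constructed sample data: one internal incident containing PII, three local log lines.
INTERNAL_INCIDENT = {
    "source_ip": "203.0.113.7",
    "target_system_type": "customer web portal",
    "attack_form": "sql_injection",
    "observed_at": "2015-03-02T14:05:00Z",
    "victim_email": "jane.doe@example.com",  # must never be shared
    "username": "jdoe",                      # must never be shared
}
LOCAL_LOGS = [
    '198.51.100.20 - - [02/Mar/2015:14:06:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Mar/2015:14:06:09 +0000] "POST /admin/login HTTP/1.1" 500 0',
    '192.0.2.44 - - [02/Mar/2015:14:07:30 +0000] "POST /api/orders HTTP/1.1" 201 88',
]

if __name__ == "__main__":
    shared = build_share_record(INTERNAL_INCIDENT)
    print("to share:", shared)
    print("local hits:", match_shared_indicators(LOCAL_LOGS, [shared]))
```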

The casino industry has a good model to follow. Each individual casino monitors its floor for bad actors. Once one is identified and his or her method is discovered, that information is shared with almost all the other casinos in the United States and beyond. The goal is to make things more secure for the entire industry, not just one casino. In the same way, we need to make things safer for all businesses operating in some manner on the Internet, not just our own clients.

While information sharing legislation will only lay out a framework, it is an important tool for organizations. It may not provide active protections for enterprises, but it will encourage automated, real-time sharing of information, which is ultimately a good thing.

Again, though, new legislation is not a silver bullet, and we shouldn’t relax because legislation is on the way; if anything, we must be even more vigilant. The devil is in the details. JPMorgan Chase, for instance, has rapidly staffed up on cyberwarriors. Remember, while the success criterion for a cybercriminal is to get in 1 percent of the time, the success criterion for organizations is to get it right 100 percent of the time.
