April 16, 2015 By Andrew Lemke
Bill Blake
3 min read

Co-authored by Bill Blake

In response to the increased severity and frequency of cybersecurity incidents, policymakers in the United States are crafting legislative proposals to address areas in which the federal government and/or a revision of existing law could be helpful to organizations in this ongoing battle to protect networks. However, we must not relax by thinking any new laws will solve the problem entirely or that the federal government can or will be able to take care of resolving all cybersecurity problems. Yes, the White House assisted Sony Pictures Entertainment in 2014, but that was an extreme case. The government is not your ambulance. There is no emergency 911 cybersecurity phone number, and there likely never will be.

A few of the proposals presented so far include the following elements:

  • Voluntary sharing of cyberthreat data and liability protections associated with organizations willing to share with other organizations and the government;
  • A federal data breach notification standard to provide one methodology for how and when organizations need to notify consumers when an incident has occurred.

Cybersecurity Threat Sharing

IBM recently testified before Congress about new cybersecurity information sharing legislation, focusing on what is fundamental to any proposed bill: Namely, liability protections for sharing and receiving cyberthreat data, appropriate privacy protections — even though what is being shared is technical data, not personally identifiable information — and processes to share with the federal government.

IBM and its clients have seen firsthand the value that comes from the sharing of threat data since the company has been providing threat intelligence services to clients for more than a decade, proving that a single organization can benefit from the intelligence and analysis from a larger collaboration of threat intelligence. For instance, every customer benefits from other customers’ knowledge that a source IP address has been identified as a bad actor. Threat data sharing is a tool that will improve the overall ecosystem.

This idea was expressed in the recent executive order on cybersecurity, reading, “In order to address cyberthreats to public health and safety, national security and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies (agencies) and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.”

What Will Be Shared?

It is important to understand what is being asked here. Congress is not proposing that companies provide full access to all information they hold; rather, legislative proposals are asking them to voluntarily share information about suspicious activity and attacks. Factors such as the source IP, the types of systems targeted and the form of the attack — spear phishing, SQL injection, direct attack against a website, etc. — could help others identify and prevent a similar attack.

The casino industry has a good model to follow. Each individual casino monitors its floor for bad actors. Once one is identified and his or her method is discovered, that information is shared with almost all the other casinos in the United States and beyond. The goal is to make things more secure for the entire industry, not just one casino. In the same way, we need to make things safer for all businesses operating in some manner on the Internet, not just our own clients.

While information sharing legislation will only lay out a framework, it is an important tool for organizations. It may not provide active protections for enterprises, but it will encourage automated, real-time sharing of information, which is ultimately a good thing.

Again, though, new legislation is not a silver bullet, and we shouldn’t relax because legislation is on the way; if anything, we must be even more vigilant. The devil is in the details. JPMorgan Chase, for instance, has rapidly staffed up on cyberwarriors. Remember, while the success criteria for a cybercriminal is to get in 1 percent of the time, the success criteria for organizations is to get it right 100 percent of the time.

More from Government

Updated SBOM guidance: A new era for software transparency?

3 min read - The cost of cyberattacks on software supply chains is a growing problem, with the average data breach costing $4.45 million in 2023. Since President Biden’s 2021 executive order, software bills of materials (SBOMs) have become a cornerstone in protecting supply chains.In December 2023, the National Security Agency (NSA) published new guidance to help organizations incorporate SBOMs and combat the threat of supply chain attacks.Let’s look at how things have developed since Biden’s 2021 order and what these updates mean for…

Roundup: Federal action that shaped cybersecurity in 2023

3 min read - As 2023 draws to a close, it’s time to look back on our top five federal cyber stories of the year: a compilation of pivotal moments and key developments that have significantly shaped the landscape of cybersecurity at the federal level.These stories highlight the challenges federal agencies faced in securing digital infrastructure in the past year and explore the evolving nature of cyber threats, as well as the innovative responses required to address them.New White House cybersecurity strategyThe White House’s…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today