What do Sony, Target, Home Depot, Neiman Marcus, JP Morgan Chase, and Anthem all have in common, other than the fact that they’re all Fortune 500 companies? In the last year, they’ve all been victims of devastating cyber attacks resulting in combined damages approaching one billion dollars.
In response to the rising number of data breaches affecting American companies, in December 2014 the Obama Administration issued a proposal advocating that Congress pass comprehensive legislation on cybersecurity-related information sharing. By offering financial incentives and legal protections to companies that choose to share information on cyber attacks and data breaches, the White House believes the proposal could help businesses, security researchers, and intelligence agencies gain a sharper picture of the current threat landscape, and in turn, better cooperate to improve U.S. cyber defenses.
To learn more about attitudes toward information sharing, Government Business Council conducted a short poll, asking federal managers whether they agree or disagree with the following statement:
The federal government should incentivize private sector entities to share information about cyber attacks/data breaches.
GBC received responses from 188 federal employees representing more than two dozen civilian and defense agencies. In total, 69 percent agree or strongly agree that the government should offer incentives to companies or organizations that choose to participate in information sharing, while 18 percent disagree or strongly disagree.
These findings indicate that, in general, federal employees agree with the core tenets of the Obama Administration’s legislative proposal. But although a majority within the government believes federal agencies should do more to encourage information sharing, two issues remain: first, how best to incentivize participation in information sharing regimes, and second, whether participation should be mandatory.
The White House proposal, as well as legislation such as the Cyber Information Sharing Act (CISA), would extend “targeted liability protections” to participating companies, shielding them from consumer lawsuits or Freedom of Information Act (FOIA) requests. A second bill, the Cyber Intelligence Sharing & Protection Act (CISPA), could in certain circumstances permit the federal government to compel private entities to share information with DHS’s National Cybersecurity and Communications Integration Center.
Other proposals, like the Cyber Information Sharing Tax Credit Act (CISTCA), would instead subsidize companies’ voluntary participation in industry-run organizations called Information Sharing & Analysis Centers (ISACs). ISACs perform many of the same threat assessment functions as federal intelligence agencies, but with less perceived risk of bureaucratic overreach. Nevertheless, many security researchers still support an ongoing role for the intelligence agencies, whose unique technical, operational, and strategic capabilities are arguably critical for attributing the identities of cyber attack perpetrators.
The data shows that a strong majority of federal managers favor cooperation between public and private sectors on cyber information sharing. But when it comes to predicting what a future law might look like, the devil may be in the details. GBC will revisit this topic in future polls.