As threats to data spread, security info sharing debate heats up

New laws encourage cybersecurity information sharing between the public and private sector, but will the data protection measures infringe on privacy?

Rod Dykehouse doesn't think cybersecurity is a fair fight. Like other CIOs, he sees more and more attacks coming from organized enemies like criminal syndicates and foreign governments.

To help even the odds, Dykehouse said he's willing to work with the federal government, sharing information back and forth to more quickly identify and more effectively guard against cyberattacks.

"The cybersecurity attacks that are occurring are increasingly complex and sophisticated, and that, in my opinion, is an unfair fight," said Dykehouse, CIO at Penn State Hershey Medical Center and College of Medicine. "If we have to figure this out on our own, we will lose the war before it's begun. But by sharing, we can address this together."

But Dykehouse also stressed that he isn't giving the government unfettered access to his systems.

"We're trying to make sure we're protecting not only our networks, but also the privacy and confidentiality of the information with which we're entrusted," he said. "But we're not opening the gates to them."

New laws spark security info sharing debate

Congress is expected to enact a new law creating a system that enables cybersecurity information sharing between private entities and the federal government. But the move is controversial and has many IT and cybersecurity leaders weighing the benefits of sharing that information against the need to safeguard data confidentiality.

The U.S. Senate passed the Cybersecurity Information Sharing Act (CISA) on Oct. 27 with a 74-21 vote.


The proposed law is meant to help businesses, nonprofits and other private nongovernment organizations in their battles against cybercriminals by allowing them to share cybersecurity threats to data with the Department of Homeland Security. The information would be used to identify trends and successful countermeasures useful to multiple organizations, assisting all organizations in efforts to identify and fight those threats to data.

This forthcoming "information sharing ecosystem" will create "greater situational awareness, greater visibility across all the participants, so if something happens at one place you have the ability to more quickly adopt defensive techniques that can be applied to the ecosystem," said Michael Brown, a board member with the Advanced Cyber Security Center and VP and general manager of the global public sector at RSA, the security division of EMC.

The measure has plenty of critics, particularly privacy advocates and civil liberties groups that charge that the government could use CISA as a way to access personal information that it otherwise could not without a warrant. But it also has supporters, noted Jerry Luftman, professor and managing director of the Global Institute for IT Management.

"It's a vehicle to help ensure that when there are attacks, others will know about them … before they impact them, and I think the benefits far outweigh the risks in being able to help organizations," he said.

Some IT organizations have also come out in favor of the law. For example, the College of Healthcare Information Management Executives, of which Dykehouse is an active member, and the Association for Executives in Health Information Security announced their support after CISA's passage.

With passage of this new law expected, enterprise IT leaders will have to determine whether they want to share information and if they do, how they'll share that data while also protecting private information and meeting existing privacy laws.

"The concerns that privacy groups are voicing are that there aren't enough details around what's being shared. There are concerns about what data is going to be shared," said Timothy P. Ryan, managing director of Cyber Security at Kroll, a provider of risk solutions.

The costs of sharing cybersecurity threat data

Ryan said, ideally, private entities and the government would share cybersecurity threat indicators in an automated system. The information should flow back and forth in near real time, with systems that automatically analyze potential threats to data so IT and security staff only react to alerts, he added.

Most companies, however, do not have the systems in place for that sophisticated, automated level of sharing, he and others said, so more will have to be done manually. And because decisions on what will ultimately be shared rest with individual organizations, many businesses remain fearful about exposing private data or opening themselves up to other liabilities. Lawyers, consultants, IT professionals and security leaders said companies are concerned that if they share cybersecurity threat indicators, they risk drawing public attention to their cybersecurity vulnerabilities or to the fact that they were hacked.

They also worry that by sharing their cybersecurity information, they open themselves up to government scrutiny that could find violations of other laws such as the Health Insurance Portability and Accountability Act. (Privacy groups charge that the measure, which grants some immunity to organizations sharing cybersecurity data, will give companies a pass if they're found lacking in such areas.)

Companies also fear they might face legal risks for agreeing to share information that potentially violates privacy law. They could simultaneously open themselves up to lawsuits from others by not participating in this sharing ecosystem: For example, companies could be sued for negligence by not doing all they could to prevent a cyberattack, said attorney Julia Jacobson, a partner at McDermott Will & Emery LLP, a practice that focuses in part on privacy and data protection law.

As the proposed law stands now, private entities are not required to share their cybersecurity information. If they opt to participate and share, they're asked to share threat indicators such as suspicious domain names or file names.

However, Brown, Jacobson and others said companies may end up sharing more than that, including personally identifiable information (PII). Because CISA calls for sharing threat-related information, they said some companies could deem PII and other confidential or proprietary data to be threat-related and share it as well.
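The two paragraphs above describe the practical problem: an organization that opts in is asked to share threat indicators such as suspicious domain names or file names, but its incident records typically also contain PII and internal asset details that must not leave the building. The following is an added example, not code from the article or from any of the organizations named in it. It shows one way an IT team could build a "share package" from an internal incident record by allow-listing indicator types, dropping observables that name the organization's own assets, and redacting email addresses from free text before anything is sent to an external sharing partner. The incident record, the indicator types, and the internal domain suffix `corp.example` are all constructed for illustration.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample incident record (hypothetical data, not a real case).
SAMPLE_INCIDENT: Dict = {
    "summary": "Phishing email from billing@invoice-update.example sent to j.doe@corp.example",
    "observables": [
        {"type": "domain", "value": "invoice-update.example"},   # attacker infrastructure
        {"type": "file", "value": "Invoice_2015_11.pdf.exe"},    # malicious attachment name
        {"type": "email", "value": "j.doe@corp.example"},        # victim's address: PII
        {"type": "domain", "value": "mail.corp.example"},        # internal mail host
    ],
}

# Allow-list of observable types considered shareable threat indicators.
# Anything not listed (e.g. "email", "username") is held back by default.
SHAREABLE_TYPES = {"domain", "file", "ipv4"}

# Constructed: the organization's own domain suffixes, never shared as indicators.
INTERNAL_SUFFIXES: Tuple[str, ...] = ("corp.example",)

# Matches email addresses in free-text fields so they can be redacted.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def is_internal(value: str) -> bool:
    """True if a domain belongs to (or is a subdomain of) the organization."""
    return any(value == s or value.endswith("." + s) for s in INTERNAL_SUFFIXES)


def redact_text(text: str) -> str:
    """Replace every email address in a free-text field with a placeholder."""
    return EMAIL_RE.sub("[REDACTED-EMAIL]", text)


def build_share_package(incident: Dict) -> Dict:
    """Split an incident record into shareable indicators and a local review log.

    Returns a dict with:
      indicators: observables safe to send to a sharing partner
      summary:    the narrative with email addresses redacted
      withheld:   (type, value, reason) tuples that stay inside the organization
    """
    indicators: List[Dict[str, str]] = []
    withheld: List[Tuple[str, str, str]] = []

    for obs in incident["observables"]:
        kind, value = obs["type"], obs["value"]
        if kind not in SHAREABLE_TYPES:
            withheld.append((kind, value, "type not on allow-list"))
            continue
        if kind == "domain" and is_internal(value):
            withheld.append((kind, value, "internal asset"))
            continue
        indicators.append({"type": kind, "value": value})

    return {
        "indicators": indicators,
        "summary": redact_text(incident["summary"]),
        "withheld": withheld,
    }


def main() -> None:
    package = build_share_package(SAMPLE_INCIDENT)
    # Only the indicators and redacted summary would be transmitted;
    # the withheld list is kept locally for analyst review.
    outbound = {k: package[k] for k in ("indicators", "summary")}
    print("OUTBOUND:", json.dumps(outbound, indent=2))
    print("WITHHELD:", package["withheld"])


if __name__ == "__main__":
    main()
```

The design choice here is to allow-list rather than deny-list: an analyst has to add a type to `SHAREABLE_TYPES` before it can leave, so a new field that happens to carry PII is held back by default, and the `withheld` log gives the privacy or legal reviewer a record of what was filtered and why.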

"The complexity of the cyberattacks demands a great deal of information to analyze," said Christos Dimitriadis, the international president of trade group ISACA and group director of information security at the Greek company INTRALOT.

But he, like others, said companies must implement strategies that balance that need for information against the continuing need to keep confidential and proprietary information private.

"This is a balance that any organization should maintain," he said.

Next Steps

Read more about how cybersecurity measures are driving a wedge between public safety and privacy advocates, and Congress can fix the privacy issues raised by the Cybersecurity Information Sharing Act. Then, check out one CIO's rundown of how and why keeping a cool head in the face of a cybersecurity threat is game-changing.

This was last published in December 2015


Join the conversation

5 comments


Do you think cybersecurity information sharing between the public and private sector can protect against threats to data? Why or why not?
I think it's a bit ludicrous for the governments of the world, especially the US, to expect and demand special 'features' to gain access to data, when they've proven in the last year that they do not treat the data of their own employees (OPM hack) with the same security and privacy that most of us would want it to be treated.

So no, until they get their house in order, the private sector should find ways to cooperate with duly served warrants, but not bend over backward for governments.
I honestly believe that a lot of the data that the government might seek would be captured by systems already and available if a simple warrant was presented.
This debate is now getting more complicated as the Apple vs. the FBI saga is heating up. It will be interesting to see if Apple ultimately caves to pressure and creates the backdoor to unlock the San Bernardino shooter's phone. Either way this is no doubt the first in a long line of situations where the debate between privacy/public safety/cybersecurity causes controversy when companies are asked to cooperate with law enforcement seeking access to data on consumer devices.
Well, I guess we know how the Apple/FBI battle went. But seriously, the best way to move forward is for both sectors to work together to determine what information is already available, and create a solution beneficial to both sectors and the public. I suspect that option is no longer valid, though.