
As threats to data spread, security info sharing debate heats up

New laws encourage cybersecurity information sharing between the public and private sector, but will the data protection measures infringe on privacy?

Rod Dykehouse doesn't think cybersecurity is a fair fight. Like other CIOs, he sees more and more attacks coming from organized enemies like criminal syndicates and foreign governments.

To help even the odds, Dykehouse said he's willing to work with the federal government, sharing information back and forth to more quickly identify and more effectively guard against cyberattacks.

"The cybersecurity attacks that are occurring are increasingly complex and sophisticated, and that, in my opinion, is an unfair fight," said Dykehouse, CIO at Penn State Hershey Medical Center and College of Medicine. "If we have to figure this out on our own, we will lose the war before it's begun. But by sharing, we can address this together."

But Dykehouse also stressed that he isn't giving the government unfettered access to his systems.

"We're trying to make sure we're protecting not only our networks, but also the privacy and confidentiality of the information with which we're entrusted," he said. "But we're not opening the gates to them."

New laws spark security info sharing debate

Congress is expected to enact a new law creating a system that enables cybersecurity information sharing between private entities and the federal government. But the move is controversial, and it has many IT and cybersecurity leaders weighing the benefits of sharing that information against the need to safeguard the confidentiality of their data.

The U.S. Senate passed the Cybersecurity Information Sharing Act (CISA) on Oct. 27, 2015, by a 74-21 vote.


The proposed law is meant to help businesses, nonprofits and other private nongovernment organizations in their battles against cybercriminals by allowing them to share indicators of cybersecurity threats with the Department of Homeland Security. The government would use that information to identify attack trends and countermeasures that have worked, so that all participating organizations can identify and fight those threats more quickly.

This forthcoming "information sharing ecosystem" will create "greater situational awareness, greater visibility across all the participants, so if something happens at one place you have the ability to more quickly adopt defensive techniques that can be applied to the ecosystem," said Michael Brown, a board member with the Advanced Cyber Security Center and VP and general manager of the global public sector at RSA, the security division of EMC.

The measure has plenty of critics, particularly privacy advocates and civil liberties groups that charge that the government could use CISA as a way to access personal information that it otherwise could not without a warrant. But it also has supporters, noted Jerry Luftman, professor and managing director of the Global Institute for IT Management.

"It's a vehicle to help ensure that when there are attacks, others will know about them … before they impact them, and I think the benefits far outweigh the risks in being able to help organizations," he said.

Some IT industry groups have also come out in favor of the law. For example, the College of Healthcare Information Management Executives, of which Dykehouse is an active member, and the Association for Executives in Health Information Security announced their support after the Senate vote.

With passage of the law expected, enterprise IT leaders will have to decide whether to share information and, if they do, how to share it while protecting private information and complying with existing privacy laws.

"The concerns that privacy groups are voicing are that there aren't enough details around what's being shared. There are concerns about what data is going to be shared," said Timothy P. Ryan, managing director of Cyber Security at Kroll, a provider of risk solutions.

The costs of sharing cybersecurity threat data

Ryan said that, ideally, private entities and the government would exchange cybersecurity threat indicators through an automated system. The information should flow in both directions in near real time, with systems that automatically analyze potential threats so that IT and security staff react only to alerts, he added.

Most companies, however, do not have the systems in place for that level of automated sharing, he and others said, so much of the work will have to be done manually. And because the decision on what ultimately gets shared rests with each organization, many businesses remain fearful of exposing private data or opening themselves up to other liabilities. Lawyers, consultants, IT professionals and security leaders said companies worry that sharing cybersecurity threat indicators could draw public attention to their vulnerabilities or to the fact that they were hacked.

They also worry that sharing their cybersecurity information opens them up to government scrutiny that could uncover violations of other laws, such as the Health Insurance Portability and Accountability Act (HIPAA). Privacy groups, for their part, charge that the measure's liability protections for organizations that share cybersecurity data will give companies a pass if they are found lacking in such areas.

Companies also fear legal exposure for sharing information in a way that violates privacy law. Yet they could face lawsuits for not participating in the sharing ecosystem as well: a company could be sued for negligence if it did not do all it could to prevent a cyberattack, said attorney Julia Jacobson, a partner at McDermott Will & Emery LLP, whose practice includes privacy and data protection law.

As the proposed law stands now, private entities are not required to share their cybersecurity information. If they opt to participate and share, they're asked to share threat indicators such as suspicious domain names or file names.

However, Brown, Jacobson and others said companies may end up sharing more than that, including personally identifiable information. Because CISA calls for sharing threat-related information, they said some companies could deem PII and other confidential or proprietary data as such.
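The automated exchange Ryan describes and the PII concern raised here meet at the same point: the step that turns an internal incident record into a record fit to share. The following Python is an added example, not code from the article, from DHS or from any sharing program; the incident record, its field names, the placeholder domain and the documentation-range IP are all constructed for illustration. It keeps only an allowlist of indicator fields (domains, external IPs, file names, hashes), treats RFC 1918 and loopback/link-local addresses as victim-network detail rather than indicators, scrubs e-mail addresses and internal IPs out of free text, and records everything it dropped so a reviewer can audit the minimization before anything leaves the organization.

```python
"""Minimize a raw incident record into a shareable threat-indicator record.

Added example for illustration only. The record layout, field names and
regular expressions below are assumptions, not a standard sharing format.
"""
import ipaddress
import re
from typing import Any, Dict, List, Tuple

# Constructed sample (not real data): an analyst's phishing-incident notes
# that mix shareable indicators with staff and patient identifiers.
RAW_INCIDENT: Dict[str, Any] = {
    "ticket": "INC-20151027-17",
    "reporter": "jdoe@example-hospital.org",
    "patient_mrn": "MRN-0098123",
    "summary": (
        "jdoe@example-hospital.org opened invoice_0427.docm on 10.20.30.44; "
        "the macro beaconed to update.badcdn-example.net (198.51.100.23)."
    ),
    "attachments": [
        {"name": "invoice_0427.docm",
         "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
    ],
    "network": [
        {"src_ip": "10.20.30.44", "dst_ip": "198.51.100.23",
         "dst_domain": "update.badcdn-example.net"}
    ],
}

# Only these top-level fields may contribute to the shared record (allowlist,
# so a new field added to the ticket system defaults to "not shared").
SHAREABLE_FIELDS = ("summary", "attachments", "network")

# Address ranges that describe the victim's own network, not the attacker.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

Removed = List[Tuple[str, str]]  # (reason, value) audit entries


def is_internal_ip(ip_text: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses; False for anything
    else, including unparseable strings (which are simply not treated as IPs)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def scrub_text(text: str) -> Tuple[str, Removed]:
    """Replace e-mail addresses and internal IPs in free text with placeholders.
    External IPs are left in place because they are the indicator itself."""
    removed: Removed = []

    def _email(m: "re.Match[str]") -> str:
        removed.append(("email", m.group(0)))
        return "[email removed]"

    def _ip(m: "re.Match[str]") -> str:
        if is_internal_ip(m.group(0)):
            removed.append(("internal_ip", m.group(0)))
            return "[internal host]"
        return m.group(0)

    text = EMAIL_RE.sub(_email, text)
    text = IPV4_RE.sub(_ip, text)
    return text, removed


def build_share_record(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Produce the record that would be handed to the sharing system, plus an
    audit list of everything withheld so the minimization can be reviewed."""
    indicators: Dict[str, List[str]] = {
        "domains": [], "external_ips": [], "file_names": [], "sha256": []}
    removed: Removed = []

    for att in raw.get("attachments", []):
        indicators["file_names"].append(att["name"])
        indicators["sha256"].append(att["sha256"])  # hash is the stronger indicator
    for flow in raw.get("network", []):
        indicators["domains"].append(flow["dst_domain"])
        for key in ("src_ip", "dst_ip"):
            ip = flow.get(key)
            if ip is None:
                continue
            if is_internal_ip(ip):
                removed.append(("internal_ip", ip))
            else:
                indicators["external_ips"].append(ip)

    summary, text_removed = scrub_text(raw.get("summary", ""))
    removed.extend(text_removed)
    # Every field outside the allowlist (ticket, reporter, patient_mrn) is dropped
    # and named in the audit list rather than silently vanishing.
    removed.extend(("dropped_field", k) for k in raw if k not in SHAREABLE_FIELDS)

    for key in indicators:
        indicators[key] = sorted(set(indicators[key]))
    return {"indicators": indicators, "summary": summary, "removed": removed}


if __name__ == "__main__":
    import json
    print(json.dumps(build_share_record(RAW_INCIDENT), indent=2))
```

The `removed` list is the part practitioners tend to skip and later regret: it is what lets a privacy officer confirm that the reporter's address and the patient identifier never left, and it is what you would show if asked how PII was kept out of the feed.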

"The complexity of the cyberattacks demands a great deal of information to analyze," said Christos Dimitriadis, the international president of trade group ISACA and group director of information security at the Greek company INTRALOT.

But he, like others, said companies must balance that need for data against the continuing need to keep confidential and proprietary information private.

"This is a balance that any organization should maintain," he said.

Next Steps

Read more about how cybersecurity measures are driving a wedge between public safety and privacy advocates, and how Congress can fix the privacy issues raised by the Cybersecurity Information Sharing Act. Then, check out one CIO's rundown of how and why keeping a cool head in the face of a cybersecurity threat is game-changing.
