In December 2015, President Obama signed the Cybersecurity Act of 2015, but companies remain in a holding pattern, waiting for legal clarity and demonstrable benefits before sharing sensitive information about the attacks they see.
Sharing information on cyber-threats has garnered a great deal of U.S. government support over the past 18 months.
In February 2015, President Obama signed Executive Order 13691, encouraging collaboration among private companies and between companies and the government through organizations known as information sharing and analysis organizations, or ISAOs.
Nearly a year later, Congress passed a 2,009-page omnibus spending bill that included among its provisions the Cybersecurity Act of 2015, a law that affords companies legal protections in exchange for sharing information with the government about cyber-attacks. This past summer, the Department of Homeland Security released guidelines for sharing details of attacks with the federal government.
Despite the government action, companies have been reluctant to begin sharing data on the attacks hitting their networks. One report found that while nearly 140 organizations were connected to DHS's Automated Indicator Sharing (AIS) system, only one company was contributing any significant volume of information.
Nine months after the Cybersecurity Act became law, the complexity of information sharing and the natural human reluctance to reveal details about network and data breaches mean that convincing organizations to share continues to be difficult, Chris Coleman, CEO of threat-intelligence firm LookingGlass, told eWEEK.
“I always question whether it’s in human nature to share this type of information,” he said. “For companies, the legal issues of a material breach … mean that there is not a lot of established policy in regards to sharing. So [many say] why take the risk?”
Yet defenders need to exchange information on cyber-threats. Such intelligence promises to help companies harden their defenses against the most pervasive attacks and direct staff and resources to the most pressing threats.
Even so, very few companies have started sharing. Large companies are still studying the legal issues, concerned that talking about attacks will invite lawsuits and other legal jeopardy. Smaller firms generally just do not know where to begin, Greg White, executive director of the ISAO Standards Organization and a professor of computer science at the University of Texas at San Antonio, told eWEEK.
“Mostly our problem at this point is getting the word out,” he said, adding that “if you are one of those entities that sign up for a feed and you are getting thousands of indicators, many don’t know what to do with that.”
The Cybersecurity Act of 2015 should assuage the fears of legal repercussions that have limited sharing. The law, which had been debated in Congress in various forms for nearly a decade, directs government agencies to share threat information with companies and other groups, and mandates new processes and systems for passing threat information from the private sector to government agencies.
Before the law, companies only rarely shared breach information voluntarily.