Both public and private sector entities fall victim to cyber criminals and other malicious actors each day. Sharing information about cyber threats is critical to prevent and combat these attacks.
Over the past several years, Congress and the courts have taken steps to clarify and promote information sharing. Last year, the Department of Justice and Federal Trade Commission provided guidance clarifying that private entities can share cyber threat information without raising antitrust concerns — helping to pave the way for more timely cyber threat information sharing. That was a helpful step but there is more that can be done.
For our member companies, ensuring that information networks — their own and those of their partners and customers — are well protected and able to fend off cyber attacks, is critical. The timely and appropriate sharing of information about cybersecurity threats, vulnerabilities, lessons learned, and best practices is imperative to building a collaborative framework to defend networks against attacks. This can and should be done in a manner respectful of privacy as cyber threat information sharing involves the sharing of technical information and rarely, if ever, involves the use of personal information.
To that end, BSA supports six key tenets policymakers should follow in order to usher in an era of effective cyber threat information sharing. These tenets include:
- Empowering private entities, through appropriately targeted legislation and policies, to voluntarily share information regarding cyber threat indicators with other private entities or governments, domestically and internationally, by expressly limiting potential legal or regulatory consequences, both for sharing and receiving this information.
- Implementing appropriate policies and regulations that protect the privacy of those affected by shared cyber threat information without impeding the ability to share cyber threat indicators in a timely fashion.
- Authorizing and encouraging government actors to share relevant cyber threat information with private parties, and accelerating the time periods for sharing such information, including through automated mechanisms.
- Facilitating information sharing by private entities with both government and private parties, minimizing contractual terms mandated through laws or regulations to the applicable shared information, and providing flexibility to affected parties to enter into appropriate transactional arrangements.
- Establishing a civilian portal for private-to-government information sharing, and ensuring that liability protections be provided for those information-sharing situations. Legislation should also make clear that companies may continue to lawfully share cyber threat indicators with the government in other situations, such as with a law enforcement agency in the event of a potential cybercrime investigation, a regulatory agency, or an agency that is a customer under a government contract.
- Ensuring shared cyber threat information is used by the recipient only to promote cybersecurity and for no other purpose, and when information is shared with governments, that the information is used only to promote cybersecurity or for limited law enforcement activities.
The House of Representatives has an opportunity this week to build upon this effort. We expect the House to consider the Protecting Cyber Networks Act (H.R. 1560) and the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731). Together, these bills go a long way towards breaking down the legal barriers that currently discourage information sharing while ensuring that privacy is protected. We urge the House to send this legislation to the Senate so that it can to pass its own legislation and send a final product to the President for signature.