
Time for Congress to Act on Cyber Threat Information Sharing

Both public and private sector entities fall victim to cyber criminals and other malicious actors each day. Sharing information about cyber threats is critical to prevent and combat these attacks.

Over the past several years, Congress and the courts have taken steps to clarify and promote information sharing. Last year, the Department of Justice and Federal Trade Commission provided guidance clarifying that private entities can share cyber threat information without raising antitrust concerns — helping to pave the way for more timely cyber threat information sharing. That was a helpful step, but there is more that can be done.

For our member companies, ensuring that information networks — their own and those of their partners and customers — are well protected and able to fend off cyber attacks is critical. The timely and appropriate sharing of information about cybersecurity threats, vulnerabilities, lessons learned, and best practices is imperative to building a collaborative framework to defend networks against attacks. This can and should be done in a manner respectful of privacy, as cyber threat information sharing involves the sharing of technical information and rarely, if ever, involves the use of personal information.

To that end, BSA supports six key tenets policymakers should follow in order to usher in an era of effective cyber threat information sharing. These tenets include:

  1. Empowering private entities, through appropriately targeted legislation and policies, to voluntarily share information regarding cyber threat indicators with other private entities or governments, domestically and internationally, by expressly limiting potential legal or regulatory consequences, both for sharing and receiving this information.
  2. Implementing appropriate policies and regulations that protect the privacy of those affected by shared cyber threat information without impeding the ability to share cyber threat indicators in a timely fashion.
  3. Authorizing and encouraging government actors to share relevant cyber threat information with private parties, and accelerating the time periods for sharing such information, including through automated mechanisms.
  4. Facilitating information sharing by private entities with both government and private parties, minimizing contractual terms mandated through laws or regulations to the applicable shared information, and providing flexibility to affected parties to enter into appropriate transactional arrangements.
  5. Establishing a civilian portal for private-to-government information sharing, and ensuring that liability protections be provided for those information-sharing situations. Legislation should also make clear that companies may continue to lawfully share cyber threat indicators with the government in other situations, such as with a law enforcement agency in the event of a potential cybercrime investigation, a regulatory agency, or an agency that is a customer under a government contract.
  6. Ensuring shared cyber threat information is used by the recipient only to promote cybersecurity and for no other purpose, and when information is shared with governments, that the information is used only to promote cybersecurity or for limited law enforcement activities.

The House of Representatives has an opportunity this week to build upon this effort. We expect the House to consider the Protecting Cyber Networks Act (H.R. 1560) and the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731). Together, these bills go a long way towards breaking down the legal barriers that currently discourage information sharing while ensuring that privacy is protected. We urge the House to send this legislation to the Senate so that it can pass its own legislation and send a final product to the President for signature.

Victoria Espinel

Author:

Victoria Espinel is a respected authority on the intersection of technology innovation, global markets and public policy. She leads strategic efforts that help shape the technology landscape in 60 countries through work in BSA’s 10 global offices.

Espinel also serves as the President of Software.org: the BSA Foundation. Software.org is an independent and nonpartisan international research organization created to help policymakers and the broader public better understand the impact that software has on our lives, our economy, and our society.

Espinel served for a decade in the White House, for both Republican and Democratic Administrations as President Obama’s advisor on intellectual property and, before that, as the first ever chief US trade negotiator for intellectual property and innovation at USTR. She was also a professor of international trade and intellectual property at the George Mason School of Law.

Espinel is a founding and ongoing co-sponsor of Girls Who Code’s Washington, DC, summer immersion program, which empowers young women to pursue careers in STEM fields. She speaks before audiences around the world to build visibility for the amazing things people can do with software, and encourages businesses, governments, and the public to support a policy environment that will enable even more software breakthroughs.

Espinel chairs the World Economic Forum’s Global Future Council on the Digital Economy and Society. She was appointed by President Obama to serve on the Advisory Committee on Trade Policy and Negotiations (ACTPN), the principal advisory group for the US government on international trade. She holds an LLM from the London School of Economics, a JD from Georgetown University Law School, and a BS in Foreign Service from Georgetown University’s School of Foreign Service. Follow her on Twitter: @victoriaespinel.
