We Need More than a “Good Samaritan” Law for Cybersecurity Information Sharing
With the Senate planning to vote on cybersecurity legislation in early June, opponents of the legislation are stepping up their opposition. During the Memorial Day recess a coalition of groups plan to pressure members of Congress to oppose the two Senate cybersecurity bills: S. 2105, the Cybersecurity Act and S. 2151, the Secure IT Act. These groups assert that the information-sharing measures included in the bills will violate individual privacy rights. While much of the debate about information sharing has focused on the privacy aspects, some have basically argued that information sharing has little to no value for improving cybersecurity. For example, Jim Harper at Cato Institute has complained about “the fetishization of information sharing on Capitol Hill.” In his view, the government should have a minimal role, if any, in promoting information sharing for cybersecurity purposes. Instead we should “let competitive pressure drive cybersecurity, rather than collective, government-run cybersecurity information sharing programs.”
While I agree that information sharing is not the only, nor even close to the most important, aspect of improving cybersecurity, it is still highly relevant. For example, although the number of zero-day attacks was down in 2011, these types of vulnerabilities are still frequently exploited and can lead to millions of dollars of losses. Better information sharing is needed so that new attack signatures can be more rapidly identified and disseminated. In addition, the increased risk from advanced persistent threats and polymorphic code suggests that organizations may sometimes need to disclose more than just de-identified data or specific malicious code. Instead, they need to be working cooperatively with others in the public and private sector to identify new intrusion techniques and obfuscation methods.
I am sympathetic to the free-market approach, but with regards to information sharing, it is an ineffective solution to the underlying structural problem that needs to be solved. Different sector-specific Information Sharing and Analysis Centers (ISACs) already exist to provide an institution for exchanging information about threats to critical infrastructure. However, in the existing framework organizations have little incentive to quickly and efficiently share information about a cybersecurity threat that they see on their network.
Let me provide an example. In January 2010, Google disclosed that its computer systems had been subject to a highly sophisticated and targeted attack. The company detected the attack in mid-December, and at the time of disclosure, noted that “as part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses—including the Internet, finance, technology, media and chemical sectors—have been similarly targeted” and that the company was “currently in the process of notifying those companies.” Later reports indicated that at least 34 companies were attacked.
This attack illustrates why information sharing needs to be improved.
First, information sharing should be timely. The time between when the first software vulnerabilities were discovered to when the first intrusions were detected to when the disclosures were made appears to be measured in weeks, not days or hours. Under existing law, organizations have no real motivation to share information quickly. Their first priority is to secure their own systems. In addition, organizations face pressure not to disclose this information. They do not want to suffer reputational harm or put themselves at a competitive disadvantage by disclosing security incidents.
Second, information sharing should be cross-industry. As in this case, the threat was not to a specific sector but rather affected many different industries. Even if sector-specific information-sharing occurs, another entity, whether it is a government agency, law enforcement, or another organization, needs to help facilitate cross-industry information sharing. While Google took the commendable step of publicly disclosing the attack in this case, they were unable to notify every organization that was possibly at risk.
Unfortunately, the proposed cyber security legislation does not go far enough to fix these underlying structural problems. The current cybersecurity information sharing provisions are basically the digital equivalent of a “Good Samaritan” law. Like Good Samaritan laws that protect individuals who try to help others in need, the cybersecurity information sharing provisions are intended to protect organizations that take action from liability resulting from their actions. This is a win for organizations that want liability protection for sharing information, but it does not necessarily result in the optimal outcome for society because these bills do not include a duty to act.
Legislation should go further and include a duty to report certain types of cybersecurity incidents within a specific time frame. This would be similar to the types of “duty to report” requirements imposed on teachers, doctors and counselors who are responsible for reporting evidence of abuse (rather than merely being given liability protection for revealing confidential information). Compelling organizations to report this data would help them avoid the inclination to freeload by using data supplied by others but failing to provide their own data.
It is important that we get information sharing right. If organizations receive liability protection for sharing information, they will not want to see limits imposed on that at a later date. Congress should only grant liability protection to those organizations that commit to sharing data about cyber security incidents in a timely manner.
The notion that federal efforts to improve information sharing are unimportant or unneeded is simply false. Information sharing may not be a comprehensive solution to our cybersecurity problems, however, it is one tool among many that the government and private sectors can and should use to better anticipate, detect and respond to threats.
