Legislation: Friend or foe?

Share this article:
Legislation: Friend or foe?
Legislation: Friend or foe?

The proposed Cyber Intelligence Sharing and Protection Act (CISPA) is galvanizing government and industry over whether we need federally mandated security legislation and what it should look like. The crux of the debate, whether personal privacy violations and information misuse will occur in the name of cyber security, is a thorny issue. Opponents of legislation that would mandate information sharing between the government and private sector about cyber threats claim it would be too burdensome for corporations to implement and could threaten civil liberties and privacy. 

Both groups can agree that government networks, critical infrastructure and corporate assets are under more frequent and sophisticated cyber attack. These result in information security breaches that are often only discovered after the fact –  sometimes months later and, often, by others. 

Until now, the United States has taken a consumer-focused approach to cyber security, mandating that only data breaches affecting consumers and their personal information need be disclosed. California's “right to know” disclosure law (SB-1386), which was copied by other states, is a good example. This approach is based on the premise that data security should be driven by consumer protection and not by government's anti-terrorism or crime-prevention initiatives. Ultimately, organizations that fail to protect against data breaches will suffer, as consumers seek better security from competitors.

But, at the end of the day, we need to understand that cyber criminals are coordinating their efforts and are well versed in sharing vulnerabilities and attack methodologies. To counter them, government and private industry have to work hand-in-hand to quickly dissipate information about threats. Europe, where the private industry and government agencies share threat information, has already learned this lesson. 

The emergence of information-sharing communities, such as the Red Sky Alliance, is a good first step. Now we need legislation that openly promotes the sharing of cyber attack intelligence across government and corporate boundaries, while at the same time protecting personal privacy.

Share this article:

Sign up to our newsletters

More in Opinions

Unfair competition: Proactive preemption can save you from litigation

Unfair competition: Proactive preemption can save you ...

With each job change, the risk that the new hire will bring confidential information or trade secrets with him or her to the new company grows.

Hackers only need to get it right once, we need to get it right every time

Hackers only need to get it right once, ...

Hackers only need to find one weak point to steal valuable information. On the flip side, security pros need to account for every possible scenario.

Successful strategies for continuous response

Successful strategies for continuous response

While it isn't realistic for organizations to expect that it will never happen to them, a rapid, professional and continuous response can limit their scope and reputational impact.