Legislation: Friend or foe?

Share this article:
Legislation: Friend or foe?
Legislation: Friend or foe?

The proposed Cyber Intelligence Sharing and Protection Act (CISPA) is galvanizing government and industry over whether we need federally mandated security legislation and what it should look like. The crux of the debate, whether personal privacy violations and information misuse will occur in the name of cyber security, is a thorny issue. Opponents of legislation that would mandate information sharing between the government and private sector about cyber threats claim it would be too burdensome for corporations to implement and could threaten civil liberties and privacy. 

Both groups can agree that government networks, critical infrastructure and corporate assets are under more frequent and sophisticated cyber attack. These result in information security breaches that are often only discovered after the fact –  sometimes months later and, often, by others. 

Until now, the United States has taken a consumer-focused approach to cyber security, mandating that only data breaches affecting consumers and their personal information need be disclosed. California's “right to know” disclosure law (SB-1386), which was copied by other states, is a good example. This approach is based on the premise that data security should be driven by consumer protection and not by government's anti-terrorism or crime-prevention initiatives. Ultimately, organizations that fail to protect against data breaches will suffer, as consumers seek better security from competitors.

But, at the end of the day, we need to understand that cyber criminals are coordinating their efforts and are well versed in sharing vulnerabilities and attack methodologies. To counter them, government and private industry have to work hand-in-hand to quickly dissipate information about threats. Europe, where the private industry and government agencies share threat information, has already learned this lesson. 

The emergence of information-sharing communities, such as the Red Sky Alliance, is a good first step. Now we need legislation that openly promotes the sharing of cyber attack intelligence across government and corporate boundaries, while at the same time protecting personal privacy.

Share this article:

Sign up to our newsletters

More in Opinions

Successful strategies for continuous response

Successful strategies for continuous response

While it isn't realistic for organizations to expect that it will never happen to them, a rapid, professional and continuous response can limit their scope and reputational impact.

When it comes to cyber attacks, predictions are pointless but preparation is key

When it comes to cyber attacks, predictions are ...

Rather than predicting the next lightning strike it is far better to pay attention to the areas we already know are vulnerable.

Protecting what matters

Protecting what matters

Whether it is a database of customer information or valuable intellectual property, an organization's "crown jewels" need to be protected with the most robust security possible.