Legislation: Friend or foe?

The proposed Cyber Intelligence Sharing and Protection Act (CISPA) is galvanizing government and industry over whether we need federally mandated security legislation and what it should look like. The crux of the debate, whether personal privacy violations and information misuse will occur in the name of cyber security, is a thorny issue. Opponents of legislation that would mandate information sharing between the government and private sector about cyber threats claim it would be too burdensome for corporations to implement and could threaten civil liberties and privacy. 

Both groups can agree that government networks, critical infrastructure and corporate assets are under more frequent and sophisticated cyber attack. These attacks result in information security breaches that are often discovered only after the fact – sometimes months later and, often, by others.

Until now, the United States has taken a consumer-focused approach to cyber security, mandating that only data breaches affecting consumers and their personal information need be disclosed. California's “right to know” disclosure law (SB-1386), which was copied by other states, is a good example. This approach is based on the premise that data security should be driven by consumer protection and not by government's anti-terrorism or crime-prevention initiatives. Ultimately, organizations that fail to protect against data breaches will suffer, as consumers seek better security from competitors.

But, at the end of the day, we need to understand that cyber criminals are coordinating their efforts and are well versed in sharing vulnerabilities and attack methodologies. To counter them, government and private industry have to work hand-in-hand to quickly disseminate information about threats. Europe, where private industry and government agencies share threat information, has already learned this lesson.

The emergence of information-sharing communities, such as the Red Sky Alliance, is a good first step. Now we need legislation that openly promotes the sharing of cyber attack intelligence across government and corporate boundaries, while at the same time protecting personal privacy.
