National Affairs Incorporated’s Privacy and Security Law
Report. “The cyberthreat has not abated, and … the need
for established methods of direct government-to-private
sector and private-sector-to-government sharing has
Fear stymies some of the information sharing in the
private sector—fear of sharing proprietary details or personnel
data, and fear of prosecution should federal officials
deem the sharing could violate antitrust laws. Legal
experts often caution their clients against sharing because
no clear guidelines govern information sharing.
Some of the onus for easing legal restrictions could fall
on Congress, contends the Heritage Foundation. “Given
that cybersecurity threats are very real and costly and
that voluntary information sharing is an inexpensive and
privacy-enhancing way of staving off these threats, Congress should consider ways to facilitate sharing,” foundation writers state. Lawmakers could resolve ambiguities
in outdated communications laws, the writers add, specifically the Wiretap Act and the Stored Communications
Act, written in 1986 to deal with telephone privacy protection issues, which seem to prohibit sharing of cybersecurity information. Liability protections could encourage
companies to share rather than fear lawsuits if damages
result from shared information. And shared information
should be protected from public release under the Freedom of Information Act.
A U.S. congressional bill might address the issues. The
Senate version of the Cybersecurity Information Sharing
Act of 2014, approved by the Senate Intelligence Committee in July, seeks to expand information shared about
cybersecurity threats and defensive mechanisms between
the government and industry. The legislation calls for increasing the sharing of classified and
unclassified cyberthreat information; authorizing the voluntary sharing of cyberthreat information by individuals and companies with each other and the government
while safeguarding personally identifying information;
enacting liability protections for individuals and companies that appropriately monitor and safeguard their own
networks; and limiting the government’s use of
information it receives to cyber-related purposes, not
inappropriate investigations or regulation.
An additional blueprint exists that could aid officials
in drafting rules for information sharing. The Three
Mile Island nuclear accident in 1979, the worst in U.S.
commercial nuclear power plant history, highlighted
failures of existing organizations and governance. Yet,
after-action reports netted rapid, revolutionary and
sweeping changes within the nuclear industry, to include
the establishment of effective nationwide information
sharing and governance processes. In 2013, President
Barack Obama issued an executive order to improve
cybersecurity of the nation’s critical infrastructure, which
also stressed improved information sharing.
Past efforts have not made it easier or more welcoming
for industry to voluntarily share its own intelligence. “We
need to allow for a more healthy environment and a safe
haven, so to speak, to bring those communities of interest
together to be able to take information sharing to the
level of actionable sharing versus just sharing of potential
post-event data,” says William F. Pelgrin, CEO and president
of the Center for Internet Security.
While industry might clamor for better cybersecurity
dialogue, businesses are hesitant to relinquish control,
particularly to the government. “The Obama administration was trying, a few years back, to come out with a
cybersecurity bill that actually had some teeth in it,” said
Sanford “Sandy” Reback, senior technology analyst for
Bloomberg Government, at a Fairfax County Chamber
of Commerce cybersecurity forum for small businesses.
“And it didn’t make it through Congress because most of
the business sectors said, ‘We don’t want you, the government,
telling us what we need to do to protect our own
systems,’—in many instances, for very good reasons,”
Reback continued. “They think they’re on the front lines.
They understand the technology. Things are changing
very quickly. The government is not in a good position
to [adapt to the changes.] That’s one of the main reasons
we’re in this situation where it’s a voluntary framework
kind of supplemented by this patchwork quilt … of differ-
“We’ve done a great job on awareness,” adds expert
John Gilligan, president and chief operating officer of
Schafer Corp. “You can’t go a day without hearing about
cybersecurity issues. But we haven’t changed behavior
yet. How do we change behavior in a positive way?”
contact: Sandra Jontz, firstname.lastname@example.org