One of the most significant barriers to broad participation in cybersecurity information-sharing efforts is the risk companies face from disclosing information about cyber incidents impacting their organizations. Under current law, companies face the potential for civil – and possibly even criminal – liability should they disclose the details of a cyber attack on their organization. However, Congress took significant action in April to address this challenge.
Recently, the House passed the Protecting Cyber Networks Act (H.R. 1560) and the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731). These bills provide liability protection for companies that share cyber threat indicators and defensive measures to combat a threat among one another and, should they choose, with the government. While these bills still have a long way to go before becoming law, they mirror similar proposals currently under debate in the Senate and follow closely on the Executive Order President Obama signed in February promoting private sector sharing of cyber threat information.
Though there is undeniably a level of mistrust within our community when it comes to information sharing between the private sector and the government, we shouldn't let the significance of these actions get lost in that debate. Let's set that aside just for a moment and focus on the fact that, taken together, these bills are a step toward providing companies liability protection for cyber threat information that they share among one another – without any government involvement. We know that the bad guys are collaborating, and yet the defenders often have to work alone. This disadvantage will continue until we remove the corporate reluctance to share information about cyber incidents before they become front-page news and give companies and individuals a much better chance at stronger security. Eliminating the threat of legal action isn't a panacea, but if this legislation becomes law, it will certainly go a long way toward achieving that goal.