We all learn to share nicely with our neighbors in kindergarten, but information sharing has yet to become a reality in the cybersecurity sphere, although the observers say it could help protect businesses, price insurance more accurately, and keep tabs on the ever-evolving cyber-criminal element.
Phil J. Smith, senior vice president at Trustwave, a security vendor, told Advisen, “This has been an ongoing topic for many years.” He added that a public-private partnership is “critical” to aid in the fight against cybercrime against individuals, businesses, and government entities.
However, the right balance between consumer privacy and the need for accurate, up-to-date awareness of threats hasn’t been struck. Congress has considered several pieces of legislation in recent years aimed at streamlining the flow of information between the public and private sector.
Those who favor bills like the Cybersecurity Information Sharing Act (CISA), passed by the U.S. Senate Intelligence Committee in July, say the measure would allow industry and the government to stay steps ahead of hackers by sharing details of cyber threats.
Opponents say CISA would spell the end of privacy for consumers, essentially allowing private companies to hand information directly to the National Security Agency (NSA). Numerous organizations have said CISA is simply Cyber Intelligence Sharing and Protection Act (CISPA) in a new form, a bill that prompted outrage against “cyber spying.” CISPA prompted a promise of a veto from the White House and stalled in Congress in 2013.
Senate Intelligence Committee Chairwoman Dianne Feinstein, D-Calif., asserted that CISA could help put a stop to the nearly weekly data breaches that have plagued retailers and other businesses. Any information shared with the government would have to be stripped of any personally identifiable information.
That may not be good enough for privacy groups, several of whom recently sent a letter to President Barack Obama, asking him to veto CISA if it ever gets to his desk.
“CISA authorizes the federal government to use the information in a broad range of investigations and prosecutions, such as Espionage Act investigations, raising questions about increased harm to whistleblowers and journalists,” stated the groups, which include Reddit, the American Civil Liberties Union, Competitive Enterprise Institute and many more.
“The bill also offers broad immunity protections for corporations, disincentivizing companies from protecting the privacy of users and limiting access to remedy for those whose rights are impacted,” continued the letter. “The current discourse centered solely on information sharing mistakenly focuses on only one layer of the internet to the detriment of all actors in the online ecosystem.”
Smith, a former U.S. Secret Service special agent, said he thinks a middle ground can be found.
“Obviously, when the government possesses information about our citizens, they all understand that they have an obligation to protect that information,” he said. “That information can be anonymized and aggregated, so it can be shared.”
Currently, there are avenues to information sharing via associations, networks and personal relationships. The private sector has the freedom to transmit information about cyber threats to law enforcement. However, law enforcement can’t in turn warn others about possible threats if the information would compromise an ongoing investigation.
Individual industries have Information Sharing and Analysis Centers (ISAC) for many years, also a way to bolster the nation’s critical infrastructure by offering risk mitigation assistance, incident alerts and other actionable information. ISACs for financial services, the energy sector, real estate, the nuclear industry and several more industries have been operating for over a decade.
The goal of information sharing should be “intelligence of what’s coming our way,” according to Smith. He also cited the Secret Service’s electronic crimes task force as “one really positive area of information sharing.”
“Do I think it’s easy? No. But we need to clear the next hurdles, and share this information both ways,” he told Advisen.
Covering Their Backs
Liability protection for businesses sharing cyber threat information is a key part of the conversation. Businesses are leery of broadcasting intrusions into their systems or providing data for fear of being sued.
“When you get the lawyers involved, they put their very cautious hats on,” said Smith. “They’re not going to want the attack information shared. But over last 10 years, you’ve seen more companies willing to share that information. With the threat landscape as it changes, especially with how quickly things change, it’s just important to get a process in place.”
Another bill (H.R. 3696) that cleared the U.S. House of Representatives this week could be a better solution, according to Ben Beeson, partner in Lockton’s global technology and privacy practice.
The National Cybersecurity and Critical Infrastructure Protection Act amends the Support Anti-Terrorism by Fostering Technologies Act of 2002 (SAFETY Act) and encourages businesses to adopt certain technological protections against cyber threats in exchange for protection from some liability.
“It’s incentivizing a company to improve its security,” Beeson said.
Beeson also noted that he supports the work of the Department of Homeland Security (DHS) on promoting a dialogue between the insurance industry and government on developing the cyber insurance market further. DHS recently released a report detailing several roundtable discussions with insurers, agents and brokers on the topic. DHS offered some reasons why information on cyber attacks is limited.
“Event participants reported that while insureds historically have shared information about cyber incidents and related losses with their carriers, most are afraid to report this data publicly given potentially negative regulatory or reputational consequences,” noted DHS in the report. “They further advised that the limited sharing that has taken place has otherwise failed to spur the development of broadly accessible cyber risk actuarial data needed to advance the cybersecurity insurance market more comprehensively. To address this shortcoming, many participants cited the need for a secure method through which organizations could pool and share cyber incident information, on an anonymized basis, and make it accessible to carriers and other risk management professionals. Some stated that a cyber incident data repository could be a helpful resource in this regard.”
For Beeson, while data to model risks on would be helpful, all industries should be seeking to understand cyber risk. Putting the right price tag on cyber insurance, while significant, keeps the focus on risk transfer, when risk avoidance and control should also be in play.
DHS is “moving in the right direction,” said Beeson. However, giving the insurance industry data on cyber risks for modeling purposes suggests that those risks are “static,” when in fact cyber attacks are constantly evolving. Beeson advocated more lobbying from the insurance industry on the issue of safety in cyberspace.
“Where the emphasis should be is on risk control, how best to mitigate this risk, versus how to model it,” he said.
Indeed, the DHS report cites one underwriter’s opinion, that an information sharing system could allow all parties to develop best practices for cybersecurity and benchmark successes as processes improve.
“Historical data … allowed carriers to investigate and promulgate fire safety best practices such as sprinkler systems, alarms, and outward opening doors – all of which carriers typically require today as a condition for commercial fire insurance coverage,” DHS noted. “The underwriter asserted that knowing how often certain cyber incidents occur and which vulnerabilities are being exploited by bad actors – data a repository could record over time – will help carriers identify similar patterns and trends that will help them develop and advertise similar best practices.”
According to Trustwave’s Smith, benchmarking shows results in quicker detection and remediation of threats.
“It always helps other companies know what they need to do in terms of elevating their game,” he said. “I think companies have actually done a better job of upping their game on cybersecurity defenses.”
Even without an extensive database of information on cyber incidents, insurers have developed a market, both for third-party coverage and first-party coverage. The insurance industry has a fair amount of data breach data from the last 10 years and has performed well in offering third-party liability coverage for breaches. Now the “embryonic” first-party coverage market needs to develop further. And good loss control practices on the part of businesses offer a better sense of predicting the likelihood of a cyber incident.
“Risk is risk. And when it’s new areas of risk, you don’t have the luxury of data to rely on, so you have to start somewhere,” said Beeson. “And surely the logical place to start is, ‘what are you doing to try and lock down the risk?’