Senate hearing draws call for liability protection on cyber-sharing

By Erin Ayers on February 3, 2015

Reflecting the widespread concern over cyber attacks in corporate America, a coalition of businesses sent a strong message to the United States Senate last week on the issue of cybersecurity and data privacy, encouraging lawmakers to reduce the risk of lawsuits in order to promote information sharing.

The Senate Homeland Security and Governmental Affairs Committee addressed the issue of cybersecurity, with Chairman Ron Johnson noting, “One of our missions for this Congress is to address the cybersecurity threat. The first step in addressing any problem is defining it.”

He added that the Senate aims “to develop an understanding of the reality of the cybersecurity threat—the frequency and complexity of the cyberattacks U.S. businesses endure every day, what businesses can do to better defend themselves, and what businesses need from the federal government.”

From the perspective of the business community, some protection from lawsuits stemming from cybersecurity issues – and the efforts to prevent breaches – is needed.

“We need Congress to send a bill to the president that gives businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyberattacks,” said the groups, which included retailers, insurers, bankers, energy and utility interests, and corporate leaders. “The legislation also needs to offer protections related to public disclosure, regulatory, and antitrust matters in order to increase the timely exchange of information among public and private entities. Our organizations also believe that legislation needs to safeguard privacy and civil liberties and establish appropriate roles for civilian and intelligence agencies.”

Speakers at the hearing illustrated the expansion and increasing danger presented by cyber attacks for senators.

“The evolution in the sophistication and intensity of cyber threats has been astonishing. Just a few years ago, the principal form of cyber threat was a denial of service, or DDoS, attack that might disable or deface an organization’s website for a brief period,” stated Peter Beshar, executive vice president and general counsel for Marsh and McLennan Cos. “In 2013 and 2014, hackers turned their focus to the theft, particularly in the retail sector, of credit card and other personal data. Last month, however, we saw an attack whose ramifications are far reaching.”

Beshar described an attack on an iron plant in Germany, during which hackers caused massive physical damage by remotely disabling the plant’s furnace shut-off systems.

“Armed with ‘detailed knowledge of the industrial control systems,’ hackers utilized an elaborate spear phishing campaign to damage the entire plant,” said Beshar. “This escalation of cyber-attacks to physical assets reflects the growing threat posed to our critical infrastructure.”

In the financial sector, the threat extends beyond potential internal loss to the costs of re-issuing large numbers of credit and debit cards, sometimes multiple times. The threat landscape is daunting, explained Marc Gordon, executive vice president and chief information officer for American Express.

“In 2014, we received over 5000 FS-ISAC cybersecurity alerts providing information of a variety of threats, attacks and other information supplied by members for members (an example of information sharing that goes on today), and have received approximately 100,000 technical indicators (describing malicious IP addresses, websites, malicious code components or some other aspect of a cyber threat to help maintain our defenses) from a variety of intelligence sources,” said Gordon. ISACs (Information Sharing and Analysis Centers) are industry-specific groups set up to facilitate the sharing of threat data.

Gordon suggested that businesses would favor an exemption from the Freedom of Information Act (FOIA) to more readily share cyber threat information with the government.

“Legislation that provides targeted protections from liability and disclosure – both for business-to-government sharing but also for business-to-business sharing – is sorely needed,” said Gordon. “By affording targeted protections from liability and disclosure, entities across sectors will be more willing to share key threat data without fear of unnecessary and wasteful litigation or public disclosures that could further compromise their systems.”

Gregory Nojeim, senior counsel and director of the Freedom, Security and Technology Project, advised the government to support the further development of the ISACs – without slighting consumers on their privacy and transparency rights.

“Quite simply, the American public should not – and need not – be forced to choose between being hacked by cyber criminals and being snooped on by the government,” Nojeim said. “The most important type of information sharing to incentivize is that between private entities. This is because entities in the private sector own and operate most of the critical infrastructure in the country that must be protected against cyber attacks. Information sharing can occur directly between private entities, without any government involvement. Threat analysis would occur more often at the private company level as opposed to within the government.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].