Should we share cyber security information ?
Is this a good idea… there are very good reasons why we should share cyber security information and there are also reasons that perhaps it may not be such a good idea.
The current landscape seems to be moving towards the sharing of this confidential and sensitive information with regulation being imposed on both sides of the Atlantic in recent months to promote and encourage the sharing of cyber security information.
At the end of last year the EEC announced The Network and Information Security Directive (NIS) which is a security and reporting directive for companies in critical business sectors , namely transport , energy , health and finance. This is also applicable to the businesses such as Google and Amazon.
This Directive includes a requirement to report cyber security breaches which is aimed to encourage greater visibility of cyber crime and data breaches within companies and for companies to address their own cyber security.
It is anticipated that this will be ratified in the Spring, with implementation anticipated within the next two years.
In the US , also at the end of last year, the Cybersecurity Information Sharing Act (CISA) was passed by the Senate which allows companies to share cybersecurity threat data with the Department of Homeland Security (DHS) and other federal agencies. A number of bodies that already exist in the US which include the sharing of cybersecurity information . These include Enhanced Cybersecurity Services (ECS) which is a voluntary information sharing program and whose aim is to help better protect busineses customers and the National Cybersecurity and Communications Integration Centre (NCCIC) which shares information with public and private sector partners.
In the UK the Cyber-security Information Sharing Partnership (CiSP) exists which is part of CERT-UK . This is a joint industry government initiative set up to share cyber threat and vulnerability information in order to increase overall awareness of cyber threats and help mitigate the impact this may have on UK businesses.
The British Insurance Brokers Association ( BIBA) have recently endorsed (CiSP) to encourage insurance brokers to join CiSP to share the knowledge of over 4000 cyber-security professionals from over 1500 organisations. The government is also very keen that the insurance industry works closer with cyber security professionals and it is likely that we will see evidence of this in the future via associations and collaborations.
Let’s now review the positives and negatives of sharing cyber security information :-
Positives
- It provides information to business on the latest forms of malware, spear phishing campaigns, and known malicious domains
- Improvement in technology to combat the latest forms of security threats
- Information derived from claims that insurers can assess / rate and improve the coverage under cyber insurance policies.
- Assessment of insurers aggregation
- Information to help insurers analyse cyber catastrophe models
- Provision of knowledge to help anticipate future terrorists lead cyber attacks
Negatives
- Possible release of confidential information of cyber attacks and data breaches to third parties
- The information provided may impact on a company to carry out businesses with existing customers being concerned with poor cyber security measures.
- Collateral damage to reputation of a business and impact on stock market share price
- Hackers gain access to extremely sensitive data bases
- Perceived by some that “big brother” is spying and will encourage surveillance of businesses
- Inadvertent sharing of personally identifiable information
The cyber security industry also has an important role to play as they are arguably possess the greatest amount of cyber security data, this is no doubt considered valuable intellectual property and there would be a reluctance to readily share this to a wider audience without distribution to secure destinations.
The sharing of cyber security information is more advanced in the US than the EEC / Rest of the World and is reflective of two very differing cyber landscapes , with the US being more mature in terms of number and size of cyber security breaches and the existing litigation that helps drives notification.
The sharing of cybersecurity information definitely has a role to play in the development of the improvement of cyber security and the defence of cyber attacks that can threaten a business…… how it is shared is perhaps the current dilemma facing governments and regulators.