President calls for more cybersecurity information sharing

President Barack Obama followed up Monday's speech about data breach notification with another speech Tuesday encouraging companies to share information about cyberattacks.

In an address to the National Cybersecurity and Communications Integration Center (NCCIC) he proposed legislation that offers liability protection to companies that share information.

Previously, such legislation had stalled due to privacy concerns, but the current proposal requires companies to remove "unnecessary personal information" before sharing.

The proposed legislation also contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen personal financial information, and would give courts the authority to shut down criminal botnets.

"We want to be able to better prosecute those who are involved in cyber attacks, those who are involved in the sale of cyber weapons like botnets and spyware," he said. "We want to ensure that we're able to prosecute insiders who steal corporate secrets or individuals' private information."

Privacy groups met this latest proposal with a great deal of skepticism.

"Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act ... are both unnecessary and unwelcome," said the Electronic Frontier Foundation in a statement.

"Expanded information sharing poses a serious risk of transferring more personal information to intelligence and law enforcement agencies," the organization added.

Security experts also reacted to the information sharing aspects of this proposal with some criticism.

"There is no guarantee the concept will be met with open arms," said Dodi Glenn, senior director of security intelligence and research labs at Clearwater, FL-based ThreatTrack Security, Inc. "I have personally been involved in operations where the very second a private company mentions involving the U.S. government, other participating companies become hesitant to continue to share data."

According to Glenn, there is a clear trust issue between the government, the private sector, and the public. Allegations of domestic spying, for example, have damaged the government's credibility on this issue. "Passing this bill is critical to the environment we are living in 2015, I do not know a business, consumer or security expert who would beg opposition."

"It is critical that the government not overreach in any information sharing program, and that they work with the private sector as a true partner," he said.

"The industry has proven that sharing information is not something the industry does just because someone says it's a good thing to do," said Tsion Gonen, chief strategy officer at Amsterdam-based security firm Gemalto.

The proposed legislation leaves some important questions unanswered, said Carl Wright, general manager at San Mateo, CA-based security firm TrapX.

Take, for example, the requirement to remove unnecessary personal information.

"What is the definition of 'unnecessary'?" he asked. "Who is responsible for making such decisions?"

Similarly, he said, liability protection sounds like an unfunded mandate on the cyber insurance industry, which is still in its infancy.

Even harsher penalties for cybercrimes did not meet with uniform support from cybersecurity professionals.

The current Computer Fraud and Abuse Act is already too broad, said Ian Amit, vice president at Baltimore-based security firm ZeroFOX.

"It has been notoriously criticized in several high-profile cases for being used to indict people whose action would [normally] not have even been classified as a misdemeanor," he said.

Under the proposed law, violations no longer start at a misdemeanor but as felonies, he added, and while the law is still too vague it also does not address the landscape of modern cybercrime.

"If it were left to a professional legal review from security industry professionals I believe that it would not see the light of day in its current form," he said. "But as we are all aware, the legislative process is subject to non-security industry forces."

Other security experts, however, saw the proposed legislation as an important first step towards addressing the evolving nature of cyberthreats.

"While this legislation probably doesn't go far enough, I think merely introducing it is a step in the right direction," said Sanjay Beri, CEO and co-founder at Los Altos, CA-based cloud security vendor Netskope. "We need to have this discussion and get serious about cybersecurity across all types of companies."

Beri added that he's not convinced that the new legislation will help prevent breaches.

"But I am 100 percent convinced that there will be more data breaches and sitting on our hands and not having this discussion won't prevent them either," he said. "Also, this needs to be a two-way street. Governments need to ramp up sharing data they gather to vendors and enterprises in an easy way."

According to Mary Ann Miller, senior director at New York City, NY-based NICE Actimize Inc., the proposed legislation is an "outstanding first step."

"Any initiative that creates a better environment for open discussions of critical issues ... is only a win for the good guys," she said.

Stories by Maria Korolov