Despite a new law encouraging companies to share more information about cybersecurity attacks, only 58 percent of CIOs polled say the new law would make it more likely they would cooperate with the government in the event of a data breach. The results, collected in a live audience poll at the Wall Street Journal's CIO Network show on Tuesday, suggest the U.S. government has a ways to go in fostering trust with the corporate sector.
Andy Ozment, the Department of Homeland Security's assistant secretary of the office of cybersecurity and communications.
Companies are generally willing to share threat "indicators," such as the IP address of a phishing scam making the rounds, rather than report specific incidents, said Andy Ozment, the Department of Homeland Security's assistant secretary of the office of cybersecurity and communications, who took the poll in stride as a guest speaker. "The legislation will make that more clear."
The U.S. Senate in October passed the Cybersecurity Information Sharing Act, a well-intentioned band-aid for the rash of data breaches that have buffeted the corporate sector. Ideally, companies would share with DHS more information about the threats they are seeing in their networks, and DHS would contextualize that data and share it with other companies and federal agencies. The law seeks to protect companies from private lawsuits, a major stumbling block to information sharing. Ozment said DHS would begin sharing cybersecurity threat information with private companies later this month.
Uncle Sam wants you to trust it with your data
Ozment, who oversees a $930 million budget and workforce created to bolster the nation’s cyber and communications infrastructure defense, says companies can relay threat indicator information from their intrusion detection system to one of their servers. Companies then relay it to DHS, which has created a “giant mixing bowl of indicators,” which are stripped of information about employees. He also said cybersecurity vendors would be able to use the data to build their own products.
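The indicator-stripping step described above, as an added example (not DHS code or any vendor's): it pulls shareable external IPs, domains and file hashes out of constructed IDS alerts and drops the employee-identifying fields before anything leaves the company. The alert field names and sample values are assumptions.

```python
"""Reduce IDS alerts to shareable threat indicators, minus employee data.

Added example; not DHS's, Rockwell's or any vendor's code. The alert field
names (sig, src_ip, dst_ip, user, host, domain, sha256) are assumed.
"""
import ipaddress
import re

# Constructed sample alerts. 203.0.113.0/24 is a documentation range used
# here as a stand-in for a real external phishing host.
SAMPLE_ALERTS = [
    {"sig": "Phishing landing page", "src_ip": "10.20.30.40",
     "dst_ip": "203.0.113.7", "user": "jdoe", "host": "WS-FIN-0142",
     "domain": "login-payroll-update.example",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"sig": "Internal port scan", "src_ip": "10.1.1.5", "dst_ip": "10.1.1.9",
     "user": "asmith", "host": "WS-HR-0007", "domain": None, "sha256": None},
]

# Fields that identify an employee or an internal asset; never shared.
EMPLOYEE_FIELDS = {"user", "host", "email"}

# RFC 1918 ranges plus IPv4 loopback and link-local: addresses in these nets
# describe our own network, not the adversary, so they are not indicators.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_shareable_ip(ip):
    """True only for syntactically valid addresses outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def to_indicator(alert):
    """Build a sharing record from one alert; None if nothing external is in it."""
    ind = {"description": alert.get("sig", ""), "ips": [], "domains": [], "hashes": []}
    for key in ("src_ip", "dst_ip"):
        if alert.get(key) and is_shareable_ip(alert[key]):
            ind["ips"].append(alert[key])
    if alert.get("domain"):
        ind["domains"].append(alert["domain"].lower())
    h = alert.get("sha256")
    if h and re.fullmatch(r"[0-9a-fA-F]{64}", h):
        ind["hashes"].append(h.lower())
    # Only whitelisted keys exist in ind, so employee fields cannot leak through.
    assert not EMPLOYEE_FIELDS & set(ind)
    return ind if (ind["ips"] or ind["domains"] or ind["hashes"]) else None

def build_share_batch(alerts):
    """Convert a list of alerts and drop those with nothing shareable."""
    return [r for r in (to_indicator(a) for a in alerts) if r]
```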
While he allowed that companies are much more reluctant to report hacks, Ozment encouraged companies to communicate incidents to law enforcement or DHS, which would grant statutory protections under which the data can't be used for regulatory purposes, civil litigation or Freedom of Information Act requests. "The bill says that if you're sharing information for cybersecurity purposes, then you're protected against this liability," Ozment said.
Companies are contemplating how to share not only information, but talent. Jim Motes, CISO of Rockwell Automation, has proposed a cooperative staffed by the best engineers from member companies, which he says would be better positioned to protect corporate networks than most managed security service providers (MSSPs).