The court’s written decision said the problem was not “weak” firewalls, IP address restrictions, encryption and passwords, but rather that in many cases, there weren’t “any” security measures in place. And it acidly noted that, “Wyndham did not respond to this argument in its reply brief.”
“That’s another great example of the irrelevance of information ‘sharing’,” Tien said, calling it “a solution in search of a problem. Or perhaps it’s a solution to some other problem, but not that of computer security.”
Joel Harding, a retired military intelligence officer and information operations expert, disagrees with Tien about the value of information sharing. “My background in cybersecurity is from a U.S. government perspective, so I naturally tend to promote information sharing in order to more accurately portray the developing situation,” he said, adding, “I still feel that way.”
But he agrees with Tien and other CISA critics that the bill does not contain “enough protections for people or corporations whose information may be shared throughout the government. All too often we have seen information not adequately protected and sensitive personal and corporate information gets into the wrong hands,” he said.
Whatever the flaws in CISA, there are voices in the private sector that support some kind of information sharing legislation. One of them, the Society for Information Management's Advanced Practices Council, has formed the CIO Coalition for Open Security, whose members advocate for it.
Madeline Weiss, director of the council, said the coalition favors legislation that would accomplish three main objectives:
- Create a forum for organizations to identify the best tools for information sharing and cyber resiliency.
- Create an anonymous database of cyber attack and breach information.
- Support federal legislation that offers liability protections for firms that share threat information.
In a post last October on CIO Insight, Weiss noted that information sharing amounts to “collective intelligence. We need to connect people and computers, so that collectively they act more intelligently than any individual, group or computer has ever done,” she wrote.
One member of the coalition, the CIO for a Fortune 1000 company who declined to be identified, said the goal is to “eliminate all obstacles that currently get in the way of entities sharing their cyber attacks and threats as they occur. Legislation that protects them from any form of backlash or retribution or legal risk in sharing this information is required to make this happen,” he said.
Evidence of that need, he said, is the court ruling on the FTC’s suit against Wyndham. For organizations that are breached, “apart from towering legal fees and a damaged reputation, now an appeals court has confirmed that the FTC can slap you with fines as well,” he said.