The benefits of federal legislation to govern private and public sector sharing of cyber threat information are being oversold -- and the risks are being too easily dismissed.
That was the consensus of a dozen speakers and panelists at the second annual Senior Executive Cyber Security Conference in Baltimore earlier this month. And it runs counter to the view held by government leaders from President Obama on down, and some leaders in the private sector as well, who've been saying for years that without a legal framework for such sharing, there's little hope for either sector to fend off cyber attacks.
The conference, sponsored by the Johns Hopkins University's Whiting School of Engineering, its Information Security Institute and by Comprehensive Applied Security Solutions (COMPASS), included speakers and panelists from the White House, the Department of Homeland Security (DHS), the private sector, advocacy groups and academia.
Though none at the conference were outright opposed to threat information sharing, several attendees noted that 80% to 90% of security incidents are caused by known vulnerabilities, and could be avoided with good "security hygiene" using security tools that already exist. They also gave multiple examples of sharing that is already going on.
More important, they said the legislative proposals now before Congress don't adequately protect privacy and civil liberties.
"Unfortunately, the bills incentivize oversharing," especially from the private sector to government, said Robyn Greene, policy counsel of the New America Foundation's Open Technology Institute. "They don't protect PII (personally identifiable information) once it gets to other companies or the government."
That, she said, would allow, "too much of it to be used for investigations on things that have nothing to do with cybersecurity."
Greene also argued that there is already plenty of sharing within the private sector. "If anything, what needs to increase is more government sharing. Not to create a free-for-all, but to find a way to get classified data into the hands of technologists."
Journalist Hodding Carter III, who served as assistant secretary of state for public affairs under President Jimmy Carter, was even more blunt. "Our government has decided, on behalf of the nation, that we need extreme measures to combat ... a terminal threat - the worst in American history," he said. "Nonsense, nonsense, nonsense."
Carter asserted that the current terrorist threat doesn't come close to the "mortal threats" of Nazi Germany or the Cold War with the USSR. "We are under threat," he said, "but it's a good time not to do terrible things."
One of those terrible things, he said, is government - specifically the National Security Agency (NSA) - "vacuuming up the details of Americans' lives" - the involuntary data collection exposed by former NSA contractor Edward Snowden.