President Obama recently signed into law a new federal spending bill that includes the latest edition of the Cybersecurity Information Sharing Act (CISA).
The Cybersecurity Information Sharing Act seeks to incentivize private companies and government agencies to exchange data on cybersecurity threats and vulnerabilities. The Heritage Foundation has recommended information sharing policies because they represent the first strong step to combat cybersecurity threats successfully.
In order to understand how the Cybersecurity Information Sharing Act improves U.S. cybersecurity by incentivizing information sharing, it is important to understand how information sharing works.
In the same way that a conscientious commuter might report a particular traffic jam that he encountered for the convenience of other commuters, so also might a well-meaning company report a particular instance of a cyberattack that it encountered for the benefit of other companies.
The Cybersecurity Information Sharing Act also requires companies to remove personally identifiable information prior to sharing. But more importantly from a privacy perspective, most of the information being shared is largely technical, usually including only the code of a new cyber threat or vulnerability that is enabling hackers to steal information.
The Cybersecurity Information Sharing Act further incentivizes companies to engage in cybersecurity information sharing by granting strong liability protection. Liability protection is important because it allows companies to share information without fear of being sued as long as they act within the constraints of the law.
In an attempt to streamline information sharing efforts, the Cybersecurity Information Sharing Act requires the federal government to set up a hub to gather cybersecurity information and share it with others. The bill designates the Department of Homeland Security as the liaison between agencies and companies as they share cybersecurity information with one another.
Ideally, the Department of Homeland Security should provide a secure, automated, easily accessible online portal where cybersecurity information sharing may take place.
While some voluntary exchanges of cybersecurity information are already taking place with good results, legislation that incentivizes information sharing improves U.S. cybersecurity even further. As more and more information sharing efforts are undertaken over time, the United States will be better prepared to take on a wide variety of cybersecurity threats and vulnerabilities.