Getting Serious about Information Sharing for Cybersecurity
Our cybersecurity in large part depends on the strength of the weakest part of a network. So, it is critical that the private sector, federal, state and local governments, and communities work together to build up our cyber security. Today’s announcement by the Department of Justice and the Federal Trade Commission that they have issued guidance to clarify that cybersecurity information can be shared with competitors without violating antitrust law – long a perceived barrier to effective cybersecurity – is so important. These two agencies, together charged with enforcing our antitrust laws, have made clear today that they do not believe “that antitrust is – or should be – a roadblock to legitimate cybersecurity information sharing.”
We know sharing threat information is critical to effective cybersecurity. Indeed, reducing barriers to information sharing is a key element of this Administration’s strategy to improve the nation’s cybersecurity, and we are aggressively pursuing these efforts through both executive action and legislation. Today’s announcement makes clear that when companies identify a threat, they can share information on that threat with other companies and help thwart an attacker’s plans across an entire industry.
We know many companies are already sharing information on cyber threats with each other and with the government through programs that preserve the privacy of Americans, maintain appropriate constraints on government access to private information, and do not lead to anti-competitive practices.
For example, during the denial-of-service attacks that targeted the websites of many leading U.S. banks over the last few years, the Financial Services Information Sharing and Analysis Center brought these banks together to exchange information with each other and with the Federal government. That information helped companies manage the attacks.
Non-profit information sharing organizations such as Boston’s Advanced Cybersecurity Center, the Bay Area Security Council, and ChicagoFirst have shown value in building smaller trust networks across sectors in metropolitan areas. And many for-profit information sharing organizations are also stepping into the game.
We will continue to work with our partners in industry to encourage the development of a network of information sharing partnerships and to identify actions we can take to further reduce barriers to information sharing.
While the Administration works to expand the sharing of cybersecurity information through executive action, we will work with Congress to carefully update laws to further facilitate cybersecurity information sharing while preserving the rights of individuals. We can and should increase information sharing while working in partnership with companies and organizations to secure their networks and protecting the privacy of their customers.
We also will continue to work to address the concerns our private sector partners have raised that the government should share more of its own information, so that companies could better protect themselves.
Last year, the President’s Executive Order on Improving Critical Infrastructure Cybersecurity opened up a Defense Department program created to protect the defense sector to companies across all 16 critical infrastructure sectors of the economy. The program, Enhanced Cybersecurity Services, gives participating commercial security providers access to the classified signatures that are used to protect the government’s own networks.
The President also required federal agencies to promptly notify victims or targets of malicious cyber activity. We have already made thousands of such notifications. And we are working to increase the volume, timeliness, and utility of the information we share.
Our goal is for the government to be a reliable information sharing partner, but only one of many. Companies that are targeted by criminals and nation state actors should establish information sharing channels with the National Cybersecurity & Communications Integration Center at the Department of Homeland Security, law enforcement agencies such as the FBI and Secret Service, and with other relevant agencies; however, they should also build information sharing relationships with private sector partners and organizations.
In today’s networked world, a cyber threat to one is really a cyber threat to all. This is why steps such as today’s announcement by the Department of Justice and the Federal Trade Commission that can encourage more information sharing are key to building up our collective cybersecurity. Companies should assess whether the remaining risks they perceive for engaging in legitimate information sharing are greater than those they face for failing to protect their customer data, their intellectual property, and their business operations from the growing cyber threats to them.