In early March, the Center for Strategic & International Studies (CSIS) published a report outlining its recommendations to Congress on cyber threat information sharing between the government and the private sector.
To identify lessons learned from existing and previous information sharing efforts, CSIS convened three workshops to discuss the technical, structural, and legal challenges to cyber threat information sharing. These workshops were attended by a cross-sector stakeholder group that included government, industry, and privacy organizations, as well as experts from the financial services, telecommunications, electricity, oil and gas, retail, and commercial information technology sectors, and the privacy community.
After analyzing the comments and suggestions of the participants, the authors have provided Congress with 11 recommendations for policy and legislation. These recommendations cover both structural and legal issues, and include:
- Private-to-private sharing with a minimal role for government can help promote voluntary information sharing and alleviate privacy concerns.
- Build upon existing information-sharing organizations and mechanisms.
- Cyber threat information shared voluntarily with the government should be protected from disclosure through Freedom of Information Act (FOIA) requests and barred from use in civil litigation or for regulatory purposes.
- Identify ways for information sharing models to demonstrate value for all parties involved.
- Permissible law enforcement uses of cyber threat information shared by companies with the government should be restricted to cybersecurity purposes and a limited set of other activities.
- Legislation should authorize monitoring and sharing of cyber threat information, and provide a safe harbor from civil and criminal liability for good-faith actions in conducting such activities.
While the authors recognize that there is much to be gained through improved cyber threat information sharing, they also note that it is not “an end in itself,” and suggest that the government and other sectors “articulate the objectives and goals for information sharing, and tailor mechanisms for information sharing to achieve those goals.”
For more information on the CSIS report, please follow the link below.
Cyber Threat Information Sharing: Recommendations for Congress and the Administration, Center for Strategic & International Studies