With national attention focused on high-profile cyber attacks, IBM’s top cybersecurity legal expert today spoke to members of Congress about the importance of sharing cyber threat information, and how legislation can be shaped to help promote that sharing.
Washington, D.C. – With high-profile cyber intrusions and data breaches captivating national attention, IBM’s top cyber security legal expert today spoke to members of Congress about the need to foster more sharing of cyber threat data among businesses and other organizations.
In testimony before the U.S. House of Representatives Permanent Select Committee on Intelligence, IBM Cybersecurity Counsel Andrew Tannenbaum explained that enterprises have adopted a “risk management” approach to cyber threats.
He noted that in years past, securing networks was a relatively contained matter. Today, however, businesses can have millions of users accessing their systems, and the volume of data that has to be secured is staggering and growing by the second. “Companies know they cannot eliminate all cybersecurity risk,” he said, “the threats are simply too diverse and dynamic.” Businesses therefore identify potential risks in their IT systems, prioritize them and allocate security resources accordingly.
Tannenbaum then pointed out that cybersecurity is a data analytics challenge, and that a critical element of any enterprise-level cybersecurity risk management program is the ability to rapidly receive and use actionable data about the latest cyber threats. With new threats evolving in near real-time, companies need to be able to share such data quickly to keep one another one step ahead of the hackers.
In urging members of Congress to pass information sharing legislation as quickly as possible, Tannenbaum detailed three elements that IBM views as vital to making a cybersecurity bill truly effective. These included:
- Privacy Protection – any cybersecurity information sharing legislation must protect the privacy of individuals. Sharing should be limited to technical details organizations need to defend their systems.
- Liability Protection – businesses will be reluctant to share threat information until federal law is updated to provide legal clarity and liability protection for companies who do so appropriately and in good faith.
- Sharing “Rules of the Road” – companies need a single, civilian government agency with which to share cyber threat info, as well as reasonable flexibility to engage other agencies under specific and justifiable circumstances.
Tannenbaum stated IBM’s appreciation of the recent cybersecurity and information sharing initiatives launched by President Obama, while pointing out that bipartisan information sharing legislation remains vital to an effective cybersecurity strategy. IBM will, he said, continue working with Congress and the Administration to secure passage of such a bill.
Adam R. Pratt