In IBM’s first THINKPolicy perspective, cybersecurity expert Andrew Tannenbaum urges Congressional action to strengthen America’s digital defenses.
By Andrew Tannenbaum, IBM Cybersecurity Counsel
With massive new data breaches being reported on what feels like a daily basis, businesses and consumers are increasingly concerned that their sensitive information could be exposed and exploited. Cybercrime and data hacks are fundamental threats to security and privacy, and their frequency is on the rise. The FBI recently announced that economic espionage cases surged 53 percent in the past year alone.
So, in IBM’s first THINKPolicy perspective, we are addressing a core data challenge of our time – cybersecurity – and offering the following recommendation to policy makers:
- Pass a Cyber Threat Info Sharing Bill – The U.S. Senate is poised to take up legislation this fall that would help public and private sector cybersecurity professionals rapidly share technical details on evolving cyber threats, and use that information to better secure their networks. Hackers operate in sophisticated, well-organized networks, and use secluded areas of the Internet to stage their attacks. By passing the Cybersecurity Information Sharing Act (CISA) and sending a final cybersecurity bill to the President’s desk, Congress will help security professionals better coordinate their defenses against these online criminal organizations. IBM strongly supports CISA, and companion bills passed earlier this year by large bipartisan margins in the House, because they address three essential factors that will foster more sharing of cyber threat info: strong privacy protections, legal clarity and protections for those who follow the privacy requirements, and clear “rules of the road” for sharing cyber threats through a civilian government agency.
According to the United Nations, 80% of cyber crimes are carried out by highly organized criminal networks that actively share tools and information. This only underscores the need for better sharing and coordination between the professionals working to thwart them.
IBM is taking concrete steps to help our clients, governments and partners address evolving cyber threats. Earlier this year, we launched a new platform – the X-Force Exchange – that allows cybersecurity experts to access a vast database of cyber threat data and share insight into the latest attacks. Since its launch, more than 2,000 organizations have been participating in the exchange. It’s a good start, but only legislative action can provide the legal clarity necessary to scale cyber threat info sharing to the level required.
And as we look ahead to the future, this exchange of threat data will be made even more powerful through the application of cognitive technologies, which can study cyber attacks happening in real time to help security professionals adapt even faster to rapidly evolving threats.
Unfortunately, certain groups have erroneously equated cyber threat information sharing with government surveillance and labeled it a threat to individual privacy. As I stated recently in the Wall Street Journal, this is a red herring. Cybersecurity experts have thoroughly and repeatedly explained that they do not want or need anyone’s personal information when sending or receiving alerts about cyber threats. What they do need is technical data that can be quickly integrated into their network defenses, such as lines of malware code, malicious IP addresses and information about product vulnerabilities and the techniques used to exploit them. The threat information sharing bills in the House and Senate are appropriately focused on that type of technical information.
In fact, CISA and the companion House bills are strong measures that affirmatively advance the cause of privacy. First and foremost, they put entities in a stronger position to defend against hackers who are brazenly stealing massive amounts of personal and confidential information, which is the real privacy crisis at issue. The bills also add a range of new privacy, transparency, and oversight protections that do not exist today. Instead of sharing threat indicators under an outdated and unclear legal framework – as occurs today – entities will now have legal clarity about what is appropriate to share (narrow categories of threat indicators) and how to do so while protecting privacy (by removing any incidental personal information, for example). Increased oversight and transparency will shed new light on the effectiveness of such sharing and any privacy impact. All of this is a net gain for privacy.
The time to act was yesterday. We cannot continue allowing cyber criminals to break into our systems, steal our data and disrupt our way of life. IBM urges Congress to address the cybersecurity challenge and, in doing so, foster the confidence businesses and consumers deserve when participating in the digital economy.