CA supports US legislation on cyber information sharing
What the enterprise can learn from the value of sharing cyber threat information to protect and defend networks.
This week, the US House of Representatives will consider two bills, the National Cybersecurity Protection Advancement Act of 2015 and the Protecting Cyber Networks Act, which authorize the sharing of cyber threat information to protect and defend networks.
Earlier this year, CA Technologies outlined a series of principles that we consider necessary components of any successful cybersecurity information sharing policy:
First, the policies must encourage the development of automated mechanisms to share information in as close to real time as possible. Cyber-attacks happen rapidly and without upfront notice. Once cyber threat indicators are discovered, this information must also be disseminated rapidly in order to allow organizations that are the subject of attacks to mitigate attack effects, and to help other organizations target their defenses against the newly discovered threat.
Second, organizations should have targeted liability protections for the data they share or receive. These protections will help organizations feel more secure in participating in the program, improving collective defenses.
Third, legislation should require organizations to take steps to remove personally identifiable information of individuals not related to the threat from any information they share with the government. This is vital to protect the privacy of customers and citizens.
CA Technologies believes that both the National Cybersecurity Protection Advancement Act and the Protecting Cyber Networks Act adhere to the principles outlined above, and we support their passage in the House.
Beyond these principles, both bills contain additional provisions that we believe will improve cybersecurity outcomes.
First, the bills state that in order to receive any new liability protection for sharing cyber threat information with the government, that information must be shared through a civilian agency portal. This builds confidence that the program will work to protect networks, which encourages greater participation.
In addition, the bills hold the Federal Government liable for any willful violations of privacy guidelines and restrictions on the use of the data. This builds confidence that the program will respect individual privacy and civil liberties.
There is still a long way to go before these bills become law. We look forward to working with Members of Congress and their staff as these bills make their way through the legislative process, including potential negotiations with the Senate, and the President’s signature. CA believes that any final legislation must continue to adhere to the principles outlined above in order for it to be signed into law.
Passage of these bills will not solve all of our cybersecurity challenges. Indeed, it is only one piece of a larger policy mosaic requiring active government, industry and other stakeholder engagement. However, it is a critical piece and we applaud the bills’ sponsors and supporters in the House for their contributions towards improving information security.