Law Interfering with Cybersecurity
Antitrust Fears Give Businesses Pause to Cooperate on IT Security
As a practical matter, that means efforts to secure information systems could be thwarted by existing laws, a concern expressed by Sen. Sheldon Whitehouse, D-R.I., at a hearing he chaired this past week of the Senate Judiciary Subcommittee on Crime and Terrorism that focused on the Obama administration's latest cybersecurity proposals.
When members of the various sector-specific Information Sharing and Analysis Centers, or ISACs, get together to discuss common IT security threats, they don't always share everything they know, even if it's in the best interest of all members that they do so to protect their IT systems, the senator said.
As an aside, Whitehouse suggested that some companies involved in ISACs don't want to share, but just seek threat information from their industrial counterparts: "To many participants in the game, it's to their advantage to be a free rider, to do little as possible and allow their industry colleagues to carry as much of the load as possible. If everybody looks at it that way, you really don't get an optimal result. So there's an economic and motivation problem built in it as well."
But Whitehouse suggested that most ISAC members aren't that sinister, yet often hesitate to share information for fear that they could be seen as colluding with competitors and that their cooperation to battle common threats could be interpreted as violating antitrust laws, opening them to lawsuits.
Whitehouse pointed out that the administration's proposals legally protect organizations that share threat information with the Department of Homeland Security, but no such shield exists when industry can be found "circling its wagons against common threats."
Associate Deputy Attorney General James Baker said the administration had put much thought into this dilemma without resolving it, but promised to work with lawmakers to find a solution. "These are tricky legal issues in there; antitrust concerns is one of particular note," Baker told Whitehouse. "You're exactly right. We need to figure out a better way of enhance that information sharing, and balance all those different factors you mentioned that need to be balanced appropriately."
Sen. Chris Coons, D-Del., wondered how far criminal and civil immunity goes in protecting organizations that cooperate with DHS on cyber investigations. The administration proposals would protect cooperating organizations that deal with DHS in good faith, a legal principle that shields participants from liability for their honesty. But the proposals are silent on who determines good faith.
Baker said the judiciary would make the final determination on good faith. "At the end of the day, it would be a court, a finder of fact, whether it's a judge or jury that will make that kind of determination," Baker said. "So, there is protection, but it's not something the government will be deciding on its own. It's going to be before a neutral decision maker."
What's the practical effect of organizations having faith they'll be protected by their good-faith efforts? Quick response to prevent further intrusions.
Businesses want to share vulnerability information because they feel it's important for the government and the community at large to be able to defend against these threats. But their first call isn't to DHS or law enforcement authorities, but to their lawyers.
"That often results in a week long or days long process of working with counsel in order to determine and give comfort to general counsel somewhere that that information can, in fact, be shared," said Greg Schaffer, DHS's acting deputy undersecretary of the National Protection and Programs Directorate, the department's highest ranking cybersecurity official. "In this space, as you know, millisecond counts, not days and weeks.
"The desire is to clear away that uncertainty and give general counsel a comfort level that they can share for this specific purpose ... to protect the larger ecosystem. That's really the problems that we see: Days of delay to be able to deploy defensive measures because concerns around whether or not that can be shared."
The problem is defined. The solution won't be easy to reach.