The pros and cons of information sharing
Sharing information about data breaches with the government and fellow corporations is the right thing to do, isn't it? There's a difference of opinion on this one, and it is exemplified by the positions of Peter George, president and CEO of Fidelis Security Systems, and Philip Lieberman, president and CEO of Lieberman Software.
Businesses should not withhold breach information because that makes it impossible to develop a full understanding of threats and a strategy for combating them, George writes in a face-off with Lieberman at Network World. Attacks follow patterns and leave behind footprints that could be studied to gain insight into the routes cybercrooks are taking. "The only way to battle these adversaries is to go on the offensive, and that requires sharing knowledge about the attacks--and the knowledge sharing has to span federal agencies and the private sector," he writes.
George argues for a much-expanded role for the government, which he says should require security breach disclosure so that companies can begin to build better defenses. A clearinghouse of breach information should be built and companies should be allowed to make use of it if they agree to "rigid reporting requirements." They should have to disclose not only breaches but also the forensics about them.
"All information will be located centrally and a communication and collaboration process will be put in place to keep track of each foreign fingerprint found on a corporation's network," he writes. "We cannot treat breaches as individual threats anymore, but as pieces to a larger puzzle that will someday allow us to detect threats before they enter our networks."
That's all well and good, but how would it affect the bottom line of a company that starts disclosing breaches? Not in a good way, argues Lieberman, who writes that companies have a duty to shareholders to not put their value unnecessarily at risk.
"Exposing details of your data breach could damage shareholder value if it diminishes the corporation's reputation or triggers fines and sanctions from regulators and industry groups," Lieberman warns. "The disclosure might also inhibit the organization's access to capital (both private and public) if it raises questions about corporate governance. Such disclosure may also trigger both frivolous as well as well-founded lawsuits."
Disclosure could also prompt more attacks, he writes. The government needs to deliver clear guidelines about breach reporting requirements; the current patchwork of state breach disclosure laws, together with efforts to fine companies that have been breached, only further victimizes organizations that were already the target of an attack.
Proposed rules giving companies immunity from prosecution if they inform law enforcement about breaches would be beneficial. "The lack of actionable corporate security requirements--and the fact that there is no safe harbor for organizations that disclose data breaches and cooperate with prosecution--creates a perverse scenario where it's simply not in a corporation's interest to divulge any more than is required by law," he writes. "In fact, it can be argued that a corporate officer who discloses more than the legal minimum ought to be terminated for disregarding the organization's responsibility to its shareholders."
- go to the debate at Network World