Cyber-Threat Data Sharing Off to Slow Start Despite U.S. Legislation
In January, President Obama signed the Cybersecurity Act of 2015, but companies remain in a holding pattern, waiting for legal clarity and demonstrable benefits before sharing sensitive information.Sharing information on cyber-threats has garnered a great deal of U.S. government support over the past 18 months. In February 2015, President Obama signed Executive Order 13691, encouraging collaboration between private companies and with the government through organizations known as information sharing and analysis organizations, or ISAOs. Nearly a year later, Congress passed a 2,009-page military spending bill that included among its provisions the Cybersecurity Act of 2015, a law that affords companies legal protections in exchange for sharing information with the government about cyber-attacks. This past summer, the Department of Homeland Security released guidelines for sharing details of attacks with the federal government. Despite the government action, companies have been reticent to begin sharing data on the attacks hitting their networks. One report found that while nearly 140 organizations were connected to DHS's Automated Indicator Sharing system, only one company was sharing any significant amount of information.
Nine months after the Cybersecurity Act became law, the complexity of information sharing and the natural human reluctance to reveal details about network and data breaches means that convincing organizations to share continues to be difficult, Chris Coleman, CEO of threat-intelligence firm LookingGlass, told eWEEK.