Models for Cybersecurity Incident Information Sharing and Reporting Policies
18 Pages. Posted: 1 Apr 2015. Last revised: 13 Aug 2016.
Date Written: August 13, 2014
Reporting requirements represent the area of cybersecurity policy where governments have been most active, to date, but depending on their purpose, these reporting policies vary greatly with regard to what kinds of information entities are expected to report, and to whom. Right now, the European Union is in the process of passing a Network and Information Security Directive (NISD) and the U.S. Congress appears to be moving towards a final version of its Cybersecurity Information Sharing Act (CISA), both of which function primarily to encourage — or require — that more information about cybersecurity incidents be shared with — or reported to — entities other than the ones who detect those incidents. The two policies share a common underlying principle — that everyone would benefit if information about cybersecurity incidents were discussed among and available to more actors — but they seek to establish completely different information reporting and sharing models.
This divergence reflects the ways in which policies built on spreading cybersecurity incident information more widely work to fulfill several different goals, including protecting people whose information has been breached, helping others in real time to defend against threats that have been previously experienced or identified by others, and contributing to a better long-term understanding of the types of threats observed and the effectiveness of various countermeasures. Each of these three goals has very different implications for security reporting regimes and may pose different challenges for both defenders and regulators. Through comparisons of the currently pending policies in the U.S. and E.U., as well as other existing cybersecurity incident reporting and data breach notification policies, this analysis proposes templates for designing policy measures intended to meet these three different goals, including the ways in which each of those goals shapes whom information is shared with, what information is shared, the timeline for sharing that information, and the relative benefits of mandatory versus voluntary regimes. This analysis also explores the pitfalls of trying to conflate multiple goals under a single reporting regime, using the example of the E.U. directive, which attempts to combine elements of all three goals.
Policy-makers have different roles to play in promoting these distinct goals of security reporting, all of which may be challenging for private actors to address adequately in the absence of government intervention, but for different reasons. While many existing and proposed cybersecurity policies focus on short-term reporting requirements intended to protect consumers and aid real-time threat remediation, it is the third purpose of information reporting — the long-term data collection about incidents and security interventions — that is in many ways most central to the establishment of effective policies governing security actions and outcomes. Without that information, policy-makers have no means of determining which defensive measures have the greatest impact or what the consequences of security breaches actually are. These policies could therefore serve as a first step in the cybersecurity policy-making process — setting the stage for defenders and policy-makers alike to gain a better grasp of what the security landscape looks like and how it can be improved. Given the large number and great variety of different actors involved in security threats and defending against them, any individual firm or actor is very limited in terms of what can be learned from their own security data. Combining the threat data from defenders who play different roles in the security ecosystem, serve different customers, have insight into different layers of the network, and impact each other’s security is central to figuring out where policy-makers may need to intervene and how.
Keywords: cybersecurity, information sharing, security policy