Legal liability slows cybersharing, experts say

 

The executive order President Obama signed Friday would make it easier for government agencies and private companies to share information in case of a cyber attack.

But company executives and others who attended the White House Summit on Cybersecurity and Consumer Protection are far from agreement when it comes to embracing the idea of information-sharing with the government.

Companies are worried that sharing private information with the government could open them up to lawsuits or regulatory action.

Privacy advocates are fearful such an exchange could create another venue for the government to collect Americans’ personal information, especially in the post-Edward Snowden era.

Experts say the executive action signed by Obama isn’t likely to fully address either of those major issues, causing some to question how much the White House can actually accomplish.

The privacy-versus-information debate took center stage at one of Friday’s panels. The discussion among panelists that included Symantec’s Chief Executive Officer Michael Brown, FirstBank’s Chief Executive John Ikard and Jennifer Granick, the director of civil liberties at Stanford’s Center for Internet and Society was relentless. The issues remained unresolved.

Information sharing has been at the heart of much proposed federal legislation. But Congress has yet to come to a consensus on an information-sharing bill. There’s no sign that’s going to change soon.

Granick said there are three key unresolved issues: The government should not be allowed to tap into private networks; there should be no exemptions to privacy laws for the government; and the federal government needs to recognize that increasing penalties for violations of the Computer Fraud and Abuse Act won’t motivate companies to be upfront about revealing breaches. Granick also pointed out that companies are worried that they might be held libel for revealing a breach that may be construed as a mistake.

“North Korea isn’t going to stop hacking Sony just because all CFAA (Computer Fraud and Abuse Act) crimes are now 10-year felonies instead of misdemeanors,” she said. “But the people who are going to be chilled by that are researchers who are developing threat information and want to share it with the public.

FirstBank’s Ikard also questioned parts of Obama’s order.

“How much does [a company] share? How much intimate information can [a company] give [the government]?” he asked. “Even though this partnership would be a great source of information sharing, we still need legislation in place to allow [companies] to release information in a confidential setting.”

But others said they were encouraged by the President’s executive order, calling it an encouraging step in the right direction.

Symantec’s Brown said it would help keep the administration’s cyber agenda in the public discussion and provide more details on some of the more opaque parts of the White House’s agenda on information sharing.

“Symantec’s ability to secure outcomes for customers is largely a function of being able to see more, so we can analyze more,” Brown said during his remarks on the panel. “We’ve seen that sharing information works and, frankly, we’d like to do this on a more consistent basis with the government as well.”