Security devices provide imperfect protection, even when they are considered adequate to satisfy a legal obligation to follow industry security standards. An advance warning system that predicts the likelihood of a cyber attack may ultimately be more effective and less costly if well designed and executed.
Private organizations have tremendous technical capacity to inspect and analyze online traffic and potentially to predict vulnerabilities and threats.
The White House is discussing plans for a Cyber Threat Intelligence Integration Center (CTIIC) within the office of the Director of National Intelligence. Those who applaud this move also caution that the CTIIC’s effectiveness will be limited if cyber threat data isn’t gathered and analyzed in collaboration with the private sector.
In an essay for Lawfare, Steve Slick describes the role of the CTIIC and the limits on its effectiveness: “The Internet’s basic design allows actors to conceal their identities, or even attribute their actions to others. IC collection of cyber threat data is structurally limited to the extent it excludes the large body of relevant information that Americans, U.S. businesses, and other private organizations choose not to volunteer to the government.”
On Thursday, April 23, a panel made up of Joe Burton, Mark Silvestri, Jon Stanley and me, moderated by Bill Rogers, will explore the technical, legal and ethical issues raised by private sector cooperation in cyber threat analysis and prediction. Our legal track panel at RSA Conference explores the potential for the private sector to contribute meaningfully to the national effort to detect and thwart a cyber attack before it happens.
- Assuming the detection capacity and threat analytics are already sufficiently developed by these players, will they share information with government agencies like CTIIC and under what circumstances should they be compelled to do so?
- What are the legal restrictions currently preventing such sharing?
- How will data accuracy and accountability concerns affect the ethical analysis and the liability exposure, both for those who rely on the threat predictions and for those who produce them?
- Can or should the government compel cooperation for national security reasons? What regulatory safe harbors would be appropriate in such circumstances?
RSA Conference participants are invited to join the discussion on April 23 in Room 2007 Moscone West and anticipate the next legal frontier in cyber security.