Derechos | Equipo Nizkor
11Dec14
Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis
Contents
A Cybersecurity Problem: Misaligned Incentives
The Problem of Underused Information
Perceived Legal Barriers to Information Sharing
Economic Incentives to Not Share Information
Analysis of Firms' Incentives to Share
New Threats
Developing and Sharing Countermeasures
So Why Do Some Firms Share Information?
Role of Consultants and Insurance Companies in Information Sharing
How Can Organizations Share Information?
Categories of Information
Methods of Information Sharing
Public and Private Sector Information Sharing
ISACs
Mandatory, Voluntary, and Incentivized Sharing
Consequences of Inadequate Information Sharing
Direct Effects on Security
Indirect Security Effects through the Market for Cybersecurity Products
Effects of Greater Information Sharing
Selected Legislation in the 113th Congress to Encourage Information Sharing
H.R. 624: The Cyber Intelligence Sharing and Protection Act
Analysis
S. 2588: The Cybersecurity Information Sharing Act
Analysis
S. 2717: The Cyber Information Sharing Tax Credit Act
Analysis
Other Legislation
Conclusion: How Might Incentives Change?
Figures
Figure 1. Financial Services ISAC Membership Tiers
Figure 2. Financial Services ISAC Membership Tiers (Continued)
Summary
Data breaches, such as those at Target, Home Depot, Neiman Marcus, and JPMorgan Chase, affecting financial records of tens of millions of households seem to occur regularly. Companies typically respond by trying to increase their cybersecurity by hiring consultants and purchasing new hardware and software. Policy analysts have suggested that sharing information about these breaches could be an effective and inexpensive part of improving cybersecurity. Firms share information directly on an ad hoc basis and through private-sector, nonprofit organizations such as Information Sharing and Analysis Centers (ISACs) that can analyze and disseminate information.
Firms sometimes do not share information because of perceived legal risks, such as violating privacy or antitrust laws, and economic incentives, such as giving useful information to their competitors. A firm that has been attacked might prefer to keep such information private out of a worry that its sales or stock price will fall. Further, there are no existing mechanisms to reward firms for sharing information. Their competitors can take advantage of the information, but not contribute in turn. This lack of reciprocity, called "free riding" by economists, may discourage firms from sharing. In addition, the information shared may not be applicable to those receiving it, or it might be difficult to apply.
Because firms are reluctant to share information, other firms suffer from vulnerabilities that could be corrected. Further, by not sharing information about effective cybersecurity products and techniques, the size and quality of the market for cybersecurity products suffer.
Some industry leaders call for mandatory sharing of information concerning attacks. Other experts advocate a strictly voluntary approach, because they believe it could impose fewer regulatory costs on businesses and cost less for taxpayers.
Several bills have been introduced in the 113th Congress to encourage information sharing. H.R. 624, the Cyber Intelligence Sharing and Protection Act, and S. 2588, the Cybersecurity Information Sharing Act of 2014, aim to increase information sharing by directing the Department of Homeland Security and the Department of Justice to develop procedures for receiving and sharing information and by providing liability protection for private entities acting in good faith for a cybersecurity purpose. H.R. 624 passed the House, and S. 2588 was reported out of the Senate Select Committee on Intelligence.
Supporters of these two bills argue that they would make cyberspace more secure by increasing the amount and impact of information shared without significantly increasing costs to businesses or taxpayers. They would resolve certain legal issues pertaining to sharing information but do not address the question of why a company would find it in their interest to help a competitor. Opponents of the bills argue that they would make it legal for companies to retaliate against cyberattacks--which could hurt innocent third parties--and raise privacy concerns by allowing firms to share personally identifiable information with government agencies and other companies.
H.R. 624 and S. 2588 might increase the likelihood that informal information sharing networks develop. Although informal networks might not have the technical capabilities of an ISAC, they could be more flexible and could discourage free-riding by cutting "takers" out of the network, which would alter the competitive incentives in favor of more information sharing. A third bill, S. 2717, the Cyber Information Sharing Tax Credit Act, could increase information sharing by providing a 100% tax credit for the costs of joining ISACs. No hearings have been held on S. 2717.
This report analyzes the incentives for companies to share information about cybersecurity breaches with other companies and the federal government.
Cybercrime continues to increase. The media reports data breaches exposing tens of millions of personal financial records at retailers such as Target, Home Depot, and TJ Maxx. The Ponemon Institute, an independent research institute, estimates that the number of attacks on the 59 U.S.-based companies it surveyed rose from the previous year and that the average cost per attack also rose. |1| The Ponemon study found the average annualized cost of cybercrime for those companies was $12.7 million in FY2014 compared with $11.6 million in FY2013.
The Center for Strategic and International Studies estimates that cybercrime costs the global economy about $445 billion in a typical year. |2| The risks to critical infrastructure and national security from cyberattacks are harder to quantify, but the Bipartisan Policy Center recently concluded that the United States has a "September 10th ability to guard against cyberattacks." |3| President Obama and some Members of Congress have identified increasing cybersecurity as a priority. |4|
It would seem that companies could increase their cybersecurity at relatively little cost by sharing information about cyberattacks. The costs of a data breach can include detection, containment, repair, incident response, investigation, fraud losses, and lost sales. The cost of sharing information, including joining a specialized sharing organization, is likely to be less than $100,000.
One obstacle to reducing cybercrime is misaligned incentives, which reduce information sharing about cyberattacks. In the aftermath of a cyberattack, at least four groups could be notified: law enforcement, other companies, customers, and (for public companies) stockholders. In addition, certain regulated companies, such as banks and electrical utilities, could be required to notify their regulators of cyberattacks.
If companies notify law enforcement--typically either the Federal Bureau of Investigation (FBI) or the Secret Service--they do so in the hope that those responsible will be brought to justice and that some sort of recovery can be made. They notify other companies in the hope that greater information sharing will improve security. Customers are notified so that they can monitor their financial information to prevent financial fraud. The Securities and Exchange Commission (SEC) requires publicly traded companies to announce information that could affect investors' decisions to invest in a company.
This report analyzes information sharing by government with private companies, by private companies with the government, and among private companies. Sharing information with consumers is mentioned but is not the central focus of this report.
A Cybersecurity Problem: Misaligned Incentives
Understanding the economic incentives involved in cybersecurity and information sharing can improve the analysis of cybersecurity.
Companies that suffer a cybersecurity breach such as the theft of credit card information do not pay the full cost of the breach. Retailers honoring stolen credit cards have charges reversed (so-called chargebacks) and end up without merchandise or payment. Credit card issuers say that they are not fully compensated for replacing stolen cards. |5| Consumers must monitor their financial accounts and update automated bill payment accounts to guard against cyberattacks. |6|
Meanwhile, software companies frequently weigh the benefits of delays to improve security against the costs of late releases. |7| According to some industry observers, software developers can be under pressure to "ship early, ship often" and fix security and other bugs in a later iteration. |8| Similarly, companies may act in ways that they believe will preserve or increase their market share or profitability even at the expense of cybersecurity.
The Problem of Underused Information
Many in the cybersecurity field have suggested increasing cybersecurity information sharing between individuals, companies, non-governmental organizations, and governments as a way to increase security.
Many kinds of information can be shared to improve cybersecurity. This includes ways to detect specific attacks as well as more general information about hardware, software, and procedures. It can include specific and general information about recovering from a data breach. The cost of sharing is relatively small, but the benefits can be large. Michael Daniel, the White House cybersecurity coordinator, described information sharing as "critical to effective cybersecurity," and legislation was introduced in the 112th and 113th Congresses to promote information sharing. |9|
One kind of information sharing occurs when organizations learn from third parties (such as law enforcement) that information has been compromised. |10| For example, the Secret Service reportedly notified Target |11| and Home Depot |12| that their data systems had been breached.
Information sharing can also flow in the other direction: According to media reports, JPMorgan discovered that it had cybersecurity problems and asked the FBI for assistance. |13|
Sharing information has benefits. If a firm reports a cyberattack, law enforcement can begin searching for those responsible and possibly alert other organizations, which can review their cybersecurity arrangements to prevent similar attacks.
In some cases, broader sharing of information would benefit the attacked firm: if it does not have the resources for defense or other countermeasures, sharing information might allow another entity, such as a security consultant or the software developer, to develop a countermeasure. But sharing cybersecurity information with a competitor can give away security lessons that were learned at great expense. Moreover, some fear that publicly revealing a breach can drive customers to competitors, reducing revenue and possibly depressing the stock price. Either way, the hacked company bears the cost while its competitors may capture the benefit. |14|
In 47 states and the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, companies can be required to notify consumers if personally identifiable information (PII) is breached. |15|
Typically, consumers are notified of the breach, advised to monitor financial accounts closely, and sometimes offered free credit monitoring or other assistance. |16| Some, including the chief information officer of the retailer Urban Outfitters, have argued that public disclosure can tip off attackers or waste time if information is breached but not stolen. |17|
Industry participants and outside observers appear to generally agree that there is less than optimal information sharing about attacks. |18| Although the harm caused by inadequate information sharing is hard to measure, and increasing information sharing can be difficult, sharing has at times increased security. The reverse also holds: even though the broad outline of the Target credit card hack |19| had been widely discussed, Home Depot subsequently fell victim to a similar attack through a vendor whose security had been compromised. |20|
Information sharing would appear to be a relatively inexpensive way for a group of companies to improve their cybersecurity, but a review of recent data breaches shows that most of the details about breaches are released by third party experts, not the firms involved. The next section analyzes some of the reasons for this apparent reticence by firms.
Perceived Legal Barriers to Information Sharing
Firms and industry groups have expressed reluctance to share information in part because doing so might violate privacy or antitrust laws. |21| Another concern is exposing proprietary business information. |22|
To help assuage these fears, the Department of Justice (DOJ) has provided guidance that it will not consider generally accepted cybersecurity information sharing to be anticompetitive behavior. |23| Some cybersecurity experts, industry participants, and several Members of Congress remain concerned that firms are holding back information that could make cyberspace more secure. |24|
Economic Incentives to Not Share Information
In theory, sharing information about cybersecurity attacks and defenses has many benefits:
- Everyone would appear to benefit from eliminating duplication of costs and efforts.
- Sharing efforts could detect breaches faster and reduce damage caused by breaches.
- Sharing breach information and joint research efforts could lead to new ways to protect information.
In practice, there are also other considerations:
- Some argue that, despite official pronouncements, there are unresolved legal questions concerning privacy and antitrust issues surrounding sharing cybersecurity information.
- Some organizations may be reluctant to help competitors and, in extreme cases, might listen to what others share but offer nothing in return (free-riding in economic terms).
- If the shared information itself is breached by hackers, the organizations could be worse off than if they had not shared the information.
- Public disclosure of a breach may cost an organization customers and sales and affect its stock price.
Although there is some evidence that such fears have been exaggerated, evidence also suggests that they may be the primary factors preventing firms from sharing cybersecurity information. |25| Since Target's data breach was first revealed on December 18, 2013, its stock price has declined 3%. In the same time period, Costco's stock price increased 9%, while Walmart's declined 3% and Best Buy's declined 22%. However, other factors may have been at work; specifically, Target's stock price was already trending down.
The Information Sharing and Analysis Center (ISAC) Council emphasized to the Government Accountability Office (GAO) that "the benefits of sharing information are often difficult to discern, while the risks and costs of sharing are direct and foreseeable." |26| A survey of information technology executives found that their chief worry about data breaches was the loss in consumer confidence and resultant decline in revenue, not the losses directly caused by the breach. |27|
Analysis of Firms' Incentives to Share
To understand why companies may not share cybersecurity information, some theoretical scenarios applying basic game theory are examined.
New Threats
Consider a firm that recognizes a new threat or a new (to it, at least) instance of a known threat, one to which its competitors are also potentially vulnerable. There are several possible outcomes depending on the characteristics of the threat and the firms.
If the threat to its profits is small, the firm may or may not choose to develop a countermeasure or share information about the threat, depending on its evaluation of potential reputational benefits for altruistically sharing the information. Some cyberattacks can be viewed as a cost of doing business, much like shoplifting is.
If the threat is significant, the firm may try to develop a custom countermeasure (for instance, hiring a security consultant to create a defense involving new procedures, software, or hardware). If the firm is unable to obtain a countermeasure, it may or may not have financial incentives to share information about the threat, depending on the possibility of another organization developing a countermeasure. Even if the firm believes that developing a countermeasure is unlikely or impossible, there might not be sufficient incentives to share the information compared with the advantages of not sharing with competitors.
Industries making similar products and using similar technologies can benefit more from information sharing, but as they are also more likely to be competitive, they may be less likely to share information. |28| Stronger industry associations could arguably counteract this effect.
Developing and Sharing Countermeasures
If the threat is more general, a firm that develops a countermeasure must weigh the competitive advantage it now holds against selling or giving away the countermeasure. Some firms, such as many in the defense industrial base, also sell cybersecurity services and could decide to sell it, while others, such as those in water treatment, might not be in a position to.
So Why Do Some Firms Share Information?
In most of the scenarios above, organizations might decide not to share information lest they diminish their competitive advantage. So why do organizations sometimes choose to share information?
One reason, as discussed above, may be that the threat is small and the firm wants to cultivate a reputation as a good corporate citizen. The legal requirement to maximize shareholder value does not translate into employing any means necessary to increase the stock price. Cybersecurity is integral to national security and economic growth, and people may choose to share information, even anonymously, when doing so runs against the balance of their near-term economic incentives, in order to foster a more secure nation and a more productive economy.
Role of Consultants and Insurance Companies in Information Sharing
When an organization calls in outside experts to help after a data breach, these consultants use their accumulated knowledge to investigate, document, and remediate the breach. The contract terms are negotiated between the two parties and generally not disclosed to the public. Following general practices, it is likely that the outside experts agree not to disclose proprietary information. Nevertheless, the consultants leave with knowledge about the data breach, and this information can be used in consulting with other companies.
Following existing practices for property and casualty insurance, companies writing cyberinsurance are likely to assess the cyber security practices of a (potential) client. Following a data breach claim, a cyberinsurance company would be likely to conduct or monitor a third-party investigation of the breach. Thus, cyberinsurance companies could gather detailed, technical information on breaches and use this knowledge to prevent future breaches at other clients.
How Can Organizations Share Information?
This section analyzes how organizations share information and legislation introduced in the 113th Congress to encourage information sharing.
Categories of Information
Organizations primarily share information about new types of threats, new instances of known threats, and best practices. Information about the effects of an attack can also be shared, even if the method of attack is unknown--for example, by notifying other firms that information has been stolen or that a resource is not operational.
Methods of Information Sharing
Certain types of information can be shared automatically to maximize its value. For instance, when some antivirus software detects malware, it automatically notifies the software vendor, which can analyze the information and update the antivirus software.
Shortly before its 2013 data breach, which led to the theft of more than 40 million payment card details, Target had installed a security system designed to isolate new malware before it could damage production systems. This software reportedly includes the option to delete malware automatically, but according to a media investigation, "Target's security team turned that function off." |29| The report quoted a chief information security officer of another company who described the choice as normal, because "typically, as a security team, you want to have that last decision point of 'what do I do.'"
Machine autonomy has its own risks. Machines generally are not as skilled as individuals at identifying proprietary information or PII that should not be shared. Attackers could subvert autonomous information sharing software to spread their reach further, or to put their own tools on a list of approved programs (a "whitelist"). For effective machine-to-machine sharing to occur, firms need to have high levels of trust in each other and to share technical expertise.
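The two risks named above, PII leaking into an automated feed and a subverted partner pushing its own tooling onto an approved list, are both addressable at the point where a record leaves (or enters) an organization. The following is an added example and not code from the report or from any ISAC or vendor; the record layout, the field names, the internal domain suffix `corp.example` and the rule that only "block" and "alert" indicators may be exchanged are all assumptions chosen for illustration. It scrubs e-mail addresses, internal hostnames and RFC 1918 addresses from an indicator record, refuses to share internal infrastructure, and refuses anything that would ask the receiving side to trust a value.

```python
"""Sanitizing incident records before automated (machine-to-machine) sharing.

Added example, not from the CRS report. Record layout, field names, the
internal suffix and the accepted-action policy are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# RFC 1918, loopback and link-local ranges: addresses that describe *our*
# network layout rather than the attacker's, so they never leave the house.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# A shared indicator may ask the receiver to block or alert, never to trust.
# Refusing "allow" both outbound and inbound means a compromised sharing
# partner cannot whitelist its own malware through the feed.
ACCEPTED_ACTIONS = {"block", "alert"}


@dataclass
class Indicator:
    kind: str     # "ipv4", "sha256" or "domain"
    value: str
    action: str   # "block", "alert" or "allow"
    note: str = ""


def is_internal_ip(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def scrub_note(text: str, internal_suffix: str) -> str:
    """Redact e-mail addresses, internal hostnames and internal IPs in free text."""
    text = EMAIL_RE.sub("[email]", text)
    host_re = r"\b[\w-]+(?:\.[\w-]+)*\." + re.escape(internal_suffix) + r"\b"
    text = re.sub(host_re, "[internal-host]", text)
    return IPV4_RE.sub(
        lambda m: "[internal-ip]" if is_internal_ip(m.group()) else m.group(), text)


def sanitize_for_sharing(indicators, internal_suffix="corp.example"):
    """Split records into (shareable, rejected); rejected carries the reason."""
    shareable, rejected = [], []
    for ind in indicators:
        if ind.action not in ACCEPTED_ACTIONS:
            rejected.append((ind, "allowlist requests are never shared or accepted"))
        elif ind.kind == "ipv4" and is_internal_ip(ind.value):
            rejected.append((ind, "internal address reveals network layout"))
        elif ind.kind == "domain" and ind.value.endswith("." + internal_suffix):
            rejected.append((ind, "internal hostname"))
        else:
            shareable.append(Indicator(ind.kind, ind.value, ind.action,
                                       scrub_note(ind.note, internal_suffix)))
    return shareable, rejected


# Constructed sample records, as an analyst's tooling might have logged them.
SAMPLE = [
    Indicator("ipv4", "203.0.113.45", "block",
              "C2 seen from pos-reg-07.corp.example, reported by j.doe@corp.example"),
    Indicator("ipv4", "10.20.30.40", "block", "compromised point-of-sale host"),
    Indicator("sha256", "a" * 64, "alert", "memory scraper dropped in C:\\Windows\\Temp"),
    Indicator("domain", "vpn.corp.example", "block", "attacker pivoted through VPN"),
    Indicator("sha256", "b" * 64, "allow", "our own admin tool, please whitelist"),
]


def main():
    good, bad = sanitize_for_sharing(SAMPLE)
    for ind in good:
        print("SHARE", ind.kind, ind.value, ind.action, "|", ind.note)
    for ind, why in bad:
        print("DROP ", ind.kind, ind.value, "|", why)


if __name__ == "__main__":
    main()
```

Of the five constructed records, two survive: the external command-and-control address, with the point-of-sale hostname and the analyst's e-mail redacted from its note, and the file hash. The internal address, the internal VPN hostname and the whitelist request are dropped with a reason an operator can review. The same function should run on inbound records too, since the trust problem is symmetric.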
Public and Private Sector Information Sharing
Information can be shared within the private sector, within the public sector, and between the two. Government contractors may be subject to more stringent information sharing and disclosure requirements depending on the nature of the work and what department they are working with: the Department of Defense (DOD), for example, requires contractors to report potential exfiltration of classified information. |30| A subset of the private sector, the critical infrastructure industries, operates slightly differently than the rest by relying heavily on Information Sharing and Analysis Centers (ISACs).
ISACs
In 1998, Presidential Decision Directive 63, on critical infrastructure protection, authorized the creation of ISACs and critical infrastructure sector coordinators to assist in their creation. |31|
ISACs are private-sector, nonprofit entities that collect, analyze, and share information on cybersecurity threats and best practices. |32| Some, such as the Defense Industrial Base ISAC and the Oil and Natural Gas ISAC, have mechanisms to share information anonymously between members and with the government. The government also uses ISACs as a tool to communicate with sectors rapidly, particularly in emergency situations. The government also runs some ISAC-like entities, such as the Financial Sector Cyber Intelligence Group. |33|
Sectors outside of critical infrastructure have also created ISACs, such as the Retail ISAC. Conversely, the Food ISAC, although food and agriculture is classified as a critical infrastructure sector by DHS, ceased operating due to a lack of information sharing. |34|
The Multi-State ISAC includes all 50 states, four U.S. territories, the District of Columbia, and many local governments. The electricity sector ISAC, run by the North American Electric Reliability Corporation, counts virtually all registered electricity providers as members.
Although the ISACs are sector specific, the multifaceted nature of modern corporations means that these boundaries are not always clear. For example, because the retailer Target owns a bank, the company became the first retailer to join the Financial Services ISAC (FS-ISAC). |35|
Membership in ISACs is voluntary, and levels of participation vary. As shown in Figure 1 and Figure 2, the FS-ISAC offers membership tiers ranging from free (with limited benefits) to platinum, which carries full benefits and costs $49,950 annually.
This has not equalized the participation rates among firms with varying levels of resources. New York State found that 60% of large banking organizations and 25% of small organizations were members of the FS-ISAC. |36| Nonetheless, the FS-ISAC has helped its members combat cybersecurity issues such as denial-of-service attacks. |37|
Although cybersecurity is important to the information technology industry, the IT-ISAC has only 33 members. Several large IT and security vendors--such as Symantec, FireEye, and DocuSign--are members, but many of the biggest companies in IT, including Google, Mozilla, Adobe, Apple, and Facebook, are not. |38| However, IT-ISAC shares information with other organizations, such as the IT Sector Coordinating Council, whose broader membership reaches, through other alliances, companies such as Google and Facebook. |39|
Generally, ISACs cannot prevent free-riding. If a company joins, there is usually no mechanism preventing it from receiving information even if it does not contribute information of its own. Free-riding has the potential to discourage information sharing. If a sharer consistently contributes without receiving information in return, it may decide that it is helping its competitors more than it is benefitting from sharing.
Figure 1. Financial Services ISAC Membership Tiers (image not reproduced). Source: Financial Services ISAC, Membership Benefits, https://www.fsisac.com/join.
Figure 2. Financial Services ISAC Membership Tiers (Continued) (image not reproduced). Source: Financial Services ISAC, Membership Benefits, https://www.fsisac.com/join.
Mandatory, Voluntary, and Incentivized Sharing
The SEC requires publicly traded companies to disclose "material information," including with regard to cybersecurity risks and cyber incidents. The Supreme Court has ruled that information is material if there is "a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available." |40| One open issue is how quickly information must be announced. Cybersecurity breaches can require weeks or months of investigation and remediation. Law enforcement may be concerned that a public announcement will alert those responsible and allow them to take countermeasures.
As discussed above, DOD is reported to require that its contractors share information on potential security breaches. |41|
Some, such as Dan Geer, chief information security officer of In-Q-Tel (a nonprofit venture capital firm that serves the U.S. intelligence community), have called for mandatory sharing of some information. He has noted that multiple sources estimate that third parties discover 75% of data breaches. Geer bases his proposed model on the systems used by the aviation industry, which voluntarily reports incidents that had a significant chance of causing damage, and by the Centers for Disease Control and Prevention, which mandates reporting of incidents above a certain threshold of harm. |42| Other experts advocate a strictly voluntary approach, because they believe it could impose fewer regulatory costs on businesses and cost less for taxpayers. |43|
Consequences of Inadequate Information Sharing
Direct Effects on Security
Inadequate cybersecurity information sharing is thought to result in suboptimal security. By not sharing, organizations may duplicate each other's work. If the information were shared--with or without cost--the savings could, in theory, be applied to increasing cybersecurity or to some other purpose.
Indirect Security Effects through the Market for Cybersecurity Products
Information differences between buyers and sellers of cybersecurity products could lower the size and quality of the market for cybersecurity products. Cybersecurity can be thought of as an example of a "market for lemons," a concept developed by George Akerlof, which he applied to the used car market. |44|
In a "lemon market," buyers cannot accurately assess a product's value before purchasing it, and sellers cannot credibly disclose the product's value because they have incentives to overstate the quality of their products. If the buyer cannot determine whether the product is better or worse than average, the buyer will be unwilling to pay more than the average price of all the products in the market. This means sellers of better than average quality products have difficulty selling their products for what they are worth, so they underinvest in product development, driving down the overall quality and size of the market.
Security products in general are prone to this problem. It is difficult or impossible to know whether a security product is working because it is good or because the attacks have been weak or few in number. The overall effect is that there are fewer products and relatively fewer good products to choose from, and buyers cannot be confident that they are getting a good value. One result could be less cybersecurity investment than would be optimal.
Effects of Greater Information Sharing
Sharing more information could reduce these information asymmetries, increasing the size and quality of the market for cybersecurity products and making cyberspace more secure; it would, for example, allow firms to better estimate the probability and costs of data breaches. Sharing more information could also reduce duplication of effort, making dollars spent on cybersecurity more effective. Clear metrics of effectiveness and objective, trusted, third-party evaluation services do not appear to exist in the cybersecurity market today. |45|
The advantages of information sharing are likely to be greatest when organizations are using similar technologies. For example, learning about a weakness in an operating system or application software has the most value to an organization using that operating system or application. It might provide a lesson to those using other software, but it is less likely to be directly applicable.
Another concern is that erroneous information could lead to new security holes. The reputation of those providing information can provide assurance that experts have reviewed and passed on the information.
Currently, a main enforcement mechanism for cybersecurity is the Federal Trade Commission's (FTC's) authority to sue companies for deceptive practices--for example, claiming that their products are "secure" when they do not employ common security practices. |46| Thus, a de facto standard exists for what constitutes acceptable cybersecurity, but it is based on a series of actions taken by organizations that do not need to publicize their security practices. Greater information sharing could make it easier for companies to implement uniform security practices.
Greater information sharing may, in some instances, effectively weaken cybersecurity by creating an overwhelming amount of information, eliminating the capacity to pay attention to truly important alerts. ISACs can help to mitigate this problem by analyzing information and sorting out what information is relevant to subsets of their members.
Some have argued that greater information sharing could encourage the growth of the $1.3 billion cyberinsurance market by allowing for more accurate assessment of risk and security products' effectiveness. |47| A more mature cyberinsurance market would itself make cyberspace more secure: Insurers promote practices that make the insured safer, which would decrease insurers' payouts. Insurers verify and inspect the systems they are insuring. However, some analysts believe that cyberinsurance will have limited utility as many of the losses, such as damage to one's reputation, are intangible and difficult to put a value on. |48|
Selected Legislation in the 113th Congress to Encourage Information Sharing
This section provides brief summaries of three bills that were introduced in the 113th Congress. For more details, see CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions, by Eric A. Fischer and CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.
H.R. 624: The Cyber Intelligence Sharing and Protection Act
The House passed H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), on April 18, 2013. |49| CISPA directs the President to designate entities within DHS and DOJ to receive cybersecurity and cybercrime information, respectively, and to develop procedures to ensure real-time sharing with appropriate agencies, cybersecurity providers, and self-protected entities. The bill also requires the Director of National Intelligence to establish procedures for information sharing with entities and persons holding appropriate security clearances.
CISPA authorizes the government to use shared information for cybersecurity purposes but not for regulatory purposes, and it prohibits the use of certain personally identifiable information (PII). CISPA exempts information shared with the federal government from public disclosure. The bill specifies that it shall not be construed to preclude the federal government from requiring an entity to report significant cyber incidents under another provision of law.
CISPA authorizes cybersecurity providers and self-protected entities to perform cybersecurity activities and share information for a cybersecurity purpose. The bill prohibits private entities from using such information to gain a competitive advantage, requires that they anonymize information to the greatest extent possible, and prohibits private entities from using such information for any non-cybersecurity purpose. CISPA also provides liability protection from civil or criminal causes of action against private entities acting in good faith for a cybersecurity purpose.
CISPA could increase information sharing. Firms that want to share information but have been advised that it is legally risky will be more likely to share information. (Although the bill does not address antitrust issues except to say that shared information cannot be used to gain a competitive advantage, the DOJ guidance discussed above addresses this issue.) |50| In particular, it aids sharing by firms that are not members of ISACs--smaller firms and firms not in critical infrastructure sectors--because ISACs already perform many of the functions that the government would perform under CISPA, such as anonymization, sharing, and analysis.
CISPA would not alter the fundamental economic incentives that cause many companies to choose not to share information, but it has the potential to indirectly allow incentives to change. Firms that perceive information sharing as a potentially profit-diminishing action could still be reluctant to share information. However, by giving companies greater legal protection to share outside of ISACs, informal sharing networks could develop in which companies could exclude free-riders. This would create positive norms of reciprocal sharing and receiving. However, the bill does not guarantee this outcome.
Civil liberties and privacy advocates have raised concerns with the bill. Their concerns center on the fact that H.R. 624 does not specify privacy protections in the bill itself but rather directs DHS, DOJ, the Director of National Intelligence, and DOD to promulgate and review procedures to protect privacy and civil liberties. |51|
The Office of Management and Budget (OMB) issued a statement of administration policy expressing President Obama's intent to veto the bill largely due to these concerns. |52|
S. 2588: The Cybersecurity Information Sharing Act
S. 2588, the Cybersecurity Information Sharing Act (CISA), was introduced by Senator Dianne Feinstein and passed by the Senate Select Committee on Intelligence on July 10, 2014. CISA is similar to the House's CISPA. In the 112th Congress, legislation similar to CISA and CISPA was introduced. CISA directs the federal government to promulgate information sharing and receiving procedures and policies to protect privacy and civil liberties. CISA also limits the federal government's authority to use the information to cybersecurity and cybercrime purposes.
CISA also provides liability protection for private entities fulfilling cybersecurity purposes in good faith. Additionally, CISA specifically exempts good faith sharing of cybersecurity information for cybersecurity purposes from antitrust causes of action--with exceptions to the exemption for certain explicitly anticompetitive behavior.
Unlike CISPA, CISA prohibits requiring an entity to provide information to the federal government.
Like CISPA, CISA itself does not fundamentally change the financial incentives for companies to share information. However, by explicitly providing antitrust protection, the bill would likely have a greater chance than CISPA of encouraging the development of informal networks with norms of reciprocal sharing. Yet by prohibiting the federal government from requiring the sharing of information, S. 2588 deprives the government of a powerful tool that might increase the sharing of cybersecurity information among private-sector participants.
S. 2717: The Cyber Information Sharing Tax Credit Act
S. 2717, the Cyber Information Sharing Tax Credit Act (CISTCA), was introduced in the Senate on July 31, 2013, by Senator Kirsten Gillibrand. The bill would provide refundable tax credits for all expenses, except travel costs, associated with joining an ISAC. |53|
S. 2717 is unusual in providing a 100% tax credit for the action it promotes. More common is for a credit to cover only some of the cost of the action. |54| Under the bill, it would be in more companies' best interests to join their respective ISACs, because they would be refunded nearly all of the expenses associated with joining and participating in an ISAC. |55| Under S. 2717, there would be little after-tax cost to joining an ISAC.
For many ISACs, the bill will have little to no impact, as their membership is already at or near 100% of their sectors. However, for other ISACs, such as the retail or IT ISACs, the bill could potentially increase membership. The costs associated with joining an ISAC can be daunting for smaller firms, as evidenced by their lower rates of participation in the FS-ISAC, for example. |56|
The competitive incentives to not share information would remain intact. Still, the bill could increase the amount and spread of information shared.
In the 112th Congress, S. 3414, the Cybersecurity Act of 2012, would have required critical infrastructure entities to share "significant cyber incidents." S. 3414 would also have provided tangible incentives to share, such as prioritized technical assistance, threat alerts, public recognition, expedited security clearances, and liability protection. |57|
Conclusion: How Might Incentives Change?
Each of these three bills introduced in the 113th Congress aims to make cyberspace more secure by increasing the amount and impact of information shared while not significantly increasing costs to businesses or taxpayers. None of them addresses the competitive incentives to not share information.
However, CISPA and CISA increase the likelihood of informal information sharing networks developing. Although informal networks might not have the technical capabilities of an ISAC, they can arguably discourage free-riding by cutting "takers" out of the network, which would alter incentives in favor of more information sharing. This arguably requires a serious commitment to prioritizing the good of the sector over the good of the individual firm during the initial phase of informal sharing. CISPA and CISA also increase the likelihood that the markets for cybersecurity products and cyberinsurance will grow in size and quality.
There are other ways that behavior could change: more mandatory information sharing, for example. In 47 states and the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, companies must disclose when PII has been breached. Several bills have been introduced that would harmonize this "quilt" of state laws with a federal law. |58| General Motors' recent failure to announce safety information either to the public or senior management arguably warns that disclosure requirements are not always followed.
[Source: By N. Eric Weiss, Congressional Research Service, Washington D.C., 11Dec14. N. Eric Weiss is a Specialist in Financial Economics.]
Notes:
1. Ponemon Institute, 2014 Cost of Cyber Crime Study: United States, October 2014, https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5208enw.pdf. The Ponemon report looks at the average cost of cybercrime per incident for 59 companies, not the total cost in the United States. [Back]
2. McAfee and the Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime, June 2014, http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf. [Back]
3. Bipartisan Policy Center, Reflections on the Tenth Anniversary of the 9/11 Commission Report, Washington, DC, July 2014, p. 7, http://bipartisanpolicy.org/sites/default/files/files/%20BPC%209-11%20Commission.pdf. The reference to September 10th is a comparison to the relative lack of airplane security that existed prior to the September 11, 2001 attacks on the World Trade Centers and the Pentagon. [Back]
4. See, for example, U.S. Senate Committee on Banking, Housing, and Urban Affairs, "Johnson, Crapo Seek Information on Cybersecurity," press release, October 21, 2014, http://www.banking.senate.gov/public/index.cfm?FuseAction=Newsroom.PressReleases&ContentRecord_id=0dd1c77a-a2c4-861b-300d-92d66f74a086. [Back]
5. Nicholas Ballasy, "Home Depot Breach Costs CUs $60 M," Credit Union Times, October 30, 2014, http://www.cutimes.com/2014/10/30/home-depot-breach-costs-cus-60m. [Back]
6. Tyler Moore and Ross Anderson, Economics and Internet Security: a Survey of Recent Analytical, Empirical, and Behavioral Research, Computer Science Group, Harvard University, 2011, p. 1, ftp://ftp.deas.harvard.edu/techreports/tr-03-11.pdf. [Back]
7. Ross Anderson, "Why Information Security Is Hard--An Economic Perspective," 17th Annual Computer Security Applications Conference, December 10, 2001, http://www.cl.cam.ac.uk/~rja14/Papers/econ.pdf. [Back]
8. Andrew Leonard, "Triumph of the Free-Software Will," Salon, October 31, 2000, http://www.salon.com/2000/10/31/software_passion/. [Back]
9. For details, see CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions, by Eric A. Fischer. [Back]
10. Ellen Nakashima, "U.S. Notified 3,000 Companies in 2013 about Cyberattacks," Washington Post, March 24, 2014, http://www.washingtonpost.com/world/national-security/2014/03/24/74aff686-aed9-11e3-96dc-d6ea14c099f9_story.html. [Back]
11. Matt Townsend, Lindsey Rupp, and Lauren Coleman-Lochner, "U.S. Secret Service Probes Card Security Breach at Target," Bloomberg, December 19, 2013, http://www.bloomberg.com/news/2013-12-19/u-s-secret-service-investigating-card-security-breach-at-target.html. [Back]
12. Mark Hosenball and Nandita Bose, "UPDATE 3: Home Depot in Contact with Secret Service over Alleged Breach-- Source," September 4, 2014, http://www.reuters.com/article/2014/09/04/usa-homedepot-dataprotection-idUSL1N0R517720140904. [Back]
13. Michael Corkery, Jessica Silver-Greenberg, and David E. Sanger, "Obama Had Security Fears on JPMorgan Data Breach," New York Times, October 8, 2014, http://dealbook.nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall-street/. [Back]
14. Academic research suggests that cybersecurity breaches depress stock prices. See, for example, Griselda Sinanaj and Jan Muntermann, "Assessing Corporate Reputational Damage of Data Breaches: An Empirical Analysis," 26th Bled e Conference, Bled, Slovenia, June 2013, https://domino.fov.uni-mb.si/proceedings.nsf/Proceedings/820BFAD242085887C1257B8A002F0B02/$File/07_Sinanaj.pdf; and Edward A. Morse, Vasant Raval, and John R. Wingender Jr., "Market Price Effects of Data Security Breaches," Information Security Journal: A Global Perspective, vol. 20, no. 6 (November 11, 2011), pp. 263-273. For a contrary view by reporters, see Sarah Halzack, "Home Depot and JPMorgan Are Doing Fine. Is It a Sign We're Numb to Data Breaches?" Washington Post, October 6, 2012, http://www.washingtonpost.com/news/get-there/wp/2014/10/06/home-depot-and-jpmorgan-are-doing-fine-is-it-a-sign-were-numb-to-data-breaches/. [Back]
15. The definition of PII and the thresholds for consumer notification vary by state. For more information on state laws, see CRS Report R42475, Data Security Breach Notification Laws, by Gina Stevens. PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. For more on PII, see Erika McCallister, Tim Grance, and Karen Scarfone, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): Recommendations of the National Institute of Standards and Technology," U.S. Department of Commerce, National Institute of Standards and Technology, April 2010, pp. 2-1, http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf. See also National Council of State Legislatures, "Security Breach Notification Laws," September 3, 2014, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. [Back]
16. For example, see Home Depot's recent data breach announcement. Home Depot, "The Home Depot Completes Malware Elimination and Enhanced Encryption of Payment Data in All U.S. Stores: Provides Further Investigation Details, Updates Outlook," press release, September 18, 2014, https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf. [Back]
17. Danny Yadron, "Executives Rethink Merits of Going Public with Data Breaches," Wall Street Journal, August 4, 2013, http://online.wsj.com/articles/a-contrarian-view-on-data-breaches-1407194237?mod=mktw. [Back]
18. Ray Suarez, "Examining Cyber Security with Homeland Security Secretary Janet Napolitano," PBS NewsHour, February 15, 2013, http://www.pbs.org/newshour/bb/science-jan-june13-cybersecurity_02-15/. [Back]
19. For more information about the Target data breach, see CRS Report R43496, The Target Data Breach: Frequently Asked Questions, by N. Eric Weiss and Rena S. Miller. [Back]
20. Jeffrey Roman, "Home Depot, Target: Same Breach Script," Bank Info Security, November 10, 2014, http://www.bankinfosecurity.com/home-depot-target-same-breach-script-a-7544/op-1. [Back]
21. Securities Industry and Financial Markets Association, "Principles for Effective Cybersecurity Regulatory Guidance," press release, October 20, 2014, http://www.sifma.org/issues/item.aspx?id=8589951691. [Back]
22. For more information, see CRS Legal Sidebar WSLG483, Obstacles to Private Sector Cyber Threat Information Sharing, by Edward C. Liu. [Back]
23. Department of Justice, "Department of Justice, Federal Trade Commission Issue Antitrust Policy Statement on Sharing Cybersecurity Information," press release, April 10, 2014, http://www.justice.gov/opa/pr/justice-department-federal-trade-commission-issue-antitrust-policy-statement-sharing. [Back]
24. Office of Management and Budget, "Statement of Administration Policy, H.R. 624--Cyber Intelligence Sharing and Protection Act," April 16, 2013, http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/113/saphr624r_20130416.pdf. [Back]
25. See Alessandro Acquisti, Allan Friedman, and Rahul Telang, "Is There a Cost to Privacy Breaches? An Event Study," presented at the Workshop on the Economics of Information Security 2006, http://www.heinz.cmu.edu/~acquisti/papers/acquisti-friedman-telang-privacy-breaches.pdf; and Ali Alper Yayla and Qing Hu, "The Impact of Information Security Events on the Stock Value of Firms: The Effect of Contingency Factors," Journal of Information Technology, vol. 26, no. 1 (May 4, 2010), http://www.palgrave-journals.com/jit/journal/v26/n1/abs/jit20104a.html. [Back]
26. U.S. Government Accountability Office, "Critical Infrastructure Protection: Improving Information Sharing with Infrastructure Sectors," July 2004, pp. 9-10, http://www.gao.gov/products/GAO-04-780. [Back]
27. Esther Gal-Or and Anindya Ghose, "The Economic Incentives for Sharing Security Information," Information Systems Research, vol. 16, no. 2 (June 2005), p. 187, http://pages.stern.nyu.edu/~aghose/ISR.pdf. [Back]
28. For more on the effects of product similarity, see Esther Gal-Or and Anindya Ghose, "The Economic Incentives for Sharing Security Information," Information Systems Research, vol. 16, no. 2 (June 2005), p. 187, http://pages.stern.nyu.edu/~aghose/ISR.pdf. [Back]
29. Michael Riley et al., "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It," Bloomberg Businessweek, March 13, 2014, http://www.businessweek.com/printer/articles/189573-missed-alarms-and-40-million-stolen-credit-card-numbers-how-target-blew-it. [Back]
30. Jon W. Burd, "Cybersecurity Developments: Does the NIST 'Voluntary' Framework Portend New Requirements for Contractors?" Wiley Rein LLP, 2013, http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=3&id=9264. [Back]
31. The critical sectors are chemicals, communications, commercial facilities, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government, healthcare and public health, information technology, nuclear, transportation, and water and waste water. For more information, see National Telecommunications and Information Administration, "Presidential Decision Directive 63 on Critical Infrastructure Protection," 63 Federal Register 41804-41806, August 5, 1998. [Back]
32. ISAC Council, "Government-Private Sector Relations," January 31, 2004, http://www.isaccouncil.org/images/Government_Private_Sector_Relations_013104.pdf. [Back]
33. Zachary Goldfarb and Ellen Nakashima, "Lew Says Financial Industry Could Do More to Prevent Cyberattacks," Washington Post, July 16, 2014, http://www.washingtonpost.com/business/economy/lew-says-financial-industry-could-do-more-to-prevent-cyberattacks/2014/07/16/6909e970-0d22-11e4-8341-b8072b1e7348_story.html. [Back]
34. Joseph Straw, "Food Sector Abandons Its ISAC," Security Management, http://www.securitymanagement.com/article/food-sector-abandons-its-isac-004590. [Back]
35. CRS Report R43496, The Target Data Breach: Frequently Asked Questions, by N. Eric Weiss and Rena S. Miller. [Back]
36. New York State Department of Financial Services, Report on Cyber Security in the Banking Sector, May 2014, p. 4, http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf. [Back]
37. The White House, "Getting Serious about Information Sharing for Cybersecurity," April 10, 2014, http://www.whitehouse.gov/blog/2014/04/10/getting-serious-about-information-sharing-cybersecurity. [Back]
38. IT-ISAC, Members, August 7, 2014, http://www.it-isac.org/#!members/c1tsl. [Back]
39. Letter from Brian Willis, president, IT-ISAC, to Dr. Melissa Hathaway, acting senior director for cyberspace, NSC, February 27, 2009, http://www.whitehouse.gov/files/documents/cyber/Willis%20Brian%20-%20IT%20ISAC%20Final%20Letter%20to%20Dr%20Hathaway.pdf. [Back]
40. TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976). For a discussion of recent controversies involving disclosure (or nondisclosure) of "material information," see Steven Davidoff Solomon, "In Corporate Disclosure, a Murky Definition of Material," New York Times, April 5, 2011, http://dealbook.nytimes.com/2011/04/05/in-corporate-disclosure-a-murky-definition-of-material/?_php=true&_type=blogs&_r=0. [Back]
41. Jon W. Burd, "Cybersecurity Developments: Does the NIST 'Voluntary' Framework Portend New Requirements for Contractors?" Wiley Rein LLP, 2013, http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=3&id=9264. [Back]
42. Dan Geer, "Cybersecurity as Realpolitik," keynote address at Black Hat USA 2014, Las Vegas, NV, August 6, 2014, http://geer.tinho.net/geer.blackhat.6viii14.txt. [Back]
43. David Inserra and Paul Rosenzweig, "Cybersecurity Information Sharing: One Step towards U.S. Security, Prosperity, and Freedom in Cyberspace," Heritage Foundation, April 1, 2014, http://www.heritage.org/research/reports/2014/04/cybersecurity-information-sharing-one-step-toward-us-security-prosperity-and-freedom-in-cyberspace. [Back]
44. George Akerlof, "The Market for 'Lemons': Quality Uncertainty and the Market Mechanism," Quarterly Journal of Economics, vol. 84, no. 3 (August 1970), pp. 488-500. [Back]
45. In addition, an organization's cybersecurity depends on all the defensive measures that it has taken. A perfect anti-virus program does not exist, but even if it did it would not protect against other types of attack. [Back]
46. Federal Trade Commission v. Wyndham Worldwide Corporation, et al., Civil Action No. 13-1887 (ES) (U.S. District Court of New Jersey 2014). For CRS legal analyses of these issues see, for example, CRS Legal Sidebar WSLG947, FTC v. Wyndham Worldwide Corp.: NJ Federal District Court Upholds the FTC's Authority to Regulate Data Security as an Unfair Trade Practice, by Gina Stevens. [Back]
47. Nicole Perlroth and Elizabeth A. Harris, "Cyberattack Insurance a Challenge for Business," New York Times, June 8, 2014, http://www.nytimes.com/2014/06/09/business/cyberattack-insurance-a-challenge-for-business.html?_r=0. [Back]
49. In the 112th Congress, a similar bill, H.R. 3523, the Cyber Intelligence Sharing and Protection Act, also passed the House. [Back]
50. Letter from Joel I. Klein, assistant attorney general, to Barbara Greenspan, Esq., associate general counsel, Electric Power Research Institute, October 2, 2000, http://www.justice.gov/atr/public/busreview/6614.pdf. [Back]
51. For more information, see CRS Report WSLG480, Privacy and Civil Liberties Issues Raised by CISPA, by Andrew Nolan. [Back]
52. Office of Management and Budget, "Statement of Administration Policy, H.R. 624 - Cyber Intelligence Sharing and Protection Act," April 16, 2013, http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/113/saphr624r_20130416.pdf. [Back]
53. Senator Kirsten Gillibrand, "Gillibrand Introduces New Cyber-Security Legislation," press release, July 31, 2014, http://www.gillibrand.senate.gov/newsroom/press/release/gillibrand-introduces-new-cyber-security-legislation-after-new-9/11-commission-report-released-last-week-concluded-a-9/10-ability-to-protect-against-cyber-attacks. [Back]
54. For more information on tax credits, see CRS Report R42726, The Corporate Income Tax System: Overview and Options for Reform, by Mark P. Keightley and Molly F. Sherlock and CRS Report RL32808, Overview of the Federal Tax System, by Molly F. Sherlock and Donald J. Marples. [Back]
55. A company that has no tax liability in a year would not benefit from the tax credit. [Back]
56. New York State Department of Financial Services, "Report on Cyber Security in the Banking Sector," May 2014, p. 4, http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf. [Back]
57. For information on other legislation, including bills passed in previous Congresses, see CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions, by Eric A. Fischer. [Back]
58. For more information, see CRS Report R42475, Data Security Breach Notification Laws, by Gina Stevens and CRS Report R42474, Selected Federal Data Security Breach Legislation, by Kathleen Ann Ruane. [Back]
This document has been published on 14Jan15 by the Equipo Nizkor and Derechos Human Rights. In accordance with Title 17 U.S.C. Section 107, this material is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes.