With data breaches increasing exponentially, cyber security has again become a rallying point for policy makers. While there have been plenty of attempts to make life harder for hackers over the past decade, we’ve got precious little to show for it. So enough already with the politicking and posturing for the cameras, the time has come for real solutions.

It’s clear that the sharing of threat data is crucial, and can bolster cyber defenses across the board. Many states have enacted their own breach notification laws, and there are federal laws in various stages of failure, but at the federal level a strong law that trumps all existing state laws is still rippling on the horizon like a phantom lake in the desert.

The breaches at Anthem and Premera exposed the Social Security numbers of some 91 million current and former patients. Target experienced a breach that impacted an estimated 70 to 110 million retail consumers. A cyber intrusion at J.P. Morgan put the sensitive information of 83 million financial accountholders—individuals as well as small businesses—in harm’s way. That’s just the tip of the iceberg. The types of information involved in today’s exposures are more varied, and much more damaging to consumers, than in years past. From financial data to sensitive personal information to medical records, hackers have been able to access an increasingly diverse cornucopia of material.

As well over 100 million Americans have been impacted by the seemingly endless parade of data breaches, the somewhat cynical hope is that perhaps we’ll reach a tipping point, and policy makers will equate privacy and data security issues with re-election. President Obama has called for increased communication and cyber threat information sharing between the private sector and government groups. Various pieces of legislation have been introduced in both the Senate and the House advocating for the development of business-focused Information Sharing and Analysis Centers (ISACs) to facilitate better data sharing and threat reporting while including a limited liability shield to organizations that share information.

A number of sectors have already established ISACs. They are becoming more common at financial and technology companies. Retailers are using ISACs, too, and they can be found in other spaces such as energy, oil, transportation, water and food.

But information sharing continues to be challenging, and for a variety of reasons—prime among them concern over the protection of intellectual property and trade secrets—there has been reluctance to participate. An ancillary concern impossible to shrug off is the fact that many privacy policies prohibit such sharing. Government agencies, as well, often exhibit a singular unwillingness to disseminate knowledge. There are valid reasons for this, such as when doing so might impede an active investigation or potentially compromise an intelligence source.

The very real issues faced by government and businesses alike are ignored at the peril of us all—because, until they are addressed, no meaningful legislation can (or will) be signed into law. That includes providing strong privacy protections for personal and consumer data, and protections for companies strong enough to encourage them to collaborate with peer organizations. A model for striking this balance might be found within HIPAA. As with the enticements presented to transition to electronic medical records (EMRs), similar incentives might be offered to businesses that participate in threat-sharing initiatives or adopt costly security protocols. This approach may appease businesses that don’t have the funds to invest in the development of an effective data security posture. It could also give them the impetus they need to freely collaborate with the ISACs.

Whether worries about NSA fishing expeditions are based on actual events or nebulous concerns, businesses are still hesitant to open themselves up to consumer distrust or potential class action lawsuits for the promise of precautions that will not be foolproof. The sharing of cyber threat information should be done for the sake of national security (not to create an opportunity for spies to pry into the private lives of Americans). That was President Obama’s message in his State of the Union address, but unless Congress follows up with decisive action, that message may be lost and progress stymied.

When better technology and systems enable organizations—whether private sector or government—to more effectively defend against and respond to cyber threats, the benefits of automation are obvious. However, we should be wary of adding layers of technology when cyber threat intelligence or other sensitive data may be put at risk of exposure as a result. Stringent protocols will be needed to ensure that the systems involved in information sharing are sufficiently protected against intrusion. Training for users at all levels, including government and private sector employees, will be difficult. Wetware, the term of art for human error, remains the final frontier of data security that actually works.

Cyber security investments outlined in the latest budget, such as those involving the Civilian Cyber Campus cross-government program, may prove to be important tools in facilitating better information sharing and faster identification of emerging threats. However, the expense of implementing and maintaining a truly effective program may outpace the available resources, and policy makers must still be prepared to positively influence and incentivize private sector adoption and participation rates.

So, who’s going to foot the bill? Which technology assets and platforms will be auto-shared? And who is eligible to receive this auto-shared data? The answer presented to each query will likely determine the success of any data-sharing legislation.

Levin is a consumer advocate with more than 30 years of experience and is a nationally recognized expert on security, privacy, identity theft, fraud, and personal finance. A former director of the New Jersey Division of Consumer Affairs, he is chairman and founder of IDT911.