Privacy and data sharing have always had an uneasy relationship, but ongoing conversations among companies, legislators and advocacy groups are making it easier to share knowledge about cyber-threats without compromising sensitive information.
“There are natural disincentives for companies to share,” said Ari Schwartz, the Managing Director of Cybersecurity Services Venable. “It could get out that they had an incident, and their brand might be impacted. You might also be breaking privacy laws or anti-trust laws. I came up with a list of about 12 things when I was in government that were liability concerns for companies.”
Schwartz, who was Special Assistant to the President and Senior Director for Cybersecurity at the White House National Security Council, was speaking at a panel on privacy and cyber-threat sharing at the 2016 RSA conference in San Francisco.
Some of those concerns, he said, have been addressed through the Cybersecurity Information Sharing Act (CISA), a federal law that provides a framework designed to encourage companies to voluntarily share cyber-threat information with the government.
While CISA moves things forward, both panellists agreed that there are issues yet to be resolved.
“We don’t have a common vocabulary yet,” said Harriet Pearson, a partner at the multi-national law firm Hogan Lovells. “When we say ‘information sharing,’ you may know as security professionals what the information is, but the lawyers and privacy people in your organization might not have the same concepts.”
Bad communication, she said, can exacerbate concerns about email content or other sensitive, private information being shared.
Pearson, who spent many years as IBM’s Chief Privacy Officer, says it’s getting easier to bridge such gaps and find solutions that satisfy all parties. CISA required the Attorney General and the Secretary of Homeland Security to issue interim guidelines this past February.
“However you interact with the information-sharing your organization might do, there’s a way to do it differently now,” she said. “Something changed when Homeland Security and the Department of Justice issued new guidelines. We’re maturing.”
The legal framework isn’t the only thing that’s changing. Schwartz and Pearson described how companies are creating their own policies, and building automated sharing tools that accommodate both privacy and information-sharing concerns from the start.
“Sometimes there can be tension,” said Schwartz. “On the other hand, there are places where privacy works very well with security. And if you create something well from the beginning, you have less privacy concerns.”
Pearson described how “data minimization” can help find the balance between privacy and sharing.
“You minimize the amount of sensitive personal information being shared,” she said. “Do you need to look at the content of email? Probably not. You want situational awareness, but do you really need to know what I’m doing all day long? The answer might be yes, but sometimes it’s no. Minimization is a term in the privacy world that’s now coming into the security world as well.”
Picture credit - Eduardo Ustaran @ustaran