Public-Private Cybersecurity Collaboration
Running head: PUBLIC-PRIVATE INFORMATION SHARING 1
Cybersecurity Challenge: Public-Private Sectors - Information Sharing
Deloris Bryant
CRJ-475Z – Senior Project
Dr. Shanna Van Slyke
May 12, 2015
Abstract
Even though the private sector fears sharing information about cybersecurity, the public and
private sectors should share it, because collaboration is the key to uniting in the fight against
cybercrime. Cybersecurity is a shared responsibility, and collaboration allows the two sectors to
promote awareness, educate each other, and share information that is not only timely and
significant but also actionable. The greater the trust that develops between them, the more
comfortable communication and information sharing become, and the more freely information
flows. This research paper brings to the forefront the need for and importance of information
sharing, analyzes the concerns raised by many companies, and examines how information can be
shared effectively.
Keywords: cybersecurity, cyberattacks, information sharing, public-private sectors
Cybersecurity is a critical issue that faces the entire spectrum of society. Cyberattacks and
threats are real, and the need for more collaboration is unyielding. The complexity,
sophistication and ever-evolving nature of the threat environment put cybersecurity beyond the
reach of any single entity. Cybersecurity is not something that can be ignored by the
government, individuals or corporations. The expanding problem of cyberattacks has created a
need for companies to work with the various government agencies involved in cybersecurity
investigations, mitigation efforts or the regulation of cybersecurity standards. Government
involvement means that companies will be working with agencies that may have a totally
different agenda when it comes to cyberattacks. It is important that the public and private
sectors navigate the cyber landscape together.
Navigating together means sharing information on cyber threats, but many companies remain
distrustful out of fear of regulatory action and liability. Even though the private sector fears
sharing information about cybersecurity, the public and private sectors should share it, because
collaboration is the key to uniting in the fight against cybercrime, to promoting awareness, to
educating each other, and to sharing information that is not only timely and significant but also
actionable. The greater the trust that develops, the more comfortable communication and
information sharing between the two sectors become, and the more freely information flows.
This research paper brings to the forefront the need for and importance of information sharing,
analyzes the concerns raised by many companies, and examines how information can be shared
effectively.
Importance of Information Sharing
General Keith Alexander, chief of the US Cyber Command, spoke before Congress to advise it
that seventy-five percent of the country’s computers have been exploited by criminals (Hearing
before the Committee on Armed Services, House of Representatives, 12th Congress, March 16,
2011). Are we doing enough to protect ourselves against cybercrime? Turn on the news or surf
the web and more often than not you will hear or read of another incident of cyber theft. The
Center for Strategic and International Studies estimates a loss of $100 billion in intellectual
property alone in the U.S. This estimate is about 0.6% of the U.S. economy, and it does not even
include other types of cybercrime (Nakashima & Peterson, 2014).
So what exactly are cyber incidents? The National Institute of Standards and Technology
(NIST) Special Publication 800-61 (rev. 2) defines a security incident as “a violation or imminent
threat of violation of computer security policies, acceptable use policies, or standard security
practices” (Cichonski, Millar, Grance, & Scarfone, 2012). NIST’s glossary of security terms
also defines an incident as “an occurrence that actually or potentially jeopardizes the
confidentiality, integrity, or availability of an information system or the information the system
processes, stores, or transmits or that constitutes a violation or imminent threat of violation of
security policies, security procedures, or acceptable use policies” (Kissel, 2013).
Now that we have a clear understanding of what cyber incidents are, the purpose of sharing
information about them is to pull together the strengths of the public and private sectors in order
to respond to cyber threats, attacks, and vulnerabilities. A joint effort is needed if we are to
prevent and mitigate cyber incidents in this ever-changing cyber world. A defensive and
innovative approach will be required if we are to overcome the next wave of attacks.
A survey conducted by the Ponemon Institute and sponsored by Hewlett-Packard involved
257 separate companies that agreed to participate and allowed the Ponemon Institute to analyze
all costs their organizations incurred as a result of a cyber-incident. The survey found that the
sophistication and number of breaches have increased 176 percent in the last 4 years. It also
found that the average time to detect an attack was 170 days and, although “some attacks take
longer to resolve”, the average time to resolve an attack once it was detected was 45 days
(Ponemon Institute LLC, 2014).
Figure 1: Time to resolve an attack (Ponemon Institute LLC, 2014)
The financial losses incurred during this time could be in the millions to say nothing of the
possibility of proprietary information or other private data being stolen.
Another survey conducted by the Ponemon Institute, this time sponsored by IBM,
involved 61 separate companies that had experienced some kind of data breach. In 2014,
unfortunately, many companies, especially in the retail sector, became front page news when a
data breach occurred at their company. This survey looked into the consequences of data
breaches. It found that the average cost incurred by a company hit by a data breach was $5.9
million, up from $5.4 million the previous year. The cost of lost business went from $3.03
million to $3.2 million. These costs include, but are not limited to, reputation loss, loss of
customers, and the activities involved in trying to acquire new customers. The survey also found
that the cyberattacks with the highest data breach costs were criminal or malicious attacks. At an
average of $246 for every record compromised, these two types of attacks make for a very costly
breach for any company to endure. They are followed by incidents caused by employee mistakes
or system glitches, which have much lower costs of $160 and $171 per record, respectively
(Ponemon Institute LLC, 2014).
Although the studies above put dollar figures on incidents, it is really difficult to put a solid
figure on the cost of data breaches or any other type of cybercrime. To say the least,
improvements in information sharing between the public and private sectors regarding cyber
threats would be cost-effective. Even though both sectors try to protect themselves against
losses, private entities are looking at profit earnings and the bottom line, whereas the public
sector is more concerned with not divulging intelligence that relates to national security. Also,
the public sector focuses on who is responsible for the attacks, whereas the private sector does not
really care who is responsible; they just want it to stop. Both sectors have different agendas yet
face the same issue.
Early detection, termination or prevention of cyberattacks is a major benefit of
information sharing. Sharing information brings together parties that can and will complement
each other’s abilities and unite to solve problems that they cannot address individually.
Technical data is at the top of the list of information that needs to be shared; additional
information that should be included comprises, but is not limited to, risk assessment procedures
and best practices. All participants require that only authorized parties view secure, private and
privileged information. Trust between all parties is needed for this flow of information to
stream down the appropriate channels seamlessly. The result would be savings not only in
money but also in manpower.
The speed with which information is shared should be a priority for both sectors. The
frequency of cyberattacks has increased to the point that some organizations fall so far behind in
preventive measures that they fall victim to an attack. Delaying the sharing of information until
all the ‘I’s are dotted and ‘T’s crossed makes the information outdated and not actionable in this
fast-paced cyber domain. Any delay in getting critical information to the public or private sector
can diminish its effectiveness in fending off cyberattacks. Some organizations worry about
sending information too early. This can be remedied by investigating all reliable information as
soon as possible and then sending it with a disclaimer attached indicating that the information is
preliminary and that further investigation will be needed. Some recipients may already be aware
of the situation and may already have insight into a solution that worked for them. This is what
information sharing is all about: forwarding and sharing timely information that is technical in
nature to aid in the fight against cyberattacks.
Developing Trust between the Public-Private Sectors
Former NSA Director Keith Alexander stated at a cybersecurity panel hosted by PwC,
“We need real-time or near real-time situational awareness, and we have got to have cyber
legislation that allows us to go between industry and government to do that” (Norton, 2014).
The value of the information matters, so as not to waste time, money and manpower on
irrelevant information. The benefits of timely information sharing can be measured by the
quality of the information, cost savings, and the relevance of the information that is shared.
Trust between the public and private sectors is not a farfetched expectation. There will never be
100 percent trust between these two sectors, but when a crisis must be prevented, temporary
trust is needed in order to collaborate and pass along much-needed information. It can be said
that “the partner you don’t trust today may be your best friend tomorrow” (Fernandez Vazquez,
Pastor Acosta, Brown, Reid, & Spirito, 2012). One needs to remember that trust is a two-way
street. If low quality or generic information is passed along by the public sector, then the
private sector will reciprocate by providing low quality or generic information. Remembering
that an overwhelming share of the infrastructure, hardware and software in use was developed
and is managed by the private sector, there are many instances where the public sector seeks
out the private sector for help in responding to and preventing a cyber-incident.
The private sector, where a majority of the innovators are, expects a quick turnaround
when communicating with the public sector, and this is rarely the case when it comes to
information sharing. The private sector is in the business of doing business and as such expects
the value of information to be top notch. The trust between these two sectors diminishes because
the private sector truly believes that the public sector filters its communication. If we are truly
going to be partners in crime to fight the fight in the cyber domain, then the challenge is to
commit to one another that information sharing will be done in a significant way (Givens &
Busch, 2013). Neither sector can operate under the assumption that painting a pretty picture of
commitment to working together means that such commitment really exists. To really get a
handle on cybersecurity, adding fluff to an already volatile situation does no one any good if that
fluff is only filled with generic information. This is not the way to develop trust between
partners.
Risk Management
Trust and collaboration are vital to information sharing and protection when it comes to
identifying vulnerabilities and threats. Risks will always arise out of public-private sector
collaboration, and risk management is vital for this type of partnership. However, this
collaboration can intensify the distrust that exists between the two sectors. Retaining control
over activities and decision making can make for a difficult partnership, but the trade-off is a
comprehensive group that brings with it the expertise needed to manage risks. As they say,
“two heads are better than one”. In this case, a positive of this relationship is that a greater
number of partners translates to more diversified information that can prevent and manage the
risks of cyber threats (Navare & Gemikonakli, 2010). Symantec conducted a study showing that
cyberattacks are the “most significant risk at 42%” (Navare et al.). In addition, Symantec
created a report based on data collected over the last couple of years to show the increasing
number of attacks and how intensive and damaging these cyberattacks can be to an organization.
It shows a 23 percent increase in breaches between 2013 and 2014. The sector in which the most
identities were exposed was retail, at 59 percent (Symantec, 2015).
Figure 2: Symantec Data Breach Report for 2013-2014 (Symantec, 2015)
This holds true with the recent breaches at retail giants like Target, The Home Depot and
Neiman Marcus. These numbers may seem staggering, but the key to risk management is real-
time, actionable and timely information. There are various ways to manage risks; depending on
the type of organization, threats will be calculated and assessed internally, and this is where the
collaboration of the public and private sectors comes into play. In order for collaboration to be
effective, there needs to be a solid, mutually agreed understanding of the appropriate risk
information that needs to be passed along to the decision makers. It is up to these decision
makers to make sure that threat information is passed on with the appropriate mitigation plans or,
at the very least, a “heads up” message so that others can collaborate to come up with a
mitigation plan. Early, timely mitigation of threats is significant to risk management, and the
cooperation of the public and private sectors is needed to accomplish this endeavor.
While progress may be slow and steady, the main objective here is to improve risk
management so that key concepts are understood by everyone. Cybersecurity specialists and
experts in the public and private sectors need to coordinate, connect and join forces to define risk
strategies at all levels. The main purpose of risk management is not only to help decision makers
make better decisions in the cyber domain but also to prepare for and expect the worst. There is
no reason to reinvent the wheel here. The public and private sectors all have some kind of risk
management process currently in place. The task is to incorporate organization-wide cyber risks
into the existing risk management plan. There is no way to predict when the next cyberattack
will happen, but with the proper plan in place, attacks will be mitigated more quickly.
Regular communication is a vital part of information sharing. Improving awareness of
the current situations affecting an organization, not only within the organization but also among
its counterparts in other organizations, affects the effectiveness of the response to an attack or
potential attack. Setting standards for detecting threats and protecting systems will enable early,
timely mitigation efforts. These standards should be tested regularly and improved as needed.
Finally, risk strategies exist at all levels, but oversight falls on the executives and board of
directors of an organization. They control budgets and oversee the entire risk management
plan. They are also the ones called on the carpet if a breach happens to their organization. It
would be appropriate for them to make sure everyone is held accountable for their actions as they
relate to the cyber risks within the organization.
There is not a single organization out there that is 100 percent protected from a
cyberattack. As mentioned previously, communication is vital to mitigation efforts, but the
public and private sectors are still hesitant to share information. One way to further the
cooperation of the two sectors is to provide incentives intended to remove obstacles that could
prevent information sharing between parties.
Incentives Can Go a Long Way
Mr. John M. McConnell, director of national intelligence under Presidents George W.
Bush and Barack Obama and NSA director under Presidents George H.W. Bush and Bill Clinton,
believes that information sharing is “the backbone of security” (Rosenbush, 2014). Mr.
McConnell thinks that an effective and quick response to breaches could happen if behaviors
within the public and private sectors changed so that there were incentives for information
sharing. One incentive would be legal protection for an entity that shares information regarding
breaches, threats or vulnerabilities. In addition, if we are to expand the idea of information
sharing, then liability protection needs to be put in place, with assurance that there will be no
repercussions from any regulatory bodies with which information is shared. Without this
guarantee, the private sector will limit the amount of information it shares, which could be
detrimental to others who may need that information. Everyone knows that the public sector is
pretty slow to respond and share information. The need here is for the public sector to share
intelligence and security information in a timely manner, which it currently does not. Any hoops
that one needs to jump through need to be eliminated so information can flow to the private
sector. Without this timely flow of information, the private sector will never feel that the
government is truly a partner in crime in fighting the cyber threats that are present (Bucci, 2014).
We need to work together proactively in dealing with cyber risks.
The ability to limit the damage of cyberattacks diminishes without timely information.
The biggest concern when it comes to limiting the damage of cyberattacks is, of course, the
availability of timely information. Generally, system administrators have control over and the
ability to detect activities within their systems. Given the apparent need for a timely response to
cyberattacks, who has the ultimate control to employ defensive measures and to transfer
information related to an incident? Today no single administrator has control over any one
system, which can limit the visibility of potential cyberattacks. In addition, technological
restrictions on identifying and assessing an attack, along with policy concerns, further restrict
timely information.
There is a need to minimize damage with a proactive method of sharing timely information
that will allow the public and private sectors to better predict and anticipate events, which in turn
will enable them to respond in a precise and timely manner. The public sector does not see what
the private sector sees; it does not see the footprints left behind in an attack. Cooperation from
the private sector is needed so that the public sector can see what it sees and get a better
understanding of the attack so that future attacks can be prevented. Effective communication
and understanding are needed in crucial areas, including (Denning & Denning, 2010, pp. 29-31):
- The relationship between an attack and recovery time
- Determining who initiated the attack so as to facilitate a timely and precise response
- Being able to evaluate the direct and indirect effects and damages of an attack
- Determining the requirements needed to receive warnings and indications of a potential cyberattack
- A firm understanding of exactly how attacks work so that the response can be effective
A fast notification process that alerts the relevant personnel to handle and start the
mitigation process is essential. The quicker the notification process, the faster an assessment of a
cyber-incident can happen and that information can be passed along, leading to an improved
success rate in mitigating the damage due to the attack. The benefits of information sharing can
be difficult to distinguish, while the costs and risks of sharing information are direct and
calculable (Prieto, 2006). Due to the vast landscape and complexity of cyberattacks, the speed of
an incident and the massive breach of data that may be involved, establishing an effective
approach can be a huge challenge. There are steps that can be taken to ensure that information
sharing is actionable and timely. The first major step is to recognize that many public-private
partnerships already exist and that there is a need to leverage these partnerships and build them
into the cyber domain. A couple of additional steps in the right direction would be to identify
weaknesses on both sides and work to strengthen those weaknesses, and to address concerns
regarding liability and privacy protection for the private sector.
Private Sector Concerns
“Cybersecurity is a shared responsibility.” (US-CERT, n.d.) The United States Computer
Emergency Readiness Team (US-CERT) is an organization that is part of the Department of
Homeland Security whose main goal is to improve communication regarding cybersecurity. It
provides timely alerts about current exploits, vulnerabilities, breaches and other security issues.
Partnership with the private sector is one goal it strives toward to better secure the cyber domain.
Although US-CERT believes that responsibility should be shared, there is fear in the private
sector about sharing information when it comes to cybersecurity. The private sector remains
suspicious of government efforts to increase cybersecurity collaboration, and these concerns have
been thrust to the forefront by the recent increase in identity theft and data breaches. The private
sector is worried that any information shared will be used by other regulatory agencies against
them. In addition, organizations tend to be reluctant to release information on cyber threats or
attacks because this poses not only competitive concerns but also concerns regarding antitrust
and privacy laws (SIFMA, 2014). Many in the private sector will only work with the
government when they are in crisis mode instead of working with the government in an ongoing,
proactive manner. This is an area that needs attention, and the barrier that is stopping the flow of
information needs to be brought down. It is understandable that the level of sensitivity plays a
role in what information is shared and how quickly it is shared.
Giving up Control
The exchange of information between the public and private sectors is vital. By the time an
investigation is under way (C-Span, 2014), it is too late. Instead, a step needs to be taken before
the exchange of information, and that is collaboration. Although this would be the ideal
solution, companies are still hesitant to share information or collaborate with other entities,
which can lead to other companies becoming vulnerable to the same type of attacks
(Information Technology Industry Council). The fear here is that companies do not want to give
up control of their processes and risk allowing other entities to explore privileged information,
which can become discoverable through a Freedom of Information Act (FOIA) request (United
States Department of Justice, n.d.). Many companies feel they are better equipped to handle a
breach than the government, so why reach out and set off alarms when it is unnecessary?
Handling it in-house without government interference allows them to keep control of the situation
and have no worries about the government intruding into their systems. Every company has its
own strategy in place to handle breaches or other security issues, and the fear is that the
government will come in and change the strategy that is in place, or mandate that they change
their strategy because the government feels that it is inadequate.
Timing
Another issue with government involvement is timing. Everyone knows that when dealing
with the government it is always a “hurry up and wait” scenario. Most of the problems lie with
all the constraints and bureaucratic hoops some agencies have to jump through to get something
done. If a company has to wait for the government’s involvement, the opportunity to quickly
implement a solution could be lost. Companies are independent and, given the government’s
reputation for information leaks, they are understandably concerned about private and privileged
information leaking, and they don’t need the “negative perception that this company has
partnered ‘too closely’ with the government” (Germano, 2014). There is also the issue of not
knowing which agency, department or individual to contact in a breach situation. There needs to
be some kind of clarity so that the private sector knows whom to contact, what type of
information to share and the appropriate time to share it. The public sector needs to do the same,
but there is always some kind of constraint. National security obligations, which may involve
clearance issues that restrict the government from releasing some information to the private
sector, seem to be the major constraint. This is where balancing national security and other
related restrictions may prevent proper public-private sector information sharing from happening
more smoothly.
Negative Exposure and Liability
Many companies fear negative exposure due to a security breach. If the public sector gets
involved, the fear is that they may be included in a press release that the government feels is
necessary to inform the general public. This will have a negative impact on the company before
it has a chance to thoroughly investigate the problem. What type of information is disclosed,
when it is disclosed and whether the company is put in a bad light due to the breach are their
concerns. If concerns about public disclosures, data breaches and vulnerabilities in their systems
are not enough, corporate executives also face legal liability for inadequate protection of their
business.
That is exactly what happened with Target when the government questioned the
company’s best practices. The Target data breach during the holiday season in 2013 is a good
example of why the private sector fears information sharing. Target was the victim of a
sophisticated cyberattack that “resulted in the theft of 40 million credit card numbers, 70 million
addresses, phone numbers, and other personal information” (Carton, 2014), and yet the
government’s first reaction was to question the company’s best practices as they related to data
privacy (Committee On Energy and Commerce, 2014). Target responded by stating that its
security measures were “among the best-in-class” (Carton, 2014) and that it was “certified as
meeting the standard for the payment card industry in September 2013” (John, 2014). Target
paid the ultimate price for this breach, which resulted in a profit loss of 46 percent, and reportedly
spent $61 million trying to rectify the situation (Riley, Elgin, Lawrence, & Matlack, 2014).
Yes, the company made mistakes, but this “blame the victim mindset” (C-Span, 2014) needs to
end so that the government and private sector can work together to prevent incidents like this
from happening in the future.
Trust and Risk
Trust plays a very large and important role in sharing information between the public and
private sectors; with trust, the speed of sharing increases and the risk of unauthorized parties
getting hold of the information can be reduced. The reluctance of some in the private sector to
provide information to the public sector stems from their need for assurance that any and all
proprietary information, whether about their computer systems or their in-house strategy for
dealing with incidents, will not be divulged. Liability concerns are obviously not only about
customers’ private information or the breach itself but also about how well the company
responded and how quickly the issue was resolved. Concerns about a breach leaking have to do
with claims of inadequacy on the company’s part. Disclosure of such information may trigger
complaints of negligence, inadequate security protection or misrepresentation of the severity of
the situation. Despite the rising incidence of identity theft and data security breaches, many
organizations deem the cost of adding security measures to be higher than the losses from cyber
theft. As a result, organizations have absorbed the losses incurred by data security breaches
rather than reveal a weakness in their cybersecurity procedures, all to save face and protect the
reputation of the organization and the value that shareholders continue to expect.
Other liability concerns for a company involve the content and timing of the disclosure
and notification of a breach. The Target breach was one instance where many of the complaints
were about why the company did not notify the public sooner. Companies’ reluctance to release
any information could be due to regulatory issues. There are many government agencies that
could come after a company for security or regulatory violations. These agencies all have their
own agendas and different ideas on how to approach a security breach disclosed by a company.
Some may encourage disclosure, while others bring down the hand of the law, blaming
companies for lack of security and holding them liable for breaches, which in turn could lead to
civil and criminal charges against anyone involved at the company.
Regulatory Issues
The consequences of some breaches go well beyond when and how bad the breach was and
which agencies will get involved. The fear is not only about their own customers, clients and
shareholders but also about agencies like the SEC, FTC, FCC, CFPB and others. All have
different agendas, regulations and standards on how they approach a cyber-breach situation. The
major fear for the private sector is regulatory law. What if they are not following federal
regulatory requirements? This is a risk that some companies are not willing to take in order to
share information about a threat they may have found. The agencies feared the most are the FTC
and the SEC.
The Federal Trade Commission (FTC) is a government agency that was initially “established
to play a critical role in combating anticompetitive conduct and mergers” (Brill, 2014). Entering
the new age of technology, another area of consumer protection the FTC began enforcing is
data security. It has litigated and settled with many companies for their failure to protect
consumer data. The latest suit, against Wyndham Worldwide Corporation, a global hospitality
company, and three of its subsidiaries, charges them with failures in their data security
procedures that led to three data breaches in a matter of two years (Federal Trade Commission).
The FTC claims that the company misrepresented its security measures for protecting consumer
information. After the first breach occurred, Wyndham failed to put additional security measures
in place, both to detect unauthorized access and to fix security vulnerabilities. This failure is
what led to its data security being breached twice more in less than two years.
The FTC is not the only agency that has issued some kind of guidelines for organizations
to follow when it comes to data security. After the latest data breaches involving retail giants
like Target and Neiman Marcus, the Payment Card Industry Council issued stricter security
guidelines meant for any retailers, banks or credit card companies that process credit card
transactions. Noncompliance with the security guidelines could result in fines. Many agencies
have increased their oversight of the security measures that companies are expected to follow
and maintain. In 2011 the Securities and Exchange Commission (SEC) released guidance for
publicly traded companies regarding their obligation to release and disclose incidents of
cyberattacks (Clarke & Olcott, 2014). The Chairman of the Commerce, Science and Transportation
Committee teamed up with four United States Senators to write a letter to the Chairman of the
U.S. Securities and Exchange Commission asking for clarification of disclosure requirements and
reiterating the importance of information sharing by telling her that:
Securing cyberspace is one of the most important and urgent challenges of our
time. In light of the growing threat and the national security and economic
ramifications of successful attacks against American businesses, it is essential that
corporate leaders know their responsibility for managing and disclosing
information security risk. (Rockefeller, Menendez, Whitehouse, Warner, &
Blumenthal, 2011)
Cybersecurity issues are not something just for the IT department to decipher and
manage. Boards of directors and executives of companies need to educate themselves regarding
data security within their respective organizations because they are now being held accountable
for failure to secure data. Accountability goes all the way up the ladder, and prioritizing and
overseeing risk management is an added responsibility they must bear. After all, a business is in
the business of making money, and the financial and economic impact of a data breach could
result in lawsuits, operational and reputational damage, along with the loss of their competitive
advantage.
There are no laws that mandate notifications; notifications are all voluntary. Since it is a
voluntary system, it is uncertain what information to release and to whom to release it. Some
kind of balance is needed to give the private sector liability protection from the public sector
if security breach information is released. Some might say that partnering up with the
government might hinder some situations and cause further harm. There are proactive measures
that a company can take, but how far can they legally go without the assistance of the
government? The challenge here is to have some kind of protection against breaches so that there
will be open communication between the public and private sectors in order to solve and prevent
cyber issues. There is insurance available to organizations, similar to the identity theft
protection insurance for individuals, which will protect them by absorbing some of the costs
related to data breaches. But without timely information, the ability to limit the damage of
cyberattacks diminishes and more companies may fall victim to the same attack. An important
step in uniting against cybercrimes is awareness of various situations as they are happening. No
one sector can fight the fight alone. An environment where information sharing and collaboration
happen in a timely and relevant manner is essential if we are to mitigate cyber risks.
Unite in the Fight against Cybercrimes
Organizations are always weighing the pros and cons of information sharing. Does the
risk of sharing versus not sharing impact the organization in a negative way? Misinterpreted
information or late information can be detrimental to any organization, public or private. The
turnaround in the mindset of the public and private sectors is the result of the many recent data
breaches, such as the Target breach, which rocked and ruined many consumers' 2013 holiday
season. Other recent data breaches include Neiman Marcus, White Lodging, Michaels, 11 casinos
spanning 4 states (Nevada, Colorado, Iowa and Missouri), and The Home Depot, just to name a few.
The responsibility for a failed attempt to secure the information highway falls on both the
public and private sectors. Neither can protect against cyber risks alone. Both sectors know that
it will be impossible to attain 100 percent security of their systems, so there is a need to
change behaviors in a positive way in order to reduce cyber risks.
Senator Tom Carper (D-Del), Ranking Member of the Homeland Security and
Governmental Affairs Committee, stated this challenge best:
Given the threats we face today in cyber space, it’s imperative that Congress, the
Administration, and stakeholders work together on legislation to bolster our
nation’s cyber defenses, and do so with a sense of urgency. (Committee, 2015)
The public sector is stepping up its efforts in this war against cybercrimes by working
to pass bills, working on amendments and passing resolutions. Democrats and Republicans alike
are joining forces to sponsor bills and legislation that work towards protecting our great nation
against cybercrimes. Anyone interested in seeing the progress the public sector is making towards
this fight can look at Congress.gov, which shows the progress that both the House and Senate
are making toward cybersecurity. You will not find one bill that covers all aspects of concern
to both the public and private sector. As a result, you will find that the public sector is
constantly working to introduce new bills covering information not covered previously, or to
amend bills to cover the concerns of both parties.
Public Sector Contribution
President Obama is stepping up to the plate and pushing cybersecurity efforts by
announcing new proposals and urging Congress to pass any legislative efforts that are presented.
It is the President's goal to protect the nation's cyber world against cyberattacks that affect
both the public and private sectors. He is urging Congress to put partisanship aside and work
together to advance proposals to resolve the challenges of information sharing between the
public and private sectors. The latest action by the White House shows that the government is
clearly aware of the need for information sharing between the public and private sector. They
are also aware that mandating specific information sharing would place an undue burden on the
private sector. To address these concerns, any proposed legislation or bill provides voluntary
standards for information sharing. In January 2015, new legislation was announced by President
Obama that addresses privacy concerns along with concerns regarding private sector liability.
This specific bill includes wording stating that voluntary information sharing is to include
only indicators specifically related to the technical aspect of the threat. Information related
to any person's private information is to be removed before the threat information is shared. In
addition, privacy concerns and liability protection are also specifically addressed in this new
legislation to protect the private sector when sharing cyber threat information with the public
sector. No new bill or legislation is ever going to be perfect and please all sectors all the
time, but this legislation does show that the public sector is making a good faith effort to
address the privacy and liability concerns that many in the private sector have, which prevent
them from sharing information with the public sector.
Although each bill and piece of legislation seems to blur together at times, each addresses,
revises or modifies specific concerns raised by both the public and private sectors. Other recent
announcements of advancements in the fight against cybercrime include:
The Protecting Cyber Networks Act (sponsor: Rep. Devin Nunes (R-CA-22)), which has passed
the House and was received in the Senate, aims to help the private sector share cyber threat
information by removing some legal obstacles. While some might say that a far-reaching
interpretation of this bill could be abused by some public agencies, the bill is meant to set
strict requirements on how public agencies can use the information they obtain. (Congress, 2015)
The Cybersecurity Information Sharing Act of 2015 (CISA) (U.S. Senate Committee,
2015) was approved by the Senate Select Committee on Intelligence. This bill allows for the
sharing of information between the government and the private sector with liability protection,
so as to facilitate the sharing of data relating to cybersecurity threats. This bill, like others
that are up for consideration, reiterates that information sharing is voluntary, that the private
sector needs only to share information as it relates directly to the cybersecurity threat, and
that the information is to be used for cybersecurity purposes only. Vice Chairman Dianne
Feinstein (D-Calif.) made it very clear that the main objective of this bill is to have the
public and private sectors "share information about cybersecurity threats – NOT personal
information – in order to better defend against attacks" (Committee, 2015).
The Cyber Intelligence Sharing and Protection Act (CISPA) was introduced to address the
"real-time sharing of actionable, situational cyber threat information" (Congress, 2015) between
the public and private sectors.
The National Cybersecurity Protection Advancement Act of 2015 has passed the House and is
an amendment to the Homeland Security Act of 2002 that improves the sharing of information in
addition to clarifying privacy protection as it relates to cybersecurity risk. This measure won
with an overwhelming House vote of 355 to 63 in favor of the bill. The next step for this
legislation is to pass the Senate and head for the President's desk for signature. (Congress,
2015)
The key to any policy, strategy or initiative is "real-time" information sharing and
"actionable intelligence" (U.S., 2014), which many of the above bills reiterate. Legislation that
reinforces the capability of all entities to work together to develop a more effective agenda for
reacting to cyber threats is what the President is striving for. Trust starts with communication,
and the public sector is making great strides towards building a professional relationship with
the private sector by listening to its concerns and adopting those concerns in recently presented
bills. The greater the trust that is developed, the more comfortable the communication and
information sharing between the public and private sector will become, and the flow of
information will happen. (Givens & Busch, 2013)
No one entity can ward off cyber threats alone. There needs to be solid collaboration
between the public and private sectors to promote awareness, educate and share information that
is not only "relevant, timely, but actionable" (C-Span, 2014). The government is making every
effort to address the concerns that the private sector raises regarding information sharing, so
that it can better protect itself and its customers. President Obama is pushing the government to
come up with ways to better communicate cyber threats, and so he "directed the Director of
National Intelligence (DNI) to establish the Cyber Threat Intelligence Integration Center
(CTIIC)" (The White House, n.d.). This center was created to coordinate efforts to better assess
cyber threats and to share information rapidly with other existing government cyber groups about
current threats and the individuals involved. President Obama's commitment to fighting
cybercrimes is backed up with $14 billion added to the new budget to protect networks,
governments and others, in addition to critical infrastructure. Lisa Monaco, the assistant to
the president for homeland security and counterterrorism, stated that the private sector can and
should expect the public sector to respond quickly when it shares cyber information. She
specified that the public sector will (Pellerin, 2015):
-- Provide as much information as it can about the threat to help companies
protect their networks and critical information;
-- Coordinate a quick and unified response from government experts, including
those at the Department of Homeland Security and the FBI;
-- Look to determine who the actors are and hold them to account; and
-- Bring to bear, as government experts respond to attacks, all the available tools
and draw on the full range of government resources to disrupt threats.
An excellent example of collaboration to fight cybercrimes is the Sony Pictures
Entertainment attack. Within hours of the intrusion, Sony contacted the FBI, and they were able
to join forces during the investigation of the cyber incident (Federal Bureau of Investigation,
2014). Because of Sony's rapid reporting of the attack, the FBI was able to use its resources to
identify who was behind the attacks. The public sector is committed to working with the private
sector and will continue to do so in a way that will protect the civil and privacy rights of all
involved.
Another example of the effort the government is making to improve information sharing
is an “online collaboration called Project Interoperability” (Paul, 2014). This is a platform that
will enable both the government and the private sector to not only share information but to work
together to develop techniques and standards to fight cybercrime. The project’s website states
that “information interoperability is the ability to transfer and use information in a consistent,
efficient way across multiple organizations and IT systems” (United States Government, n.d.).
This web-based tool is meant to develop a system of communication between the public-private
sectors so that no matter what level or role in the organization you have, you will be able to
utilize this website. The ability to share information with individuals who speak the same
language and have the same understanding of the struggles about safeguarding a system is
exactly the type of collaboration that is needed.
Public-Private Sectors Collaboration
For public-private collaboration to work, both sectors need to be on the same page and speak
the same language when sharing information. Structured Threat Information eXpression (STIX),
Cyber Observable eXpression (CybOX), and Trusted Automated eXchange of Indicator Information
(TAXII) are three tools that will help both the public and private sector focus on the
collection and distribution of cyber threat information between the two sectors. These tools are
constantly evolving as more members join to exchange cyber threat information. No tool is
perfect at its initial roll-out, and these three tools are no different. They will continue to
improve as both public and private sectors communicate and better define the protocols, concepts
and specifics that are needed to combat cyber threats.
STIX uses a standardized XML-based language to send data regarding cyber threats.
The MITRE Corporation and the Department of Homeland Security collaborated in developing this
tool to address issues like interoperability, threat indicators and mitigation efforts. The main
objective of this language was to make it flexible, automatable, extensible and easy to read by
everyone. Information that can be shared using this platform includes (Barnum, 2014):
Cyber observables
Indicators
Incidents
Adversary Tactics, Techniques, and Procedures
Exploit Targets
Courses of Action
Cyber Attack Campaigns
Cyber Threat Actors
Figure 2: A high level representation of how STIX works (Connolly, Davidson, Richard, &
Skorupka, 2012)
STIX is the language used to communicate information, and cyber observables are represented
in the Cyber Observable eXpression (CybOX) language. CybOX provides a tool for "addressing
cyber observables across and among this full range of use cases improving consistency,
efficiency, interoperability, and overall situational awareness" (Corporation, 2015). Trusted
Automated eXchange of Indicator Information (TAXII) is the means by which both STIX and
CybOX information is transported.
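The paper describes STIX as the language and CybOX as the representation of the observables it carries. As an added example (not code from the paper, MITRE or DHS), the following Python builds a STIX 1.1 "IP Watchlist" package whose indicators are CybOX address observables, refuses any value that is not an IP literal so that personal data cannot be packaged by mistake, and parses such a package back out. The namespaces follow the published STIX 1.1 and CybOX 2.1 schemas; the ids, titles and addresses are constructed.

```python
"""Build and parse a minimal STIX 1.1 'IP Watchlist' package.

Added example for this section, not code from the paper, MITRE or DHS. The
element layout and namespaces follow the STIX 1.1 / CybOX 2.1 watchlist idiom;
the ids, titles and addresses below are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Namespaces for STIX packages, STIX indicators and CybOX address objects.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixVocabs": "http://stix.mitre.org/default_vocabularies-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "example": "http://example.com/",  # constructed producer namespace for ids
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, tag):
    """Clark-notation '{uri}tag' for a prefixed name."""
    return "{%s}%s" % (NS[prefix], tag)


def build_ip_watchlist(package_id, title, addresses):
    """Serialize a STIX_Package holding one 'IP Watchlist' indicator per address.

    Only IP literals are accepted. A name, e-mail address or account number
    passed by mistake raises ValueError instead of being shared, which keeps
    the package limited to the technical indicators the text describes.
    """
    parsed = [ipaddress.ip_address(a) for a in addresses]  # ValueError if not an IP

    pkg = ET.Element(q("stix", "STIX_Package"),
                     {"id": package_id, "version": "1.1.1"})
    # STIX ids and xsi:type values are QNames, so every prefix they use must be
    # declared. ElementTree only declares prefixes that appear in element or
    # attribute names, so 'stixVocabs' and 'example' are declared by hand.
    pkg.set("xmlns:stixVocabs", NS["stixVocabs"])
    pkg.set("xmlns:example", NS["example"])

    header = ET.SubElement(pkg, q("stix", "STIX_Header"))
    ET.SubElement(header, q("stix", "Title")).text = title
    intent = ET.SubElement(header, q("stix", "Package_Intent"),
                           {q("xsi", "type"): "stixVocabs:PackageIntentVocab-1.0"})
    intent.text = "Indicators - Watchlist"

    indicators = ET.SubElement(pkg, q("stix", "Indicators"))
    for n, ip in enumerate(parsed, start=1):
        ind = ET.SubElement(indicators, q("stix", "Indicator"),
                            {q("xsi", "type"): "indicator:IndicatorType",
                             "id": "example:Indicator-%d" % n})
        ET.SubElement(ind, q("indicator", "Title")).text = "Watchlist entry %d" % n
        itype = ET.SubElement(ind, q("indicator", "Type"),
                              {q("xsi", "type"): "stixVocabs:IndicatorTypeVocab-1.1"})
        itype.text = "IP Watchlist"
        # The observable itself is CybOX: an AddressObject carrying the value.
        obs = ET.SubElement(ind, q("indicator", "Observable"),
                            {"id": "example:Observable-%d" % n})
        obj = ET.SubElement(obs, q("cybox", "Object"),
                            {"id": "example:Object-%d" % n})
        props = ET.SubElement(obj, q("cybox", "Properties"),
                              {q("xsi", "type"): "AddressObj:AddressObjectType",
                               "category": "ipv%d-addr" % ip.version})
        value = ET.SubElement(props, q("AddressObj", "Address_Value"),
                              {"condition": "Equals"})
        value.text = str(ip)
    return ET.tostring(pkg, encoding="utf-8", xml_declaration=True)


def extract_watchlist(xml_bytes):
    """Return [(category, address), ...] found in a received STIX package."""
    root = ET.fromstring(xml_bytes)
    found = []
    for props in root.iter(q("cybox", "Properties")):
        value = props.find(q("AddressObj", "Address_Value"))
        if value is not None and value.text:
            found.append((props.get("category"), value.text.strip()))
    return found


if __name__ == "__main__":
    # Constructed sample: two documentation-range addresses, no personal data.
    package = build_ip_watchlist("example:Package-1", "Constructed watchlist",
                                 ["198.51.100.23", "2001:db8::1"])
    print(package.decode())
    print(extract_watchlist(package))
```

The same XML would travel inside a TAXII message in practice; the transport layer is not shown here.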
Establishing a mechanism by which all parties can share information is ineffective if
there is not a secure way to transport that information. Without a secure means of transporting
data, organizations will limit the type of information shared. TAXII is an exchange that allows
the transportation of cyber threat information. Detection, prevention and mitigation efforts can
all be sent in a secure way. With the ability to encrypt, authenticate, alert and query between
systems, TAXII enables organizations not only to leverage agreed standards to "enable the
sharing of actionable indicators" (Connolly, Davidson, Richard, & Skorupka, 2012) but also to
share threat information in a timely and secure manner.
Figure 3: A high level vision of how TAXII works (Connolly et al., 2012)
The ability of humans to manually digest data in large volumes in a timely manner and act on it
is near impossible. When it comes to minimizing damages and recovery time from cyberattacks,
time-sensitive action is necessary. Timely transfer of information can also reduce confusion,
allowing the public and private sectors to better predict and anticipate future events. These
tools allow proper communication and actionable information to be shared in a timely manner.
Private Sector Contribution
Information sharing between the public and private sectors is important enough that both
individuals and companies are collaborating to produce methods to share data securely. They
believe in their methods so strongly that they have applied for, and are waiting for or have
been granted, United States patent protection. In November 2014, the United States Patent and
Trademark Office (USPTO) held an information session to discuss the efforts of both the public
and private sector to combat cybercrimes. TC2400 is the technology center where patent
applications in the field of information security are examined. Subject matter related to data
and user protection, security policies, access control, monitoring, and countermeasures is the
area of concentration for TC2400. The USPTO is enthusiastic about examining cybersecurity
patents and is aware that its examiners, currently numbering 200 examiners dedicated to this
technology, need further training in order to better understand the specific nature of best
standards and emerging technology. Currently the average time from initial filing to first
action by an examiner is about 16 months, and granting patent protection could take about three
years. With the speed at which technology changes and cyber threats increase, there is a need
for the USPTO to somehow accelerate the process.
There are organizations that are taking the initiative to develop methods and standards to
better protect themselves. The top 5 companies filing patent applications in the field of
information security are: IBM (173 patents), Symantec (103 patents), Google (71 patents),
Microsoft (67 patents) and Samsung (64 patents) (United States Patent and Trademark Office,
2014).
Large corporations are not the only organizations that are developing improved responses
to cyber threats. Swan Island Networks, Inc. is a company based in Portland, OR, that provides
business intelligence solutions. They started out as a software engineering lab working with the
U.S. government and in 2009 took their R&D to the private sector. The Trusted Information
Exchange Service (TIES) was launched and currently "help protect more than 250 large enterprises
and 20% of Fortune 100 companies every day" (Swan Island Networks, 2015). Being the innovators
that they are, they filed a patent application in April 2013 for "Human-Authorized Trust
Service", patent application number 20130312115 (Jennings & Jones). The claims of this patent
application define methods that allow trusted access to data between two parties. This
application is currently in the review process and has not yet been granted exclusive rights and
protection.
Another private sector company, Norse Corporation, a leader in live attack intelligence
based out of Mateo, CA, has also filed a patent application (patent application number
61508493) in July 2012. Their patent claims define systems and methods for "gathering,
classifying, and evaluating real time security intelligence data concerning security threats
presented by an IP address, and reporting in real time the degree and character of such security
threats" (USPTO, 2012). Their application is currently in the review process and has not yet
been granted exclusive rights and protection.
The USPTO embraces the role the private sector is playing in cybersecurity. Their goal
is to work diligently to approve innovative product and services as quickly and efficiently as
possible.
Conclusion
With the ever-growing and real threats cybersecurity poses, the need to mitigate cyber
risks is crucial. There is no easy solution to the cybersecurity challenge of information sharing.
There is no foolproof protection against cyberattacks, and navigating through best practices and
standards starts with information sharing. President Obama, early in his first term, made
cybersecurity a priority. The President is constantly making noise about cybersecurity and how
the public and private sectors must work together to come up with a mutually agreed upon method
for information sharing. The public sector is working to improve by introducing new legislation
and updating previous legislation to address concerns from both sectors. They are committed to
pulling together all their resources to coordinate responses to breaches in a united, timely
manner. In addition, they will work to break through the barrier that is preventing timely,
actionable information sharing by providing quantifiable information regarding a cyber-threat or
cyberattack that will help the private sector better protect their systems and other critical
information. The threats in the cyber domain can get complicated, but through coordinated
efforts from both the public and private sector, preemptive measures can be taken to mitigate
cyberattacks, remembering that this is a two-way street. If the public sector is willing to share
information, then the private sector must reciprocate in kind with the same quantifiable
information.
The private sector needs to remember that information on cyber threats covers a limited,
technical type of information and should not let fear prevent them from open communication
with the many government agencies. The challenge here is to have some kind of protection
against breaches, the sharing of privileged information and liability concerns so that there will
be open communication between the public and private sectors in order to solve and prevent cyber
issues. The private sector made its concerns known, and the public sector has responded by
approving legislation such as The Cybersecurity Information Sharing Act of 2013 (CISA).
President Obama's executive directive has made it very clear that his administration is putting
cybersecurity at the top of its priority list. The private sector needs to do the same and learn
from the lack of communication that caused the many data breaches of 2014. The consequences
of not making cybersecurity a top priority within the organization will lead not only to data
theft but also to reputational loss and loss of customers, not to mention the cost involved due
to a cyberattack. Given the sophisticated nature of some of the cyberattacks, a disaster is in
the making if cybersecurity is not made a priority. Cultural changes will need to be made within
the private sector because, although cybersecurity is technical in nature, the way cybersecurity
is managed is human. Changing the mindset of the private sector starts at the executive level of
an organization in order to effectively combat cyber-threats in a timely fashion.
As President Obama’s presidential term is coming to an end, his cybersecurity initiative
needs to continue with the next administration. It should not matter whether the next president is
Democratic or Republican because cyberattacks do not care what party you represent. We need
to do more to strengthen security in the cyber domain so that we can create a better world for our
children. There is always going to be a need to reiterate that open communication and
information sharing between the public-private sectors will be an ongoing challenge.
Collaboration is the key to unite in the fight against cybercrimes and the public-private sector
must jump in with both feet to educate each other so that every action to mitigate a cyber-threat
will be timely, significant and actionable.
References
Barnum, S. (2014, February 20). Standardizing cyber threat intelligence information with the
Structured Threat Information eXpression (STIX). MITRE Corporation, v1.1, Rev. 1.
Retrieved from http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.1.pdf
Brill, J. (2014, November 6). What's past is prologue: FTC's competition and consumer
protection priorities. Presenter at the ABA Fall Forum Keynote Address. Retrieved from
https://www.ftc.gov/es/system/files/documents/public_statements/597211/141106abafallf
orum-2.pdf
C-Span. (2014, August 22). Cybersecurity challenges. Retrieved from http://www.c-
span.org/video/?321116-7/discussion-cybersecurity-threats
Carton, B. (2014, May 29). ISS recommends ouster of seven Target directors for data breach
failures. Retrieved from http://https://www.complianceweek.com/blogs/enforcement-
action/iss-recommends-ouster-of-seven-target-directors-for-data-breach-
failures#.VUBi_iFVhBc
Cichonski, Millar, Grance, & Scarfone. (2012, August). National Institute of Standards and
Technology (U.S.), Special Publication 800-61 (SP 800-61, rev. 2). Computer security
incident handling guide: Recommendations of the National Institute of Standards and
Technology. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards
and Technology.
Clarke, R., & Olcott, J. (2014, March). The board's role in cybersecurity. Retrieved from
http://www.kispertgroup.com/wp-
content/uploads/2014/06/Good_Harbor_Directors_Note_Cyber.pdf
35. PUBLIC-PRIVATE INFORMATION SHARING 35
Committee, I. (2015, March 18). Senate Intelligence Committee introduces cybersecurity bill,
addresses privacy concerns. Retrieved from
http://www.intelligence.senate.gov/press/record.cfm?id=358715
Committee, U. S. (2015, March 12). Sen. Carper statement on the cybersecurity information
sharing act (CISA). Retrieved from http://www.hsgac.senate.gov/media/minority-
media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa
Congress, 1. (2015, February 2). H.R.234 - Cyber Intelligence Sharing and Protection Act.
Retrieved from http://https://www.congress.gov/bill/114th-congress/house-
bill/234?q=%7B%22search%22%3A%5B%22cyber+intelligence%22%5D%7D
Congress, 1. (2015, April 22). H.R.1560 - Protecting cyber networks act. Retrieved from
http://https://www.congress.gov/bill/114th-congress/house-
bill/1560?q=%7B%22search%22%3A%5B%22The+Protecting+Cyber+Networks+Act%
22%5D%7D
Congress, 1. (2015, April 23). H.R.1731 - National cybersecurity protection advancement act of
2015. Retrieved from http://https://www.congress.gov/bill/114th-congress/house-
bill/1731?q=%7B%22search%22%3A%5B%22cybersecurity%22%5D%7D
Connolly, J., Davidson, M., Richard, M., & Skorupka, C. (2012, November 8). The trusted
automated eXchange of indicator information (TAXII). Retrieved from
http://taxii.mitre.org/about/documents/Introduction_to_TAXII_White_Paper_November_
2012.pdf
Corporation, MITRE. (2015, April 14). CybOX, v2.1. Retrieved from http://cybox.mitre.org/
Denning, P. J., & Denning, D. E. (2010). Discussing cyber attack. Communications of the ACM,
53(9), 29-31.
36. PUBLIC-PRIVATE INFORMATION SHARING 36
Federal Bureau of Investigation. (2014, December 29). Update on Sony Investigation. Retrieved
from http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation
Federal Trade Commission. (2012, June 26). FTC files complaint against Wyndham hotels for
failure to protect consumers' personal information. Retrieved from
http://https://www.ftc.gov/news-events/press-releases/2012/06/ftc-files-complaint-
against-wyndham-hotels-failure-protect
Fernandez Vazquez, D., Pastor Acosta, O., Brown, S., Reid, E., & Spirito, C. (2012, June).
Conceptual framework for cyber defense information sharing within trust relationships.
In Cyber Conflict (CYCON), 2012 4th International Conference on (pp. 1-17). IEEE.
Germano, J. H. (2014, October). Cybersecurity partnerships: A new era of public-private
collaboration. Retrieved from
http://www.lawandsecurity.org/Portals/0/Documents/Cybersecurity.Partnerships.pdf
Givens, A. D., & Busch, N. E. (2013). Information sharing and public-private partnerships: The
impact on homeland security. Retrieved from http://www.austengivens.com/wp-
content/uploads/2013/05/Givens-and-Busch_Information-Sharing-and-Public-Private-
Partnerships.pdf
Givens, A. D., & Busch, N. E. (2013). Realizing the promise of public-private partnerships in US
critical infrastructure protection. Internaional Journal of Critical Infrastructure
Protection, 6(1), 39-50.
Hearing before the Committee on Armed Services, House of Representatives, 12th Congress
(March 16, 2011). National defense authorization act for fiscal year 2012: (H.A.S.C. No.
112-26). (statement of General Keith B. Alexander, US Cyber Command). Retrieved
from http://fas.org/irp/congress/2011_hr/cybercom.pdf
37. PUBLIC-PRIVATE INFORMATION SHARING 37
Jennings, C., & Jones, D. M. (2013, November 21). Publication 20130312115 - Human-
authorized trust service. Retrieved from
http://www.ptodirect.com/Results/Publications?p=1&r=34&query=%40PD%3E%3D201
31119%3C%3D20131125
John, P. (2014, March 18). Target breach lesson: PCI compliance isn't enough. Retrieved from
http://www.technewsworld.com/story/80160.html
Kissel, R. (2013, May). National Institute of Standards and Technology (U.S.) (NISTIR 7298,
rev. 2). Glossary of key information security terms.
Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445
billion annually. Retrieved from http://www.washingtonpost.com/world/national-
security/report-cybercrime-and-espionage-costs-445-billion-
annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
National Institute of Standards and Technology. (2014, February 12). Framework for improving critical infrastructure cybersecurity. Retrieved from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
Navare, J., & Gemikonakli, O. (2010, September). Governance and risk management of network and information security: The role of public private partnerships in managing the existing and emerging risks. Paper presented at the Global Security, Safety, and Sustainability 6th International Conference (ICGS3), Braga, Portugal. Retrieved from https://www.researchgate.net/publication/221193068_Governance_and_Risk_Management_of_Network_and_Information_Security_The_Role_of_Public_Private_Partnerships_in_Managing_the_Existing_and_Emerging_Risks
Norton, S. (2014, September 30). Former NSA director: Better information sharing needed on cybersecurity. Retrieved from http://blogs.wsj.com/cio/2014/09/30/former-nsa-director-better-information-sharing-needed-on-cybersecurity/
Pager, T. (2015, March 19). Private sector remains wary of government efforts to increase cybersecurity collaboration. Retrieved from http://nationalsecurityzone.org/site/private-sector-remains-wary-of-government-efforts-to-increase-cybersecurity-collaboration/
Paul, K. (2014, March 24). Fork it, grab it, use it: Announcing Project Interoperability. Retrieved from http://www.ise.gov/blog/kshemendra-paul/fork-it-grab-it-use-it-announcing-project-interoperability
Pellerin, C. (2015, February 11). New threat center to integrate cyber intelligence. Retrieved from http://www.defense.gov/news/newsarticle.aspx?id=128164
Ponemon Institute LLC. (2014, May). 2014 cost of data breach study: United States. Retrieved from http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=GTSE_SE_SE_USEN&htmlfid=SEL03017USEN&attachment=SEL03017USEN.PDF#loaded
Ponemon Institute LLC. (2014, October). 2014 global report on the cost of cyber crime. Retrieved from https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf
Prieto, D. (2006). Information sharing with the private sector. In Seeds of disaster, roots of response: How private action can reduce public vulnerability. Retrieved from https://scholar.google.com/citations?view_op=view_citation&continue=/scholar%3Fq%3Dprieto%26hl%3Den%26as_sdt%3D0,16%26scilib%3D1&citilm=1&citation_for_view=ZLNwTTgAAAAJ:2osOgNQ5qMEC&hl=en&oi=p
Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed alarms and 40 million stolen credit card numbers: How Target blew it. Retrieved from http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
Rockefeller, J. D., Menendez, R., Whitehouse, S., Warner, M., & Blumenthal, R. (2011, May 11). Letter to Ms. Mary Schapiro, Chairman, U.S. Securities and Exchange Commission. Retrieved from http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=4ceb6c11-b613-4e21-92c7-a8e1dd5a707e
Rosenbush, S. (2014, June 20). Former NSA chief Mike McConnell says culture, not tech, is key to cyber defense. Retrieved from http://blogs.wsj.com/cio/2014/06/20/former-nsa-chief-mike-mcconnell-says-culture-not-tech-is-key-to-cyber-defense/
SIFMA. (2014, October 20). Principles for effective cybersecurity regulatory guidance. Retrieved from http://www.sifma.org/issues/item.aspx?id=8589951691
Swan Island Networks. (2015). About Swan Island Networks, Inc. Retrieved from swanisland.net/company
Symantec. (2015, April). Internet security threat report (Vol. 20). Retrieved from https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf
U.S. (2014, November 3). Partners in cybercrime prevention. Retrieved from http://www.nationaljournal.com/library/198396
United States Department of Justice. (n.d.). What is FOIA? Retrieved from http://www.foia.gov/index.html
United States Government. (n.d.). Project Interoperability. Retrieved from project-interoperability.github.io/
United States Patent and Trademark Office. (2014, November 14). Cybersecurity partnership. Retrieved from http://www.uspto.gov/about/contacts/phone_directory/pat_tech/nov2014-cybersecurity-partnership-presentation.pdf
United States Senate Committee. (2015, March 12). Sen. Carper statement on the Cybersecurity Information Sharing Act (CISA). Retrieved from http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa
USPTO. (2012, July 16). Norse Corporation patent application No. 13/550,354. Retrieved from http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=3&f=G&l=50&co1=AND&d=PTXT&s1=cybersecurity&s2=google&OS=cybersecurity+AND+google&RS=cybersecurity+AND+google
The White House. (n.d.). The comprehensive national cybersecurity initiative. Retrieved from http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative
The White House. (2015, February 25). Fact sheet: Cyber Threat Intelligence Integration Center. Retrieved from https://www.whitehouse.gov/the-press-office/2015/02/25/fact-sheet-cyber-threat-intelligence-integration-center