Running head: PUBLIC-PRIVATE INFORMATION SHARING 1
Cybersecurity Challenge: Public-Private Sectors - Information Sharing
Deloris Bryant
CRJ-475Z – Senior Project
Dr. Shanna Van Slyke
May 12, 2015
Abstract
Even though there is fear among the private sector regarding information sharing when it comes
to cybersecurity, there should be information sharing between the public-private sectors because
collaboration is the key to unite in the fight against cybercrimes. Cybersecurity is a shared
responsibility and collaboration is the key to unite in the fight against cybercrimes and to
promote awareness, educate each other and share information that is not only timely and
significant but also actionable. The greater the trust that is developed, the more effective and
comfortable communication and information sharing will become, and the more readily
information will flow. This research paper will bring to the forefront the need and importance
of information sharing, analyze the concerns raised by many companies, and examine how sharing
information can be done effectively.
Keywords: cybersecurity, cyberattacks, information sharing, public-private sectors
Cybersecurity is a critical issue that faces the entire spectrum of society. Incidents of
cyberattacks and threats are real and the need for more collaboration is unyielding. The
complexity, sophistication and ever-evolving threat environment that exists puts cybersecurity
out of reach of any single entity. Cybersecurity is not something that can be ignored by the
government, individuals or corporations. The expanding problem with cyberattacks has brought
up the need for companies to work with various agencies of the government that are involved
with cybersecurity investigations, mitigation efforts or regulating cybersecurity standards.
Government involvement means that companies will be working with agencies that may have a
totally different agenda when it involves cyberattacks. It is important that both the public and
the private sector navigate through the cyber process together.
Navigating together would mean that there is a need to share information on cyber
threats, but many continue to be untrusting for fear of regulatory laws and liability concerns.
Even though there is fear among the private sector regarding information sharing when it comes
to cybersecurity, there should be information sharing between the public and private sector
because collaboration is the key to unite in the fight against cybercrimes and to promote
awareness, educate each other and share information that is not only timely and significant but
also actionable. The greater the trust that is developed, the more effective and comfortable
communication and information sharing between the public-private sectors will become, and
the more readily information will flow. This research paper will bring to the forefront the need and
importance of information sharing, analyze the concerns raised by many companies, and examine how
sharing information can be done effectively.
Importance of Information Sharing
General Keith Alexander, chief of the US Cyber Command, spoke before Congress to
advise them that seventy-five percent of the country’s computers have been exploited by
criminals (Hearing before the Committee on Armed Services, House of Representatives, 12th
Congress, March 16, 2011). Are we doing enough to protect ourselves against cybercrimes?
You turn on the news or surf the web and more often than not you will hear or read of another incident
of cyber theft. The Center for Strategic and International Studies estimates a loss of $100 billion
in intellectual property alone in the U.S. This estimate is about 0.6% of the U.S. economy and
this number does not even include other types of cybercrimes (Nakashima & Peterson, 2014).
So what exactly are cyber incidents? The National Institute of Standards and Technology
(NIST) Special Publication 800-61 (rev. 2) defines security incidents as “a violation or imminent
threat of violation of computer security policies, acceptable use policies, or standard security
practices” (Cichonski, Millar, Grance, & Scarfone, 2012). Additional related terms are also
defined by NIST as “an occurrence that actually or potentially jeopardizes the confidentiality,
integrity, or availability of an information system or the information the system processes, stores,
or transmits or that constitutes a violation or imminent threat of violation of security policies,
security procedures, or acceptable use policies” (Kissel, R, 2013).
Now that we have a clear understanding of what cyber incidents are, the sharing of
information as it relates to cyber incidents is to pull together the strengths of the public-private
sectors in order to respond to cyber threats, attacks, and vulnerabilities. A joint effort is needed
if we are to prevent and mitigate cyber incidents in this ever-changing cyber world. A
defensive and innovative approach will be required if we are to overcome the next wave of
attacks.
A survey conducted by the Ponemon Institute sponsored by Hewlett-Packard involved
257 separate companies that agreed to participate and allowed the Ponemon Institute to perform
an analysis of all costs incurred by their organization as a result of a cyber-incident. The survey
found that the sophistication and number of breaches have increased 176 percent in the last 4
years. This survey also found that the average time to detect an attack was 170 days and
although “some attacks take longer to resolve” the average time to resolve an attack once it was
detected was 45 days (Ponemon Institute LLC, 2014).
Figure 1: Time to resolve an attack (Ponemon Institute LLC, 2014)
The financial losses incurred during this time could be in the millions to say nothing of the
possibility of proprietary information or other private data being stolen.
Another survey conducted by the Ponemon Institute, this time sponsored by IBM,
involved 61 separate companies that experienced some kind of data breach. In 2014,
unfortunately, many companies, especially in the retail sector, became front-page news when a
data breach occurred at their company. This survey looked into the consequences of data
breaches. What they found was that, on average, $5.9 million was the cost incurred by companies
hit by data breaches. This figure is up from the $5.4 million the previous
year. Loss of business cost went from $3.03 million to $3.2 million. These costs include but are
not limited to reputation loss, loss of customers, and activities involved in trying to acquire new
customers. This survey also found that the cyberattacks with the highest data breach costs were
either criminal or malicious attacks. An average of $246 for every record that was
compromised in these two types of attacks makes for a very costly breach for any
company to endure. This is followed by cyberattacks at the hands of employee mistakes or
system glitches, which have much lower costs of $160 and $171, respectively (Ponemon Institute
LLC, 2014).
Although the studies above put dollars to incidents, it is really difficult to put a solid
figure on the cost of data breaches or any other type of cybercrime. To say the least,
improvements in information sharing between the public-private sectors regarding cyber threats
would be cost-effective. Even though the public-private sectors try to protect themselves against
any losses, private entities are looking at profit earnings and the bottom line whereas the public
sector is more concerned with not divulging intelligence as it relates to national security. Also,
the public sector focuses on who is responsible for the attacks whereas the private sector does not
really care who is responsible; they just want it to stop. Both sectors have different agendas
yet have the same issue.
Early detection, termination or prevention of cyberattacks is a major benefit of
information sharing. This sharing of information brings together parties that can and will
complement each other in their abilities to unite in order to solve problems that they themselves
cannot address individually. Technical data is at the top of the list of information that needs to
be shared; additional information that should be shared includes, but is not limited to, risk assessment
procedures and best practices. All participants require that only authorized parties view secure
private and privileged information. Trust between all parties is needed for this flow of
information to stream down the appropriate channels seamlessly. This would not only be a
financial savings but also savings in manpower.
The speed at which information is shared should be a priority for both sectors. The
frequency of cyberattacks has increased to the point that some organizations fall so far behind in
preventive measures that they fall victim to an attack. Delaying sharing information until all the
‘I’s are dotted and ‘T’s crossed makes the information outdated and not actionable in this
fast-paced cyber domain. Any delay in getting critical information to the public-private sector can
diminish its effectiveness in fending off a cyberattack. Some organizations worry about sending
information too early. This can be remedied by investigating all reliable information as soon as
possible and then sending the information with a disclaimer attached indicating that the information
being sent is preliminary and that further investigation will be needed. Some recipients may
already be aware of the situation and may already have an insight to a solution that worked for
them. This is what information sharing is all about; forwarding and sharing timely information
that is technical in nature to aid in the fight against cyberattacks.
Developing Trust between the Public-Private Sectors
Former NSA Director Keith Alexander stated at a cybersecurity panel hosted by PwC,
“We need real-time or near real-time situational awareness, and we have got to have cyber
legislation that allows us to go between industry and government to do that” (Norton, 2014).
The value of information is important so as not to waste time, money and manpower on irrelevant
information. Benefits of timely information sharing can be measured by the quality of
information, cost savings, and relevance of the information that is shared. Trust is not a
farfetched idea that we expect between the public-private sectors. You will never have 100
percent trust between these two sectors, but when it is needed to prevent a crisis situation, temporary
trust is required in order to collaborate and pass along much-needed information. It can
be said that “the partner you don’t trust today may be your best friend tomorrow” (Diego
Fernandez Vazquez, Oscar Pastor Acosta, Brown, Reid, & Spirito, 2012). One needs to
remember that trust is a two-way street. If low quality or generic information is passed along by
the public sector, then the private sector will reciprocate by providing low quality or generic
information. Remembering that an overwhelming number of infrastructures, hardware and
software in use was developed and is managed by the private sector, there are many instances
where you will find that the public sector seeks out the private sector for help to respond to and
prevent a cyber-incident.
For the private sector, where a majority of the innovators are, they expect a quick turn
around when communicating with the public sector and this is rarely the case when it comes to
information sharing. The private sector is in the business of doing business and as such expects
the value of information to be top notch. The trust between these two sectors diminishes due to
the fact that the private sector truly believes that the public sector filters its communication. If
we are truly going to be partners in crime to fight the fight in the cyber domain, then the
challenge here is to commit to one another that information sharing will be done in a significant
way (Givens & Busch, 2013, 6(1), 39-50). Neither sector can operate under the assumption that
just because they are painting a pretty picture to make it look like they are committed to working
together, that this is really the case. To really get a handle on cybersecurity, adding fluff to an
already volatile situation does no one any good if that fluff is only filled with generic
information. This is not the ideal way to develop trust between partners.
Risk Management
Trust and collaboration are vital to information sharing and protection when it comes to
identifying vulnerabilities and threats. There are always risks that will arise out of the public-
private sector collaboration and risk management is vital for this type of partnership. However,
this collaboration can intensify the distrust that exists between the public-private sectors.
Retaining control over activities and decision making can make for a difficult partnership but the
trade-off is that you will have a comprehensive group that brings with them the expertise needed
to manage risks. As they say, “two heads are better than one”. In this case, a positive to this
relationship would be that the greater number of partners translates to diversified information
that can prevent and manage risks of cyber threats. (Navare & Gemikonakli, 2010) Symantec
did a study that showed the “most significant risk at 42%” (Navare et al.) is cyberattacks. In
addition Symantec created a report based on data collected through the last couple of years to
show the increasing number of attacks and how intensive and damaging these cyberattacks can
be to an organization. They show that there was a 23 percent increase in breaches between 2013
and 2014. The sector where the most identities were exposed was in the retail sector at 59
percent. (Symantec, 2015)
Figure 2: Symantec Data Breach Report for 2013-2014 (Symantec, 2015)
This holds true with the recent breaches with retail giants like Target, The Home Depot and
Neiman Marcus. These numbers may seem staggering but the key to risk management is real-
time, actionable and timely information. There are various ways to manage risks and depending
on the type of organization, threats will be calculated and assessed internally and this is where
the collaboration of public-private sectors comes into play. In order for collaboration to be
effective, there needs to be a solid understanding, mutually agreed, as to the appropriate risk
information that needs to be passed along to the decision makers. It is up to these decision
makers to make sure that threat information is passed on with the appropriate mitigation plans or
at the very least a “heads up” message so that others can collaborate to come up with a mitigation
plan. Early, timely mitigation of threats is significant to risk management and the cooperation of
the public-private sectors is needed to accomplish this endeavor.
While progress may be slow and steady, the main objective here is to improve risk
management to ensure that key concepts are understood by everyone. Cybersecurity specialists
and experts in the public-private sectors need to coordinate, connect and join forces to define risk
strategies at all levels. The main purpose of risk management is not only to help decision
makers make better decisions in the cyber domain but also to prepare for and expect the worst.
There is no reason to reinvent the wheel here. The public-private sectors all have some kind of
risk management process currently in place. The task here is to incorporate organization-wide
cyber risks into the already existing risk management plan. There is no way to predict when the
next cyberattack will happen but with the proper plan in place, the attacks will be
mitigated more quickly.
Regular communication is a vital part of information sharing. Improving awareness not
only within your organization but also with your counterparts in other organizations of current
situations affecting the organization impacts the effectiveness in responding to an attack or
potential attack. Setting standards for detection and protecting systems will enable early, timely
mitigation efforts. These standards should be tested regularly and improvements should be made
as needed. Finally, risk strategies fall at all levels but oversight falls on the executives and board
of directors of an organization. They control budgets and oversee the entire risk management
plan. They are also the ones that are called on the carpet if a breach happens to their
organization. It would be appropriate for them to make sure everyone is held accountable for
their actions as it relates to the cyber risks within their organization.
There is not a single organization out there that is 100 percent protected from a
cyberattack. As mentioned previously, communication is vital to mitigation efforts but the
public-private sectors are still hesitant to share information. One way to further the cooperation
of the public-private sectors is to provide incentives with the intent to remove obstacles that
could prevent information sharing between parties.
Incentives Can Go a Long Way
Mr. John M. McConnell, director of national intelligence under Presidents George W.
Bush and Barack Obama and NSA director under Presidents George H.W. Bush and Bill Clinton,
believes that information sharing is “the backbone of security” (Rosenbush, 2014). Mr.
McConnell thinks that an effective and quick response to breaches could happen if behaviors
with the public and private sectors changed so that there would be incentives for information
sharing. One incentive would be legal protection should an entity share information regarding
any breaches, threats or vulnerabilities. In addition, if we are to expand the idea of information
sharing then there needs to be liability protection put in place and to make sure that there are no
repercussions from any regulatory bodies with which information is shared. Without this
guarantee, the private sector will limit the amount of information they share which could be
detrimental to others who may need that information. Everyone knows that the public sector is
pretty slow to respond and share information. The need here is for the public sector to share
intelligence and security information in a timely manner, which it currently does not. Any hoops
that one needs to get through need to be eliminated so information can flow to the private
sector. Without this timely flow of information, the private sector will never feel that the
government is truly a partner in crime to fight any cyber threats that are present. (Bucci, 2014)
We need to work together proactively in dealing with cyber risks.
The ability to limit the damage of cyberattacks diminishes without timely information.
The biggest concern as it relates to limiting the damages of cyberattacks is, of course, the
availability of timely information. Generally, system administrators have control and the ability
to detect activities within their systems. Given the apparent need for timely response to
cyberattacks, who has the ultimate control to employ defensive measures and to transfer
information related to an incident? Today no one administrator has control over any one
system, which can limit the visibility of potential cyberattacks. In addition, technological
restrictions to identify and assess an attack along with policy concerns enhance the restriction of
timely information.
There is a need to minimize damages with a proactive method of sharing timely information
that will allow the public-private sectors to better predict and anticipate events which in turn will
enable them to respond in a precise, timely manner. The public sector does not see what the
private sector sees; does not see the footprints left behind in an attack. Cooperation from the
private sector is needed so that the public sector can see what they see and get a better
understanding of the attack so that future attacks can be prevented. Effective communication
and understanding is needed in crucial areas to include (Denning & Denning, 2010, pg. 29-31):
• The relationship between an attack and recovery time
• Determining who initiated the attack so as to facilitate a timely and precise response
• Being able to evaluate the direct and indirect effects and damages of an attack
• Determine the requirements needed to receive warnings and indications of a potential
  cyber attack
• A firm understanding of exactly how attacks work so that the response can be effective
The speed of the notification process and notifying relevant personnel to handle the incident and start
the mitigation process is essential. The quicker the notification process, the faster an assessment of a
cyber-incident can happen and that information passed along leading to an improved success rate
for mitigating the damages due to the attack. Benefits of information sharing can be difficult to
distinguish while the cost and risks of sharing information are direct and calculable (Prieto, 2006).
Due to the vast landscape and complexities of cyberattacks, the speed of the incident and the
massive breach of data that may be involved, establishing an effective approach can be a huge
challenge. There are steps that can be taken to ensure that information sharing is actionable and
timely. The first major step is to recognize that there are many current public-private
partnerships in existence and there is a need to leverage and build these partnerships into the
cyber domain. A couple of additional steps in the right direction would include identifying
weaknesses on both sides and working to strengthen those weaknesses, and addressing concerns
regarding liability and privacy protection for the private sector.
Private Sector Concerns
“Cybersecurity is a shared responsibility” (US-CERT, n.d.). The Computer Emergency
Readiness Team (US-CERT) is an organization that is part of the Department of Homeland
Security whose main goal is to improve communication regarding cybersecurity. They provide
alerts about current exploits, vulnerabilities, breaches or any other security issues in a timely
fashion. Partnership with the private sector is one goal they strive towards to better secure the
cyber domain. Although US-CERT believes that responsibility should be shared, there is fear
among the private sector regarding information sharing when it comes to cybersecurity. The private
sector remains suspicious of government efforts to increase cybersecurity collaboration and these
concerns have been thrown to the forefront due to the recent increase in identity theft and data
breaches. The private sector is worried that any information shared will be used by other
regulatory agencies against them. In addition, organizations tend to be reluctant to release
information on cyber threats or attacks because this poses not only competitive concerns but also
concerns regarding antitrust and privacy laws (SIFMA, 2014). Many in the private sector will
only work with the government when they are in crisis mode instead of working with the
government in an ongoing proactive manner. This is an area that needs attention and this barrier
that is stopping the flow of information needs to be brought down. It is understandable that the
level of sensitivity does play a role in what information is shared and how quickly that
information is shared.
Giving up Control
The exchange of information between the public-private sectors is vital. During
investigations (C-Span, 2014) it is too late. Instead there needs to be a step taken before the
exchange of information and that is collaboration. Although this would be the ideal solution,
companies are still hesitant to share information or collaborate with other entities which can lead
to other companies becoming vulnerable to the same type of attacks. (Information Technology
Industry Council) The fear here is that companies do not want to give up control of their
processes and risk allowing other entities to explore privileged information which can be
discoverable through a Freedom of Information Act (FOIA) request (United States Department
of Justice, n.d.). Many companies feel they are better equipped to handle a breach than the
government, so why reach out and set off alarms when it is unnecessary? Handling it in-house
without government interference allows them to keep control of the situation and have no
worries about the government intruding into their systems. Every company has their own
strategy in place to handle breaches or any security issues and the fear is that the government
will come in and change the strategy that is in place or mandate that they change their strategy
because the government feels that it is inadequate.
Timing
Another issue with government involvement is timing. Everyone knows when dealing
with the government it is always a “hurry up and wait” scenario. Most of the problems lie with
all the constraints and bureaucratic hoops some agencies have to jump through to get something
done. If a company has to wait for the government’s involvement, the time to quickly implement
a solution could be lost. Companies are independent and given the government’s reputation for
information leaks, they are understandably concerned about private/privileged information
leaking and don’t need the “negative perception that this company has partnered “too closely”
with the government” (Germano, 2014). There is also the issue of not knowing what agency,
department or appropriate individual to contact in a breach situation. There needs to be some
kind of clarity so that the private sector knows who to contact and what type of information to
share and the appropriate time to share it. The public sector needs to do the same but there is
always some kind of constraint. The national security obligation, which may involve clearance
issues that restrict the government from releasing some of the information to the private
sector, seems to be the major constraint. This is where balancing national security and other
related restrictions may prevent proper public-private sector information sharing from happening
more smoothly.
Negative Exposure and Liability
Many companies have a fear of negative exposure due to a security breach. If the public
sector gets involved then the fear is that they may be included in a press release that the
government may feel is necessary to inform the general public. This will have a negative
impact on the company before the company has a chance to thoroughly investigate the problem.
What type of information is disclosed, when it is disclosed and whether the company is put in a
bad light due to the breach is their concern. If concerns from public disclosures, data breaches
and vulnerabilities in their systems are not enough, corporate executives are also facing legal
liabilities for inadequate protection of their business.
That is exactly what happened with Target when the government questioned the
company’s best practices. The Target data breach during the holiday season in 2013 is a good
example of why the private sector has a fear of information sharing. Target was a victim of a
sophisticated cyberattack that “resulted in the theft of 40 million credit card numbers, 70 million
addresses, phone numbers, and other personal information” (Carton, 2014) and yet the
government’s first reaction was to question the company’s best practices as it related to data
privacy. (Committee On Energy and Commerce, 2014) Target responded by stating that “their
security measures were “among the best-in-class” (Carton, 2014) and that they were “certified as
meeting the standard for the payment card industry in September 2013” (John, 2014). Target
paid the ultimate price for this breach which resulted in a profit loss of 46 percent and reportedly
spent $61 million to try and rectify the situation. (Riley, Elgin, Lawrence, & Matlack, 2014)
Yes, the company made mistakes but this “blame the victim mindset” (C-Span, 2014) needs to
end so that the government and private sector can work together to prevent incidents like this
from happening in the future.
Trust and Risk
The trust factor plays a very large and important role in sharing information between the
public-private sectors; when the speed of the shared information increases, the risk of any unauthorized
parties getting to information can be reduced. The reluctance of some in the private sector to
provide information to the public sector stems from their need to obtain assurance that any and all
proprietary information, whether that is computer systems or their in-house strategy in dealing
with incidents, not be divulged. Liability concerns are obviously not only about customers’
private information or the breach itself but also about how well the company responded and how
quickly the issue was resolved. Concerns of a breach leak have to do with claims of inadequacy
on the company’s part. Disclosure of such information may trigger complaints of negligence,
inadequate security protection or that the company misrepresented the severity of the situation.
Despite the rising incidents of identity theft and data security breaches, many organizations deem
the costs of adding security measures to be higher than the losses from cyber theft. As a result
organizations have absorbed any losses incurred by data security breaches rather than reveal a
weakness in their cybersecurity procedures, all to save face and protect the reputation of the
organization and values that shareholders continue to expect.
Another liability concern that a company has involves the content and timing of
the disclosure and notification of a breach. The Target breach was one instance where many of
the complaints were about why the company did not notify the public sooner. A company’s
reluctance to release any information could be due to regulatory issues. There are many
government agencies that could reach out and grab a company for security or regulatory
violations. These agencies all have their own agendas and a different idea on how to approach a
security breach which is disclosed by a company. Some may encourage disclosure while others
bring down the hands of the law, blaming companies for lack of security and holding companies
liable for breaches which in turn could lead to civil and criminal charges against anyone involved
at the company.
Regulatory Issues
Some breaches go way beyond the when and how bad the breach is and what agencies
will get involved. The fear is not only about their own customers, clients and shareholders but
also about agencies like the SEC, FTC, FCC, CFPB and others alike. All have different agendas,
regulations and standards on how they approach a cyber-breach situation. The major fear for the
private sector is regulatory laws. What if they are not following federal regulatory requirements?
This is a risk that some companies are not willing to take to share information about a threat they
may have found. The agencies feared the most are the FTC and the SEC.
The Federal Trade Commission (FTC) is a government agency that was initially “established
to play a critical role in combating anticompetitive conduct and mergers” (Brill, 2014). Entering
into the new age of technology, another area of consumer protection the FTC has begun enforcing is
data security. They have litigated and settled with many companies for their failure to protect
consumer data. The latest suit, against Wyndham Worldwide Corporation (Federal Trade
Commission), a global hospitality company, and three of their subsidiaries, charges them with
failures in their data security procedures which led to three data breaches in a matter of two
years. The FTC claims that the company misrepresented their security measures to protect
consumer information. After the first breach occurred, Wyndham failed to put additional
security measures in place to not only detect access that was not authorized but also to fix
security vulnerabilities. This failure is what led to their data security being breached twice more
in less than two years.
The FTC is not the only agency that has issued some kind of guidelines for organizations
to follow when it involves data security. After the latest data breaches involving retail giants like
Target and Neiman Marcus, the Payment Card Industry Council issued security guidelines that
are stricter and are meant for any retailers, banks or credit card companies that process credit
card transactions. Noncompliance with the security guidelines could result in fines. Many
agencies have increased their oversight of the security measures that companies are expected to
follow and maintain. In 2011 the Securities and Exchange Commission (SEC) released guidance
for publicly traded companies regarding their obligation to release and disclose incidents of
cyberattacks (Clarke & Olcott, 2014). The Chairman of the Commerce, Science and
Transportation Committee teamed up with four United States Senators to write a letter to the
Chairman of the U.S. Securities and Exchange Commission asking for clarification of disclosure
requirements and reiterating the importance of information sharing by telling her that:
Securing cyberspace is one of the most important and urgent challenges of our
time. In light of the growing threat and the national security and economic
ramifications of successful attacks against American businesses, it is essential that
corporate leaders know their responsibility for managing and disclosing
information security risk. (Rockefeller, Menendez, Whitehouse, Warner, &
Blumenthal, 2011)
Cybersecurity issues are not something just for the IT department to decipher and
manage. Boards of directors and executives of companies need to educate themselves regarding
data security within their respective organizations because they are now being held accountable
for failure to secure data. Accountability goes all the way up the ladder, and prioritizing and
overseeing risk management is an added responsibility they
must endure. After all, a business is in the business of making money and the financial and
economic impact of a data breach could result in lawsuits, operational and reputational damage
along with the loss of their competitive advantage.
There are no laws that mandate notifications; notifications are all voluntary. Since it is a
voluntary system, it is uncertain what information to release and to whom to release it. Some
kind of balance is needed to give the private sector liability protection from the public
sector if security breach information is released. Some might say that partnering up with the
government might hinder some situations that can cause further harm. There are proactive
measures that a company can take but how far can they legally go without the assistance of the
government? The challenge here is to have some kind of protection against breaches so that there
will be open communication between the public-private sector in order to solve and prevent
cyber issues. There is insurance available to organizations, similar to the identity theft
protection insurance for individuals, which will protect them by absorbing some of the costs
related to data breaches. But without timely information, the ability to limit the damage of
cyberattacks diminishes and more companies may fall victim to the same attack. An important
step in uniting against cybercrimes is awareness of various situations as they are happening. No
one sector can fight the fight alone. The need for an environment where information sharing and
collaboration is done in a timely and relevant manner is essential if we are to mitigate cyber
risks.
Unite in the Fight against Cybercrimes
Organizations are always weighing the pros and cons of information sharing. Does the
risk of sharing versus not sharing impact the organization in a negative way? Misinterpreted
information or late information can be detrimental to any organization public or private. The
turnaround in the mindset of the public-private sectors is the result of the many recent data
breaches such as the Target breach, which rocked and ruined many consumers’ 2013 holiday season.
Other recent data breaches include Neiman Marcus, White Lodging, Michaels, 11 casinos
spanning across 4 states (Nevada, Colorado, Iowa and Missouri), and The Home Depot just to
name a few. The responsibility of a failed attempt to secure the information highway falls on the
public-private sectors. Neither can protect against cyber risks alone. Both sectors know that it
will be impossible to attain 100 percent security of their systems so there is a need to change
behaviors in a positive way in order to reduce cyber risks.
Senator Tom Carper (D-Del), Ranking Member of the Homeland Security and
Governmental Affairs Committee stated this challenge the best:
Given the threats we face today in cyber space, it’s imperative that Congress, the
Administration, and stakeholders work together on legislation to bolster our
nation’s cyber defenses, and do so with a sense of urgency. (Committee, 2015)
The public sector is stepping up its efforts in this war against cybercrimes by working
to pass bills, working on amendments and passing resolutions. Democrats and Republicans alike
are joining forces to sponsor bills and legislation that work towards protecting our great nation
against cybercrimes. Anyone interested in seeing the progress the public sector is making towards
this fight can look at Congress.gov, which shows the progress that both the House and Senate
are making toward cybersecurity. You will not find one piece of legislation or bill that will cover all
aspects that concern both the public and private sector. As a result you will find that the public
sector is constantly working to introduce new bills with information not covered previously or
amend bills to cover concerns of both parties.
Public Sector Contribution
President Obama is stepping up to the plate and pushing cybersecurity efforts by
announcing new proposals and urging Congress to pass any legislative efforts that are presented.
It is the President’s goal to protect the nation’s cyber world against cyberattacks that affect both
the public and private sectors. He is urging Congress to put partisanship aside and work together to
advance proposals to resolve the challenges of information sharing between the public and
private sectors. The latest action by the White House shows that the government is clearly aware
of the need for information sharing between the public and private sector. They are also aware
that mandating specific information sharing would place an undue burden on the private sector.
To address these concerns, any proposed legislation or bill provides voluntary standards for
information sharing. In January 2015, new legislation was announced by President Obama that
addresses privacy concerns along with concerns regarding private sector liability. This specific
bill includes wording stating that the voluntary information sharing is to include only
indicators specifically related to the technical aspect of the threat. Any
person’s private information is to be removed before the threat information is shared. In
addition, privacy concerns and liability protection are also specifically addressed in this new
legislation to protect the private sector when sharing cyber threat information with the public
sector. No new bill or legislation is ever going to be perfect and please all sectors all the time
but this legislation does show that the public sector is making a good faith effort to address the
privacy and liability concerns that many in the private sector have that prevent them from sharing
information with the public sector.
Although each bill and piece of legislation seems to blur together at times, each addresses,
revises or modifies specific concerns raised by both the public and private sectors. Other recent
announcements of advancements in the cybersecurity area include:
The Protecting Cyber Networks Act (sponsor: Rep. Nunes, Devin (R-CA-22)), which has
passed the House and was received in the Senate, aims to help the private sector share cyber threat
information by removing some legal obstacles. Although some might say that the far-reaching
interpretation of this bill could be abused by some public agencies, this bill is meant to set stern
requirements on how the public agencies can use information they obtain (Congress, 2015).
The Cybersecurity Information Sharing Act of 2015 (CISA) (U.S. Senate Committee,
2015) was approved by the Senate Select Committee on Intelligence. This bill allows for the
sharing of information between the government and the private sector with liability protection so
as to facilitate the sharing of data relating to cybersecurity threats. This bill, like others that are
up for consideration, reiterates that information sharing is voluntary, that the private sector needs
only to share information as it relates directly to the cybersecurity threat, and that the information
is to be used for cybersecurity resolutions only. Vice Chairman Dianne Feinstein (D-Calif.)
made it very clear that the main objective of this bill is to have the public-private sectors “share
information about cybersecurity threats – NOT personal information – in order to better defend
against attacks” (Committee, 2015).
The Cyber Intelligence Sharing and Protection Act (CISPA) was introduced to address the “real-
time sharing of actionable, situational cyber threat information” (Congress, 2015) between the
public-private sectors.
National Cybersecurity Protection Advancement Act of 2015 has passed the House and is
an amendment to the Homeland Security Act of 2002 that improves the sharing of information in
addition to clarifying privacy protection as it relates to cybersecurity risk. This measure won
with an overwhelming House vote of 355 to 63 in favor of the bill. The next step for this
legislation is to pass the Senate and head for the President’s desk for signature (Congress,
2015).
The key to any policy, strategy or initiative is “real-time” information sharing and
“actionable intelligence” (U.S., 2014), which many of the above bills reiterate. Legislation that
reinforces the ability of all entities to work together to develop a more effective agenda to
react to cyber threats is what the President is striving for. Trust starts with communication and
the public sector is making great strides towards building a professional relationship with the
private sector by listening to their concerns and adopting those concerns in recently presented
bills. The greater the trust that is developed, the more comfortable and effective communication and
information sharing between the public and private sector will become, and the
flow of information will happen (Givens & Busch, 2013).
No one entity can ward off cyber threats alone. There needs to be a solid collaboration
between the public-private sectors to promote awareness, educate and share information that is
not only “relevant, timely, but actionable” (C-Span, 2014). The government is making every
effort to address concerns that the private sector raises regarding information sharing that will
better protect themselves and their customers. President Obama is pushing the government to
come up with ways to better communicate cyber threats and so he “directed the Director of
National Intelligence (DNI) to establish the Cyber Threat Intelligence Integration Center
(CTIIC)” (The White House, n.d.). This center was created to coordinate efforts to better assess
cyber threats, share information rapidly with other existing government cyber groups about
current threats and those individuals that are involved. President Obama’s commitment to fight
cybercrimes is backed up with $14 billion added to the new budget to protect networks,
governments and others, in addition to critical infrastructures. Lisa Monaco, who is the assistant
to the president for homeland security and counterterrorism, stated that the private sector can and
should expect the public sector to respond quickly when they share cyber information. She
specified that the public sector will (Pellerin, 2015):
-- Provide as much information as it can about the threat to help companies
protect their networks and critical information;
-- Coordinate a quick and unified response from government experts, including
those at the Department of Homeland Security and the FBI;
-- Look to determine who the actors are and hold them to account; and
-- Bring to bear, as government experts respond to attacks, all the available tools
and draw on the full range of government resources to disrupt threats.
An excellent example of collaboration to fight cybercrimes is the Sony Pictures
Entertainment attack. Within hours of the intrusion, Sony contacted the FBI and they were able
to join forces during the investigation of the cyber incident. (Federal Bureau of Investigation,
2014) Through Sony’s rapid reporting of the attack, the FBI was able to use their resources to identify
who was behind the attacks. The public sector is committed to working with the private sector
and will continue to do so in a way that will protect the civil and privacy rights of all involved.
Another example of the effort the government is making to improve information sharing
is an “online collaboration called Project Interoperability” (Paul, 2014). This is a platform that
will enable both the government and the private sector to not only share information but to work
together to develop techniques and standards to fight cybercrime. The project’s website states
that “information interoperability is the ability to transfer and use information in a consistent,
efficient way across multiple organizations and IT systems” (United States Government, n.d.).
This web-based tool is meant to develop a system of communication between the public-private
sectors so that no matter what level or role in the organization you have, you will be able to
utilize this website. The ability to share information with individuals who speak the same
language and have the same understanding of the struggles about safeguarding a system is
exactly the type of collaboration that is needed.
Public-Private Sectors Collaboration
For public-private collaboration to work, they need to be on the same page and speak the
same language when sharing information. Structured Threat Information Expression (STIX),
Cyber Observable eXpression (CybOX), and Trusted Automated eXchange of Indicator
Information (TAXII) are three tools that will aid both the public and private sector to focus on
the collection and distribution of cyber threats between the two sectors. These tools are
constantly evolving as more members join to exchange cyber threat information. No tool is
perfect at its initial roll out and these three tools are no different. They will continue to improve
as both public and private sectors communicate and better define protocols, concepts and
specifics that are needed to combat cyber threats.
STIX uses a standardized, XML-based language to send data regarding cyber threats.
The MITRE Corp. and The Department of Homeland Security collaborated in developing this
tool to address issues like interoperability, threat indicators and mitigation efforts. The main
objective of this language was to make it flexible, automatable, extensible and easy to read by
everyone. Information that can be shared using this platform includes (Barnum, 2014):
• Cyber observables
• Indicators
• Incidents
• Adversary Tactics, Techniques, and Procedures
• Exploit Targets
• Courses of Action
• Cyber Attack Campaigns
• Cyber Threat Actors
Figure 2: A high level representation of how STIX works (Connolly, Davidson, Richard, &
Skorupka, 2012)
STIX is the language to communicate information and cyber observables are represented
in the Cyber Observable eXpression (CybOX) language. CybOX provides a tool for “addressing
cyber observables across and among this full range of use cases improving consistency,
efficiency, interoperability, and overall situational awareness” (Corporation, 2015). Trusted
Automated eXchange of Indicator Information (TAXII) is the means by which both STIX and
CybOX information is transported.
Establishing a mechanism for which all parties can share information is ineffective if
there is not a secure way to transport that information. Without a secure means of transporting
data, organizations will limit the type of information shared. TAXII is an exchange that allows
the transportation of cyber threat information. The exchange of detection, prevention and
mitigation efforts all can be sent in a secure way. With the ability to encrypt, authenticate, alert
and query between systems, TAXII enables organizations to not only leverage agreed standards
to “enable the sharing of actionable indicators” (Connolly, Davidson, Richard, & Skorupka, 2012)
but also enables timely and secure sharing of threat information.
Figure 3: A high level vision of how TAXII works (Connolly et al., 2012)
The ability for humans to manually digest data in large volumes in a timely manner and act on it
is near impossible. When it comes to minimizing damages and recovery time from cyberattacks,
time-sensitive action is necessary. Timely transfer of information can also reduce confusion to
allow the public-private sectors to better predict and anticipate future events. These tools allow
for proper communication and actionable information to be shared in a timely manner.
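The following Python sketch is an added example, not part of the original paper or of the STIX/TAXII tooling. It illustrates the principle discussed above of sharing only technical indicators, with personal information removed, as a machine-readable XML package; the incident notes are constructed, and the element names (`ThreatPackage`, `Indicator`) and the producer value are simplified assumptions, not the STIX or CybOX schema.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed analyst notes (not real data): indicators mixed with personal details.
RAW_INCIDENT = """\
2015-03-02 09:14 ticket opened by jane.doe@example.com (Jane Doe, ext. 4471)
Card 4111 1111 1111 1111 declined after POS terminal contacted 203.0.113.45
Dropper sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
fetched from update.bad-domain.example; second callback to 198.51.100.7
Reported workstation belongs to john.smith@example.com
"""

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def extract_indicators(text):
    """Allow-list extraction: return only typed technical indicators.

    Free text is never forwarded, so names, phone extensions and card
    numbers are dropped by construction rather than by a block-list.
    """
    # Remove e-mail addresses first; otherwise their domain part would be
    # picked up as a "domain indicator" and reveal who reported the incident.
    scrubbed = EMAIL.sub(" ", text)

    ips = set()
    for candidate in IPV4.findall(scrubbed):
        try:
            ips.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            pass  # e.g. 999.1.1.1 looks like an address but is not one

    return {
        "ipv4": sorted(ips),
        "sha256": sorted({h.lower() for h in SHA256.findall(scrubbed)}),
        "domain": sorted({d.lower() for d in DOMAIN.findall(scrubbed)}),
    }


def build_package(indicators, producer="org-placeholder"):
    """Serialize indicators into a simplified XML package (illustrative layout)."""
    root = ET.Element("ThreatPackage", {"producer": producer})
    for kind in sorted(indicators):
        for value in indicators[kind]:
            node = ET.SubElement(root, "Indicator", {"type": kind})
            node.text = value
    return ET.tostring(root, encoding="unicode")


def parse_package(xml_text):
    """Receiving side: read (type, value) pairs back out of the package."""
    root = ET.fromstring(xml_text)
    return [(n.get("type"), n.text) for n in root.findall("Indicator")]


def leaks_personal_data(text):
    """Pre-send check: flag e-mail addresses or card-like digit runs."""
    return bool(EMAIL.search(text) or CARD.search(text))


if __name__ == "__main__":
    package = build_package(extract_indicators(RAW_INCIDENT))
    print(package)
    print("raw notes leak personal data:", leaks_personal_data(RAW_INCIDENT))
    print("package leaks personal data:", leaks_personal_data(package))
```

The e-mail scrub before domain matching is the step that matters: without it, `example.com` from the reporter's address would be shared as if it were a threat indicator.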
Private Sector Contribution
Information sharing between the public and private sectors is
important enough that both individuals and companies are collaborating to produce
methods to share data securely. They believe in their methods so much that they have applied
for, and are waiting for or have been granted, United States patent protection. In November 2014,
the United States Patent and Trademark Office (USPTO) held an information session to discuss
the efforts of both the public and private sector to combat cybercrimes. TC2400 is the
technology center where patent applications in the field of information security are examined.
Subject matters related to data and user protection, security policies, access control, monitoring,
and countermeasures are the area of concentration for TC2400. The USPTO is enthusiastic
about examining cybersecurity patents and is aware that its examiners, currently numbering
200 who are dedicated to this technology, need further training in order to better
understand the specific nature of best standards and emerging technology. Currently the average
time from initial filing to first action by an examiner is about 16 months, and granting patent
protection could take about three years. With the speed that technology changes and cyber
threats increase, there is a need for the USPTO to somehow accelerate the process.
There are organizations that are taking the initiative to develop methods and standards to
better protect themselves. The top 5 companies filing patent applications in the field of
information security are: IBM (173 patents), Symantec (103 patents), Google (71 patents),
Microsoft (67 patents) and Samsung (64 patents) (United States Patent and Trademark Office,
2014).
Large corporations are not the only organizations that are developing improved responses
to cyber threats. Swan Island Networks, Inc. is a company based out of Portland, OR, that
provides business intelligence solutions. They started out as a software engineering lab working
with the U.S. government and in 2009 took their R&D to the private sector. The Trusted
Information Exchange Service (TIES) was launched and currently “help protect more than 250
large enterprises and 20% of Fortune 100 companies every day” (Swan Island Networks, 2015).
Being the innovators that they are, they filed a patent application in April 2013 for “Human-
Authorized Trust Service”, patent application number 20130312115 (Jennings & Jones). The
claims of this patent application define methods that allow trusted access to data between two
parties. This application is currently in the review process and has not yet been granted
exclusive rights and protection.
Another private sector company, Norse Corporation, a leader in live attack intelligence
based out of Mateo, CA has also filed a patent application (patent application number:
61508493) in July 2012. Their patent claims define systems and methods for “gathering,
classifying, and evaluating real time security intelligence data concerning security threats
presented by an IP address, and reporting in real time the degree and character of such security
threats” (USPTO, 2012). Their application is currently in the review process and has not yet
been granted exclusive rights and protection.
The USPTO embraces the role the private sector is playing in cybersecurity. Their goal
is to work diligently to approve innovative products and services as quickly and efficiently as
possible.
Conclusion
With the ever growing and real threats cybersecurity poses, the need to mitigate cyber
risks is crucial. There is no easy solution to the cybersecurity challenge of information sharing.
There is no foolproof protection against cyberattacks and navigating through best practices and
standards starts with information sharing. President Obama, early in his first term, made
cybersecurity a priority. The President is constantly making noise about cybersecurity and how
the public-private sector must work together to come up with a mutually agreed upon method for
information sharing. The public sector is working to improve by introducing new legislation and
updating previous ones to address concerns from both sectors. They are committed to pull
together all their resources to coordinate responses to breaches in a united timely manner. In
addition, they will work to break through the barrier that is preventing timely, actionable
information sharing by providing quantifiable information regarding a cyber-threat or
cyberattack that will help the private sector to better protect their systems and other critical
information. The threats in the cyber domain can get complicated but through coordinated
efforts from both the public and private sector, preemptive measures can be taken to mitigate
cyberattacks remembering that this is a two-way street. If the public sector is willing to share
information then the private sector must reciprocate in kind with the same quantifiable
information.
The private sector needs to remember that information on cyber threats covers limited
technical type of information and should not let the fear prevent them from open communication
with the many government agencies. The challenge here is to have some kind of protection
against breaches, the sharing of privileged information and liability concerns so that there will be
open communication between the public-private sector in order to solve and prevent cyber
issues. The private sector made their concerns known and the public sector has responded by
approving legislation such as The Cybersecurity Information Sharing Act of 2013 (CISA).
President Obama’s executive directive has made it very clear that his administration is putting
cybersecurity at the top of their priority list. The private sector needs to do the same and learn
from the lack of communication that caused the many data breaches of 2014. The consequences
of not making cybersecurity a top priority within the organization will lead not only to data theft
but also to reputation loss and loss of customers, not to mention the cost involved due to a
cyberattack. Given the sophisticated nature of some of the cyberattacks, a disaster is in the
making if cybersecurity is not made a priority. Cultural changes will need to be made within the
private sector because although cybersecurity is technical in nature, the way cybersecurity is
managed is human. Changing the mindset of the private sector starts at the executive level of an
organization to effectively combat cyber-threats in a timely fashion.
As President Obama’s presidential term is coming to an end, his cybersecurity initiative
needs to continue with the next administration. It should not matter whether the next president is
Democratic or Republican because cyberattacks do not care what party you represent. We need
to do more to strengthen security in the cyber domain so that we can create a better world for our
children. There is always going to be a need to reiterate that open communication and
information sharing between the public-private sectors will be an ongoing challenge.
Collaboration is the key to unite in the fight against cybercrimes and the public-private sector
must jump in with both feet to educate each other so that every action to mitigate a cyber-threat
will be timely, significant and actionable.
References
Barnum, S. (2014, February 20). Standardizing cyber threat intelligence information with the
Structured Threat Information eXpression (STIX). MITRE Corporation, v1.1, Rev. 1.
Retrieved from http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.1.pdf
Brill, J. (2014, November 6). What's past is prologue: FTC's competition and consumer
protection priorities. Presenter at the ABA Fall Forum Keynote Address. Retrieved from
https://www.ftc.gov/es/system/files/documents/public_statements/597211/141106abafallforum-2.pdf
C-Span. (2014, August 22). Cybersecurity challenges. Retrieved from
http://www.c-span.org/video/?321116-7/discussion-cybersecurity-threats
Carton, B. (2014, May 29). ISS recommends ouster of seven Target directors for data breach
failures. Retrieved from
https://www.complianceweek.com/blogs/enforcement-action/iss-recommends-ouster-of-seven-target-directors-for-data-breach-failures#.VUBi_iFVhBc
Cichonski, Millar, Grance, & Scarfone. (2012, August). National Institute of Standards and
Technology (U.S.), Special Publication 800-61 (SP 800-61, rev. 2). Computer security
incident handling guide: Recommendations of the National Institute of Standards and
Technology. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards
and Technology.
Clarke, R., & Olcott, J. (2014, March). The board's role in cybersecurity. Retrieved from
http://www.kispertgroup.com/wp-content/uploads/2014/06/Good_Harbor_Directors_Note_Cyber.pdf
Committee, I. (2015, March 18). Senate Intelligence Committee introduces cybersecurity bill,
addresses privacy concerns. Retrieved from
http://www.intelligence.senate.gov/press/record.cfm?id=358715
Committee, U. S. (2015, March 12). Sen. Carper statement on the cybersecurity information
sharing act (CISA). Retrieved from
http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa
Congress, 1. (2015, February 2). H.R.234 - Cyber Intelligence Sharing and Protection Act.
Retrieved from
https://www.congress.gov/bill/114th-congress/house-bill/234?q=%7B%22search%22%3A%5B%22cyber+intelligence%22%5D%7D
Congress, 1. (2015, April 22). H.R.1560 - Protecting cyber networks act. Retrieved from
https://www.congress.gov/bill/114th-congress/house-bill/1560?q=%7B%22search%22%3A%5B%22The+Protecting+Cyber+Networks+Act%22%5D%7D
Congress, 1. (2015, April 23). H.R.1731 - National cybersecurity protection advancement act of
2015. Retrieved from
https://www.congress.gov/bill/114th-congress/house-bill/1731?q=%7B%22search%22%3A%5B%22cybersecurity%22%5D%7D
Connolly, J., Davidson, M., Richard, M., & Skorupka, C. (2012, November 8). The trusted
automated eXchange of indicator information (TAXII). Retrieved from
http://taxii.mitre.org/about/documents/Introduction_to_TAXII_White_Paper_November_2012.pdf
Corporation, MITRE. (2015, April 14). CybOX, v2.1. Retrieved from http://cybox.mitre.org/
Denning, P. J., & Denning, D. E. (2010). Discussing cyber attack. Communications of the ACM,
53(9), 29-31.
Federal Bureau of Investigation. (2014, December 29). Update on Sony Investigation. Retrieved
from http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation
Federal Trade Commission. (2012, June 26). FTC files complaint against Wyndham hotels for
failure to protect consumers' personal information. Retrieved from
https://www.ftc.gov/news-events/press-releases/2012/06/ftc-files-complaint-against-wyndham-hotels-failure-protect
Fernandez Vazquez, D., Pastor Acosta, O., Brown, S., Reid, E., & Spirito, C. (2012, June).
Conceptual framework for cyber defense information sharing within trust relationships.
In Cyber Conflict (CYCON), 2012 4th International Conference on (pp. 1-17). IEEE.
Germano, J. H. (2014, October). Cybersecurity partnerships: A new era of public-private
collaboration. Retrieved from
http://www.lawandsecurity.org/Portals/0/Documents/Cybersecurity.Partnerships.pdf
Givens, A. D., & Busch, N. E. (2013). Information sharing and public-private partnerships: The
impact on homeland security. Retrieved from
http://www.austengivens.com/wp-content/uploads/2013/05/Givens-and-Busch_Information-Sharing-and-Public-Private-Partnerships.pdf
Givens, A. D., & Busch, N. E. (2013). Realizing the promise of public-private partnerships in US
critical infrastructure protection. International Journal of Critical Infrastructure
Protection, 6(1), 39-50.
Hearing before the Committee on Armed Services, House of Representatives, 12th Congress
(March 16, 2011). National defense authorization act for fiscal year 2012: (H.A.S.C. No.
112-26). (statement of General Keith B. Alexander, US Cyber Command). Retrieved
from http://fas.org/irp/congress/2011_hr/cybercom.pdf
Jennings, C., & Jones, D. M. (2013, November 21). Publication 20130312115 - Human-
authorized trust service. Retrieved from
http://www.ptodirect.com/Results/Publications?p=1&r=34&query=%40PD%3E%3D20131119%3C%3D20131125
John, P. (2014, March 18). Target breach lesson: PCI compliance isn't enough. Retrieved from
http://www.technewsworld.com/story/80160.html
Kissel, R. (2013, May). National Institute of Standards and Technology (U.S.) (NISTIR 7298,
rev. 2). Glossary of key information security terms.
Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445
billion annually. Retrieved from
http://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
National Institute of Standards and Technology. (2014, February 12). Framework for improving
critical infrastructure cybersecurity. Retrieved from
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
Navare, J., & Gemikonakli, O. (2010, September). Governance and risk management of network
and information security: the role of public private partnerships in managing the existing
and emerging risks. Paper presented at the Global Security, Safety, and Sustainability –
6th International Conference, ICGS3, Braga, Portugal. Retrieved from
https://www.researchgate.net/publication/221193068_Governance_and_Risk_Management_of_Network_and_Information_Security_The_Role_of_Public_Private_Partnerships_in_Managing_the_Existing_and_Emerging_Risks
Norton, S. (2014, September 30). Former NSA director: Better information sharing needed on
cybersecurity. Retrieved from
http://blogs.wsj.com/cio/2014/09/30/former-nsa-director-better-information-sharing-needed-on-cybersecurity/
Pager, T. (2015, March 19). Private sector remains wary of government efforts to increase
cybersecurity collaboration. Retrieved from
http://nationalsecurityzone.org/site/private-sector-remains-wary-of-government-efforts-to-increase-cybersecurity-collaboration/
Paul, K. (2014, March 24). Fork it, grab it, use it: Announcing project interoperability.
Retrieved from
http://www.ise.gov/blog/kshemendra-paul/fork-it-grab-it-use-it-announcing-project-interoperability
Pellerin, C. (2015, February 11). New threat center to integrate cyber intelligence. Retrieved
from http://www.defense.gov/news/newsarticle.aspx?id=128164
Ponemon Institute LLC. (2014, May). 2014 cost of data breach study: United States. Retrieved
from http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=GTSE_SE_SE_USEN&htmlfid=SEL03017USEN&attachment=SEL03017USEN.PDF#loaded
Ponemon Institute LLC. (2014, October). 2014 Global report on the cost of cyber crime.
Retrieved from https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf
Prieto, D. (2006). Information sharing with the private sector. Seeds of disaster, roots of
response: how private action can reduce public vulnerability.
Retrieved from
https://scholar.google.com/citations?view_op=view_citation&continue=/scholar%3Fq%3Dprieto%26hl%3Den%26as_sdt%3D0,16%26scilib%3D1&citilm=1&citation_for_view=ZLNwTTgAAAAJ:2osOgNQ5qMEC&hl=en&oi=p
Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed alarms and 40
million stolen credit card numbers: How target blew it. Retrieved from
http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
Rockefeller, J. D., Menendez, R., Whitehouse, S., Warner, M., & Blumenthal, R. (2011, May
11). Letter to Ms. Mary Schapiro, Chairman U.S. Security and Exchange Commission.
Retrieved from
http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=4ceb6c11-b613-4e21-92c7-a8e1dd5a707e
Rosenbush, S. (2014, June 20). Former NSA Chief Mike McConnell says culture, not tech, is
key to cyber defense. Retrieved from
http://blogs.wsj.com/cio/2014/06/20/former-nsa-chief-mike-mcconnell-says-culture-not-tech-is-key-to-cyber-defense/
SIFMA. (2014, October 20). Principles for effective cybersecurity regulatory guidance.
Retrieved from http://www.sifma.org/issues/item.aspx?id=8589951691
Swan Island Networks. (2015). About Swan Island Networks, Inc. doi:swanisland.net/company
Symantec. (2015, April). Internet security threat report. V20. Retrieved from
https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf
U.S. (2014, November 3). Partners in cybercrime prevention. Retrieved from
http://www.nationaljournal.com/library/198396
United States Department of Justice. (n.d.). What is FOIA? Retrieved from
http://www.foia.gov/index.html
United States Government. (n.d.). Project Interoperability. project-interoperability.github.io/
United States Patent and Trademark Office. (2014, November 14). Cybersecurity partnership.
Retrieved from
http://www.uspto.gov/about/contacts/phone_directory/pat_tech/nov2014-cybersecurity-partnership-presentation.pdf
United States Senate Committee. (2015, March 12). Sen. Carper statement on the cybersecurity
information sharing act (CISA). Retrieved from
http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa
USPTO. (2012, July 16). Norse Corporation Patent Appl. No.: 13/550,354. Retrieved from
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=3&f=G&l=50&co1=AND&d=PTXT&s1=cybersecurity&s2=google&OS=cybersecurity+AND+google&RS=cybersecurity+AND+google
White House. (n.d.). The comprehensive national cybersecurity initiative. Retrieved from
http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative
The White House. (2015, February 25). Fact sheet: Cyber threat intelligence integration center.
Retrieved from
https://www.whitehouse.gov/the-press-office/2015/02/25/fact-sheet-cyber-threat-intelligence-integration-center

Public-Private Cybersecurity Collaboration

  • 1. Running head: PUBLIC-PRIVATE INFORMATION SHARING 1 Cybersecurity Challenge: Public-Private Sectors - Information Sharing Deloris Bryant CRJ-475Z – Senior Project Dr. Shanna Van Slyke May 12, 2015
  • 2. PUBLIC-PRIVATE INFORMATION SHARING 2 Abstract Even though there is fear among the private sector regarding information sharing when it comes to cybersecurity, there should be information sharing between the public-private sectors because collaboration is the key to unite in the fight against cybercrimes. Cybersecurity is a shared responsibility and collaboration is the key to unite in the fight against cybercrimes and to promote awareness, educate each other and share information that is not only timely and significant but also actionable. The greater the trust that is developed, the effectiveness of the communication and information sharing will become more comfortable and the flow of information will happen. This research paper will bring to the forefront the need and importance of information sharing; analyze the concerns raised by many companies and how sharing information can be done effectively. Keywords: cybersecurity, cyberattacks, information sharing, public-private sectors
  • 3. PUBLIC-PRIVATE INFORMATION SHARING 3 Cybersecurity is a critical issue that faces the entire spectrum of society. Incidents of cyberattacks and threats are real and the need for more collaboration is unyielding. The complexity, sophistication and ever-evolving threat environment that exists puts cybersecurity out of reach of any single entity. Cybersecurity is not something that can be ignored by the government, individuals or corporations. The expanding problem with cyberattacks has brought up the need for companies to work with various agencies of the government that are involved with cybersecurity investigations, mitigation efforts or regulating cybersecurity standards. Government involvement means that companies will be working with agencies that may have a totally different agenda when it involves cyberattacks. It is important that both the public and the private sector navigate through the cyber process together. Navigating together would mean that there is a need to share information on cyber threats, but many continue to be untrusting for fear of regulatory laws and liability concerns. Even though there is fear among the private sector regarding information sharing when it comes to cybersecurity, there should be information sharing between the public and private sector because collaboration is the key to unite in the fight against cybercrimes and to promote awareness, educate each other and share information that is not only timely and significant but also actionable. The greater the trust that is developed, the effectiveness of the communication and information sharing between the public-private sectors will become more comfortable and the flow of information will happen. This research paper will bring to the forefront the need and importance of information sharing; analyze the concerns raised by many companies, and how sharing information can be done effectively.
  • 4. PUBLIC-PRIVATE INFORMATION SHARING 4 Importance of Information Sharing General Keith Alexander chief of the US Cyber Command spoke before congress to advise them that seventy-five percent of the country’s computers have been exploi ted by criminals (Hearing before the Committee on Armed Services, House of Representatives, 12th Congress, March 16, 2011). Are we doing enough to protect ourselves against cybercrimes? You turn on the news or surf the web and more than not you will hear or read of another incident of cyber theft. The Center for Strategic and International Studies estimates a loss of $100 billion in intellectual property alone in the U.S. This estimate is about 0.6% of the U.S. economy and this number does not even include other types of cybercrimes (Nakashima & Peterson, 2014). So what exactly are cyber incidents? The National Institute of Standards and Technology (NIST) Special Publication 800-61 (rev. 2) defines security incidents as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices” (Cichonski, Millar, Grance, & Scarfone, 2012). Additional related terms are also defined by NIST as “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies” (Kissel, R, 2013). Now that we have a clear understanding of what cyber incidents are, the sharing of information as it relates to cyber incidents is to pull together the strengths of the public-private sectors in order to respond to cyber threats, attacks, and vulnerabilities. A joint effort is needed if we are to prevent and mitigate cyber incidents in this every changing cyber world. 
A defensive and innovative approach will be required if we are to overcome the next wave of attacks.
  • 5. PUBLIC-PRIVATE INFORMATION SHARING 5 A survey conducted by the Ponemon Institute sponsored by Hewlett-Packard involved 257 separate companies that agreed to participate and allowed the Ponemon Institute to perform an analysis of all costs incurred by their organization as a result of a cyber-incident. The survey found that the sophistication and number of breaches has increased 176 percent in the last 4 years. This survey also found that the average time to detect an attack was 170 days and although “some attacks take longer to resolve” the average time to resolve an attack once it was detected was 45 days (Ponemon Institute LLC, 2014). Figure 1: Time to resolve an attack (Ponemon Institute LLC, 2014) The financial losses incurred during this time could be in the millions to say nothing of the possibility of proprietary information or other private data being stolen. Another survey conducted by the Ponemon Institute, this time sponsored by IBM, involved 61 separate companies that experienced some kind of data breach. In 2014, unfortunately, many companies especially in the retail sector became front page news when a data breach occurred with their company. This survey looked into the consequences of data
  • 6. PUBLIC-PRIVATE INFORMATION SHARING 6 breaches. What they found was that $5.9 million was the cost incurred by companies due to getting hit by data breaches, on average. This figure is up from the $5.4 million the previous year. Loss of business cost went from $3.03 million to $3.2 million. These costs include but are not limited to reputation loss, loss of customers, and activities involved in try to acquire new customers. This survey also found that cyberattacks with the highest data breach costs were either criminal or malicious attack. With an average of $246 for every record that was compromised resulting from these two types of attacks makes for a very costly breach for any company to endure. This is followed by cyberattacks at the hands of employee’s mistakes or system glitches which has a much lower cost of $160 and $171, respectively (Ponemon Institute LLC, 2014). Although the studies above put dollars to incidents, it is really difficult to a put a solid figure for the cost of data breaches or any other type of cybercrimes. To say the least, improvements in information sharing between the public-private sectors regarding cyber threats would be cost-effective. Even though the public-private sectors try to protect themselves against any losses, private entities are looking at profit earnings and the bottom line where as the public sector is more concerned with not divulging intelligence as it relates to national security. Also the public sector focuses on who is responsible for the attacks whereas the private sector does not really care who is responsible they just want it to stop. Both sectors have different agendas but yet have the same issue. Early detection, termination or prevention of cyberattacks is a major benefit of information sharing. This sharing of information brings together parties that can and will complement each other in their abilities to unite in order to solve problems that they themselves cannot address individually. 
Technical data is at the top of the list of information that needs to
  • 7. PUBLIC-PRIVATE INFORMATION SHARING 7 be shared; additional information that should be included but not limited to risk assessment procedures and best practices. All participants require that only authorized parties view secure private and privileged information. Trust between all parties is needed for this flow of information to stream down the appropriate channels seamlessly. This would not only be a financial savings but also savings in manpower. The speed in which information is shared should be a priority for both sectors. The frequency of cyberattacks has increased to the point that some organizations fall behind in preventive measures that they fall victim to an attack. Delaying sharing information until all the ‘I’s are dotted and ‘T’s crossed make the information outdated and not actionable in this fast paced cyber domain. Any delay in getting critical information to the public-private sector can diminish its effectiveness to fend off a cyberattacks. Some organizations worry about sending information too early. This can be remedied by investigating all reliable information as soon as possible and then send the information with a disclaimer attached indicating that the information being sent is preliminary and that further investigation will be needed. Some recipients may already be aware of the situation and may already have an insight to a solution that worked for them. This is what information sharing is all about; forwarding and sharing timely information that is technical in nature to aid in the fight against cyberattacks. Developing Trust between the Public-Private Sectors Former NSA Director Keith Alexander stated at a cybersecurity panel hosted by PwC, “We need real-time or near real-time situational awareness, and we have got to have cyber legislation that allows us to go between industry and government to do that”. (Norton, 2014) The value of information is important as not to waste time, money and manpower on irrelevant information. 
Benefits of timely information sharing can be measured by the quality of
  • 8. PUBLIC-PRIVATE INFORMATION SHARING 8 information, cost savings, and relevance of the information that is shared. Trust is not a farfetched idea that we expect between the public-private sectors. You will never have 100 percent trust between these two sectors but when needed to prevent a crisis situation, temporary trust is needed in order to collaborate and pass along much needed information is desired. It can be said that “the partner you don’t trust today may be your best friend tomorrow” (Diego Fernandez Vazquez, Oscar Pastor Acosta, Brown, Reid, & Spirito, 2012). One needs to remember that trust is a two-way street. If low quality or generic information is passed along by the public sector; then the private sector will reciprocate by providing low quality or generic information. Remembering that an overwhelming number of infrastructures, hardware and software in use was developed and is managed by the private sector there are many instances where you will find that the public sector seeks out the private sector for help to respond to and prevent a cyber-incident. For the private sector, where a majority of the innovators are, they expect a quick turn around when communicating with the public sector and this is rarely the case when it comes to information sharing. The private sector is in the business of doing business and as such expects the value of information to be top notch. The trust between these two sectors diminishes due to the fact that the private sector truly believes that the public sector filters its communication. If we are truly going to be partners in crime to fight the fight in the cyber domain, then the challenge here is to commit to one another that information sharing will be done in a significant way (Givens & Busch, 2013, 6(1), 39-50). Neither sector can operate under the assumption that just because they are painting a pretty picture to make it look like they are committed to working together, that this is really the case. 
To really get a handle on cybersecurity, adding fluff to an already volatile situation does no one any good if that fluff is only filled with generic information. This is not the ideal way to develop trust between partners.

Risk Management

Trust and collaboration are vital to information sharing and protection when it comes to identifying vulnerabilities and threats. There are always risks that will arise out of the public-private sector collaboration, and risk management is vital for this type of partnership. However, this collaboration can intensify the distrust that exists between the public-private sectors. Retaining control over activities and decision making can make for a difficult partnership, but the trade-off is that you will have a comprehensive group that brings with them the expertise needed to manage risks. As they say, “two heads are better than one”. In this case, a positive to this relationship would be that the greater number of partners translates to diversified information that can prevent and manage risks of cyber threats (Navare & Gemikonakli, 2010).

Symantec did a study that showed the “most significant risk at 42%” (Navare et al.) is cyberattacks. In addition, Symantec created a report based on data collected through the last couple of years to show the increasing number of attacks and how intensive and damaging these cyberattacks can be to an organization. They show that there was a 23 percent increase in breaches between 2013 and 2014. The sector where the most identities were exposed was the retail sector at 59 percent (Symantec, 2015).
Figure 2: Symantec Data Breach Report for 2013-2014 (Symantec, 2015)

This holds true with the recent breaches at retail giants like Target, The Home Depot and Neiman Marcus. These numbers may seem staggering, but the key to risk management is real-time, actionable and timely information. There are various ways to manage risks, and depending on the type of organization, threats will be calculated and assessed internally; this is where the collaboration of public-private sectors comes into play. In order for collaboration to be effective, there needs to be a solid, mutually agreed understanding of the appropriate risk information that needs to be passed along to the decision makers. It is up to these decision makers to make sure that threat information is passed on with the appropriate mitigation plans, or at the very least a “heads up” message, so that others can collaborate to come up with a mitigation plan. Early, timely mitigation of threats is significant to risk management, and the cooperation of the public-private sectors is needed to accomplish this endeavor.
While progress may be slow and steady, the main objective here is to improve risk management to ensure that key concepts are understood by everyone. Cybersecurity specialists and experts in the public-private sectors need to coordinate, connect and join forces to define risk strategies at all levels. The main purpose of risk management is not only to help decision makers make better decisions in the cyber domain but also to prepare for and expect the worst. There is no reason to reinvent the wheel here. The public-private sectors all have some kind of risk management process currently in place. The task here is to incorporate organization-wide cyber risks into the already existing risk management plan. There is no way to predict when the next cyberattack will happen, but with the proper plan in place, attacks will be mitigated more quickly.

Regular communication is a vital part of information sharing. Improving awareness of current situations affecting the organization, not only within your organization but also with your counterparts in other organizations, impacts the effectiveness of the response to an attack or potential attack. Setting standards for detection and protecting systems will enable early, timely mitigation efforts. These standards should be tested regularly and improvements should be made as needed.

Finally, risk strategies fall at all levels, but oversight falls on the executives and board of directors of an organization. They control budgets and oversee the entire risk management plan. They are also the ones who are called on the carpet if a breach happens to their organization. It would be appropriate for them to make sure everyone is held accountable for their actions as they relate to the cyber risks within their organization. There is not a single organization out there that is 100 percent protected from a cyberattack.
As mentioned previously, communication is vital to mitigation efforts, but the public-private sectors are still hesitant to share information. One way to further the cooperation of the public-private sectors is to provide incentives with the intent to remove obstacles that could prevent information sharing between parties.

Incentives Can Go a Long Way

Mr. John M. McConnell, director of national intelligence under Presidents George W. Bush and Barack Obama and NSA director under Presidents George H.W. Bush and Bill Clinton, believes that information sharing is “the backbone of security” (Rosenbush, 2014). Mr. McConnell thinks that an effective and quick response to breaches could happen if behaviors within the public and private sectors changed so that there would be incentives for information sharing. One incentive would be legal protection should an entity share information regarding any breaches, threats or vulnerabilities. In addition, if we are to expand the idea of information sharing, then liability protection needs to be put in place to make sure that there are no repercussions from any regulatory bodies with which information is shared. Without this guarantee, the private sector will limit the amount of information it shares, which could be detrimental to others who may need that information.

Everyone knows that the public sector is pretty slow to respond and share information. The need here is for the public sector to share intelligence and security information in a timely manner, which it currently does not. Any hoops that one needs to jump through need to be eliminated so information can flow to the private sector. Without this timely flow of information, the private sector will never feel that the government is truly a partner in crime to fight any cyber threats that are present (Bucci, 2014). We need to work together proactively in dealing with cyber risks. The ability to limit the damage of cyberattacks diminishes without timely information. The biggest concern as it relates to limiting the damages of cyberattacks is, of course, the availability of timely information.
Generally, system administrators have control and the ability to detect activities within their systems. Given the apparent need for timely response to cyberattacks, who has the ultimate control to employ defensive measures and to transfer information related to an incident? Today no one administrator has control over any one system, which can limit the visibility of potential cyberattacks. In addition, technological restrictions on identifying and assessing an attack, along with policy concerns, further restrict timely information. There is a need to minimize damages with a proactive method of sharing timely information that will allow the public-private sectors to better predict and anticipate events, which in turn will enable them to respond in a precise, timely manner. The public sector does not see what the private sector sees; it does not see the footprints left behind in an attack. Cooperation from the private sector is needed so that the public sector can see what they see and get a better understanding of the attack so that future attacks can be prevented. Effective communication and understanding are needed in crucial areas, including (Denning & Denning, 2010, pg. 29-31):

• The relationship between an attack and recovery time
• Determining who initiated the attack so as to facilitate a timely and precise response
• Being able to evaluate the direct and indirect effects and damages of an attack
• Determining the requirements needed to receive warnings and indications of a potential cyber attack
• A firm understanding of exactly how attacks work so that the response can be effective

The speed of the notification process, and of notifying relevant personnel to handle and start the mitigation process, is essential. The quicker the notification process, the faster an assessment of a cyber-incident can happen and that information be passed along, leading to an improved success rate for mitigating the damages due to the attack. Benefits of information sharing can be difficult to distinguish, while the costs and risks of sharing information are direct and calculable (Prieto, 2006). Due to the vast landscape and complexities of cyberattacks, the speed of the incident and the massive breach of data that may be involved, establishing an effective approach can be a huge challenge.

There are steps that can be taken to ensure that information sharing is actionable and timely. The first major step is to recognize that there are many current public-private partnerships in existence and there is a need to leverage and build these partnerships into the cyber domain. A couple of additional steps in the right direction would include: identify weaknesses on both sides and work to strengthen those weaknesses, and address concerns regarding liability and privacy protection for the private sector.

Private Sector Concerns

“Cybersecurity is a shared responsibility.” (US-CERT, n.d.) The Computer Emergency Readiness Team (US-CERT) is an organization that is part of the Department of Homeland Security whose main goal is to improve communication regarding cybersecurity. They provide alerts about current exploits, vulnerabilities, breaches or any other security issues in a timely fashion. Partnership with the private sector is one goal they strive towards to better secure the cyber domain. Although US-CERT believes that responsibility should be shared, there is fear among the private sector regarding information sharing when it comes to cybersecurity. The private sector remains suspicious of government efforts to increase cybersecurity collaboration, and these concerns have been brought to the forefront by the recent increase in identity theft and data breaches. The private sector is worried that any information shared will be used by other regulatory agencies against them.
In addition, organizations tend to be reluctant to release information on cyber threats or attacks because this poses not only competitive concerns but also concerns regarding antitrust and privacy laws (SIFMA, 2014). Many in the private sector will only work with the government when they are in crisis mode instead of working with the government in an ongoing, proactive manner. This is an area that needs attention, and this barrier that is stopping the flow of information needs to be brought down. It is understandable that the level of sensitivity does play a role in what information is shared and how quickly that information is shared.

Giving up Control

The exchange of information between the public-private sectors is vital. During investigations (C-Span, 2014) it is too late. Instead there needs to be a step taken before the exchange of information, and that is collaboration. Although this would be the ideal solution, companies are still hesitant to share information or collaborate with other entities, which can lead to other companies becoming vulnerable to the same type of attacks (Information Technology Industry Council). The fear here is that companies do not want to give up control of their processes and risk allowing other entities to explore privileged information which can be discoverable through a Freedom of Information Act (FOIA) request (United States Department of Justice, n.d.). Many companies feel they are better equipped to handle a breach than the government, so why reach out and set off alarms when it is unnecessary? Handling it in-house without government interference allows them to keep control of the situation and have no worries about the government intruding into their systems. Every company has its own strategy in place to handle breaches or any security issues, and the fear is that the government will come in and change the strategy that is in place or mandate that they change their strategy because the government feels that it is inadequate.
Timing

Another issue with government involvement is timing. Everyone knows that when dealing with the government it is always a “hurry up and wait” scenario. Most of the problems lie with all the constraints and bureaucratic hoops some agencies have to jump through to get something done. If a company has to wait for the government’s involvement, the time to quickly implement a solution could be lost. Companies are independent and, given the government’s reputation for information leaks, they are understandably concerned about private/privileged information leaking and don’t need the “negative perception that this company has partnered “too closely” with the government” (Germano, 2014). There is also the issue of not knowing what agency, department or appropriate individual to contact in a breach situation. There needs to be some kind of clarity so that the private sector knows who to contact, what type of information to share and the appropriate time to share it. The public sector needs to do the same, but there is always some kind of constraint. The national security obligation, which may involve clearance issues that may restrict the government from releasing some of the information to the private sector, seems to be the major constraint. This is where balancing national security and other related restrictions may prevent proper public-private sector information sharing from happening more smoothly.

Negative Exposure and Liability

Many companies have a fear of negative exposure due to a security breach. If the public sector gets involved, then the fear is that they may be included in a press release that the government may feel is necessary to inform the general public. This will have a negative impact on the company before the company has a chance to thoroughly investigate the problem. What type of information is disclosed, when it is disclosed and whether the company is put in a bad light due to the breach is their concern. If concerns about public disclosures, data breaches and vulnerabilities in their systems are not enough, corporate executives are also facing legal liabilities for inadequate protection of their business. That is exactly what happened with Target when the government questioned the company’s best practices.

The Target data breach during the holiday season in 2013 is a good example of why the private sector has a fear of information sharing. Target was a victim of a sophisticated cyberattack that “resulted in the theft of 40 million credit card numbers, 70 million addresses, phone numbers, and other personal information” (Carton, 2014), and yet the government’s first reaction was to question the company’s best practices as they related to data privacy (Committee On Energy and Commerce, 2014). Target responded by stating that their security measures were “among the best-in-class” (Carton, 2014) and that they were “certified as meeting the standard for the payment card industry in September 2013” (John, 2014). Target paid the ultimate price for this breach, which resulted in a profit loss of 46 percent, and reportedly spent $61 million to try and rectify the situation (Riley, Elgin, Lawrence, & Matlack, 2014). Yes, the company made mistakes, but this “blame the victim mindset” (C-Span, 2014) needs to end so that the government and private sector can work together to prevent incidents like this from happening in the future.

Trust and Risk

The trust factor plays a very large and important role in sharing information between the public-private sectors; when the speed of the shared information increases, the risk of any unauthorized parties getting to information can be reduced.
The reluctance of some in the private sector to provide information to the public sector stems from their need to obtain assurance that any and all proprietary information, whether that is computer systems or their in-house strategy in dealing with incidents, will not be divulged. Liability concerns are obviously not only about customers’ private information or the breach itself but also about how well the company responded and how quickly the issue was resolved. Concerns about a breach leak have to do with claims of inadequacy on the company’s part. Disclosure of such information may trigger complaints of negligence, inadequate security protection or that the company misrepresented the severity of the situation. Despite the rising incidents of identity theft and data security breaches, many organizations deem the costs of adding security measures to be higher than the losses from cyber theft. As a result, organizations have absorbed any losses incurred by data security breaches rather than reveal a weakness in their cybersecurity procedures, all to save face and protect the reputation of the organization and the values that shareholders continue to expect.

Another liability concern that a company has involves the content and timing of the disclosure and notification of a breach. The Target breach was one instance where many of the complaints were about why the company did not notify the public sooner. A company’s reluctance to release any information could be due to regulatory issues. There are many government agencies that could reach out and grab a company for security or regulatory violations. These agencies all have their own agendas and a different idea of how to approach a security breach which is disclosed by a company. Some may encourage disclosure while others bring down the hand of the law, blaming companies for lack of security and holding companies liable for breaches, which in turn could lead to civil and criminal charges against anyone involved at the company.

Regulatory Issues

Some breaches go way beyond the when and how bad the breach is and what agencies will get involved.
The fear is not only about their own customers, clients and shareholders but also about agencies like the SEC, FTC, FCC, CFPB and others. All have different agendas, regulations and standards on how they approach a cyber-breach situation. The major fear for the private sector is regulatory laws. What if they are not following federal regulatory requirements? This is a risk that some companies are not willing to take in order to share information about a threat they may have found. The agencies feared the most are the FTC and the SEC.

The Federal Trade Commission (FTC) is a government agency that was initially “established to play a critical role in combating anticompetitive conduct and mergers” (Brill, 2014). Entering into the new age of technology, another area of consumer protection the FTC has begun enforcing is data security. They have litigated and settled with many companies for their failure to protect consumer data. The latest suit is against Wyndham Worldwide Corporation (Federal Trade Commission), a global hospitality company, and three of its subsidiaries, charging them with failures in their data security procedures which led to three data breaches in a matter of two years. The FTC claims that the company misrepresented its security measures to protect consumer information. After the first breach occurred, Wyndham failed to put additional security measures in place, not only to detect access that was not authorized but also to fix security vulnerabilities. This failure is what led to their data security being breached twice more in less than two years.

The FTC is not the only agency that has issued some kind of guidelines for organizations to follow when it involves data security. Following the latest data breaches involving retail giants like Target and Neiman Marcus, the Payment Card Industry Council issued security guidelines that are stricter and are meant for any retailers, banks or credit card companies that process credit card transactions. Noncompliance with the security guidelines could result in fines.
Many agencies have increased their oversight of the security measures that companies are expected to follow and maintain. In 2011 the Securities and Exchange Commission (SEC) released guidance for publicly traded companies regarding their obligation to release and disclose incidents of cyberattacks (Clarke & Olcott, 2014). The Chairman of the Commerce, Science and Transportation Committee teamed up with four United States Senators to write a letter to the Chairman of the U.S. Securities and Exchange Commission asking for clarification of disclosure requirements and reiterating the importance of information sharing by telling her that:

Securing cyberspace is one of the most important and urgent challenges of our time. In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk. (Rockefeller, Menendez, Whitehouse, Warner, & Blumenthal, 2011)

Cybersecurity issues are not something just for the IT department to decipher and manage. Boards of directors and executives of companies need to educate themselves regarding data security within their respective organizations because they are now being held accountable for failure to secure data. Accountability goes all the way up the ladder, and prioritizing and overseeing risk management is an added responsibility they must endure. After all, a business is in the business of making money, and the financial and economic impact of a data breach could result in lawsuits, operational and reputational damage along with the loss of their competitive advantage.

There are no laws that mandate notifications; notifications are all voluntary. Since it is a voluntary system, it is uncertain what information to release and to whom to release it. Some kind of balance is needed in liability protection for the private sector from the public sector if security breach information is released. Some might say that partnering up with the government might hinder some situations in a way that can cause further harm. There are proactive measures that a company can take, but how far can they legally go without the assistance of the government? The challenge here is to have some kind of protection against breaches so that there will be open communication between the public-private sectors in order to solve and prevent cyber issues. There is insurance available to organizations, similar to the identity theft protection insurance for individuals, which will protect them by absorbing some of the costs related to data breaches. But without timely information, the ability to limit the damage of cyberattacks diminishes and more companies may fall victim to the same attack.

An important step in uniting against cybercrimes is awareness of various situations as they are happening. No one sector can fight the fight alone. An environment where information sharing and collaboration are done in a timely and relevant manner is essential if we are to mitigate cyber risks.

Unite in the Fight against Cybercrimes

Organizations are always weighing the pros and cons of information sharing. Does the risk of sharing versus not sharing impact the organization in a negative way? Misinterpreted information or late information can be detrimental to any organization, public or private. The turnaround in the mindset of the public-private sectors is the result of the many recent data breaches such as the Target breach, which rocked and ruined many consumers’ 2013 holiday season. Other recent data breaches include Neiman Marcus, White Lodging, Michaels, 11 casinos spanning 4 states (Nevada, Colorado, Iowa and Missouri), and The Home Depot, just to name a few. The responsibility for a failed attempt to secure the information highway falls on the public-private sectors.
Neither can protect against cyber risks alone. Both sectors know that it will be impossible to attain 100 percent security of their systems, so there is a need to change behaviors in a positive way in order to reduce cyber risks. Senator Tom Carper (D-Del), Ranking Member of the Homeland Security and Governmental Affairs Committee, stated this challenge the best:

Given the threats we face today in cyber space, it’s imperative that Congress, the Administration, and stakeholders work together on legislation to bolster our nation’s cyber defenses, and do so with a sense of urgency. (Committee, 2015)

The public sector is stepping up its efforts in this war against cybercrimes by working to pass bills, working on amendments and passing resolutions. Democrats and Republicans alike are joining forces to sponsor bills and legislation that work towards protecting our great nation against cybercrimes. Anyone interested in seeing the progress the public sector is making in this fight can look at Congress.gov, which shows the progress that both the House and Senate are making toward cybersecurity. You will not find one piece of legislation or bill that will cover all aspects that concern both the public and private sectors. As a result, you will find that the public sector is constantly working to introduce new bills with information not covered previously or to amend bills to cover concerns of both parties.

Public Sector Contribution

President Obama is stepping up to the plate and pushing cybersecurity efforts by announcing new proposals and urging Congress to pass any legislative efforts that are presented. It is the President’s goal to protect the nation’s cyber world against cyberattacks that affect both the public and private sectors. He is urging Congress to put partisanship aside and work together to advance proposals to resolve the challenges of information sharing between the public and private sectors. The latest action by the White House shows that the government is clearly aware of the need for information sharing between the public and private sectors. They are also aware that mandating specific information sharing would place an undue burden on the private sector. To address these concerns, any proposed legislation or bill provides voluntary standards for information sharing.

In January 2015, new legislation was announced by President Obama that addresses privacy concerns along with concerns regarding private sector liability. This specific bill includes wording stating that the voluntary information sharing is to include only indicators specifically related to the technical aspect of the threat. Information related to any person’s private information is to be removed before the threat information is shared. In addition, privacy concerns and liability protection are also specifically addressed in this new legislation to protect the private sector when sharing cyber threat information with the public sector. No new bill or legislation is ever going to be perfect and please all sectors all the time, but this legislation does show that the public sector is making a good faith effort to address the privacy and liability concerns that many in the private sector have that prevent them from sharing information with the public sector.

Although the bills and legislation seem to blur together at times, each does address, revise or modify specific concerns raised by both the public and private sectors. Other recent announcements of advancements in the cybersecurity area include:

Protecting Cyber Networks Act (sponsor: Rep. Nunes, Devin (R-CA-22)), which has passed the House and was received in the Senate, aims to help the private sector share cyber threat information by removing some legal obstacles.
Although some might say that the far-reaching interpretation of this bill could be abused by some public agencies, this bill is meant to state stern requirements on how the public agencies can use information they obtain. (Congress, 2015)

The Cybersecurity Information Sharing Act of 2015 (CISA) (U.S. Senate Committee, 2015) was approved by the Senate Select Committee on Intelligence. This bill allows for the sharing of information between the government and the private sector with liability protection so as to facilitate the sharing of data relating to cybersecurity threats. This bill, like others that are up for consideration, reiterates that information sharing is voluntary, that the private sector needs only to share information as it relates directly to the cybersecurity threat, and that the information is to be used for cybersecurity resolutions only. Vice Chairman Dianne Feinstein (D-Calif.) made it very clear that the main objective of this bill is to have the public-private sectors “share information about cybersecurity threats – NOT personal information – in order to better defend against attacks” (Committee, 2015).

The Cyber Intelligence Sharing and Protection Act (CISPA) was introduced to address the “real-time sharing of actionable, situational cyber threat information” (Congress, 2015) between the public-private sectors.

The National Cybersecurity Protection Advancement Act of 2015 has passed the House and is an amendment to the Homeland Security Act of 2002 that improves the sharing of information in addition to clarifying privacy protection as it relates to cybersecurity risk. This measure won with an overwhelming House vote of 355 to 63 in favor of the bill. The next step for this legislation is to pass the Senate and head to the President’s desk for signature. (Congress, 2015)

The key to any policy, strategy or initiative is “real-time” information sharing and “actionable intelligence” (U.S., 2014), which many of the above bills reiterate. Legislation that reinforces the capability of all entities to work together to develop a more effective agenda to react to cyber threats is what the President is striving for.
Trust starts with communication and
  • 25. PUBLIC-PRIVATE INFORMATION SHARING 25 the public sector is making great strides towards building a professional relationship with the private sector by listening to their concerns and adopting those concerns in recently presented bills. The greater the trust that is developed, the effectiveness of the communication and information sharing between the public and private sector will become more comfortable and the flow of information will happen. (Givens & Busch, 2013) No one entity can ward off cyber threats alone. There needs to be a solid collaboration between the public-private sectors to promote awareness, educate and share information that is not only “relevant, timely, but actionable” (C-Span, 2014). The government is making every effort to address concerns that the private sector raises regarding information sharing that will better protect themselves and their customers. President Obama is pushing the government to come up with ways to better communicate cyber threats and so he “directed the Director of National Intelligence (DNI) to establish the Cyber Threat Intelligence Integration Center (CTIIC)” (The White House, n.d.). This center was created to coordinate efforts to better assess cyber threats, share information rapidly with other existing government cyber groups about current threats and those individuals that are involved. President Obama’s commitment to fight cybercrimes is backed up with $14 billion added to the new budget to protect networks, governments and others, in addition to critical infrastructures. Lisa Monaco, who is the assistant to the president for homeland security and counterterrorism, stated that the private sector can and should expect the public sector to respond quickly when they share cyber information. She specified that the public sector will: (Pellerin, 2015) -- Provide as much information as it can about the threat to help companies protect their networks and critical information;
-- Coordinate a quick and unified response from government experts, including those at the Department of Homeland Security and the FBI;
-- Look to determine who the actors are and hold them to account; and
-- Bring to bear, as government experts respond to attacks, all the available tools and draw on the full range of government resources to disrupt threats.

An excellent example of collaboration to fight cybercrimes is the Sony Pictures Entertainment attack. Within hours of the intrusion, Sony contacted the FBI and they were able to join forces during the investigation of the cyber incident (Federal Bureau of Investigation, 2014). Because of Sony’s rapid reporting of the attack, the FBI was able to use its resources to identify who was behind the attacks. The public sector is committed to working with the private sector and will continue to do so in a way that will protect the civil and privacy rights of all involved.

Another example of the effort the government is making to improve information sharing is an “online collaboration called Project Interoperability” (Paul, 2014). This is a platform that will enable both the government and the private sector to not only share information but to work together to develop techniques and standards to fight cybercrime. The project’s website states that “information interoperability is the ability to transfer and use information in a consistent, efficient way across multiple organizations and IT systems” (United States Government, n.d.). This web-based tool is meant to develop a system of communication between the public-private sectors so that no matter what level or role in the organization you have, you will be able to utilize this website. The ability to share information with individuals who speak the same language and have the same understanding of the struggles about safeguarding a system is exactly the type of collaboration that is needed.
Public-Private Sectors Collaboration

For public-private collaboration to work, both sectors need to be on the same page and speak the same language when sharing information. Structured Threat Information Expression (STIX), Cyber Observable eXpression (CybOX), and Trusted Automated eXchange of Indicator Information (TAXII) are three tools that will aid both the public and private sector to focus on the collection and distribution of cyber threats between the two sectors. These tools are constantly evolving as more members join to exchange cyber threat information. No tool is perfect at its initial roll out and these three tools are no different. They will continue to improve as both public and private sectors communicate and better define protocols, concepts and specifics that are needed to combat cyber threats.

STIX uses a standardized XML-based language to send data regarding cyber threats. The MITRE Corp. and The Department of Homeland Security collaborated in developing this tool to address issues like interoperability, threat indicators and mitigation efforts. The main objective of this language was to make it flexible, automatable, extensible and easy-to-read by everyone. Information that can be shared using this platform includes (Barnum, 2014):

• Cyber observables
• Indicators
• Incidents
• Adversary Tactics, Techniques, and Procedures
• Exploit Targets
• Courses of Action
• Cyber Attack Campaigns
• Cyber Threat Actors
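To make the idea of a machine-readable indicator concrete, the sketch below parses a small STIX package whose indicators wrap CybOX observables and matches them against log lines. It is an added example, not code from this paper or from MITRE: the package is a constructed, simplified STIX 1.x-style document that has not been validated against the official schemas, and the log format and function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs used by STIX 1.x and CybOX 2.x XML documents.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}

# Constructed sample package: documentation-range address, reserved example domain.
SAMPLE_PACKAGE = b"""<stix:STIX_Package id="example:Package-1" version="1.1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1">
  <stix:Indicators>
    <stix:Indicator id="example:Indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Suspicious outbound address (constructed)</indicator:Title>
      <indicator:Observable id="example:Observable-1"><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value condition="Equals">198.51.100.7</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:Indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Suspicious domain (constructed)</indicator:Title>
      <indicator:Observable id="example:Observable-2"><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
          <DomainNameObj:Value condition="Equals">CDN.bad.example</DomainNameObj:Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed proxy log lines in a hypothetical key=value format.
SAMPLE_LOG = [
    "2015-04-02T10:15:01Z ALLOW src=10.0.0.12 dst=198.51.100.7 host=-",
    "2015-04-02T10:15:09Z ALLOW src=10.0.0.31 dst=203.0.113.50 host=updates.example.org",
    "2015-04-02T10:16:44Z ALLOW src=10.0.0.12 dst=192.0.2.80 host=cdn.bad.example",
]

def parse_package(xml_bytes):
    """Return [(indicator_id, title, kind, value)] from a STIX 1.x-style package."""
    # A package received from a sharing partner is untrusted input: refuse
    # DTD and entity declarations so entity expansion never reaches the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_bytes)
    found = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for props in ind.iterfind(".//cybox:Properties", NS):
            addr = props.findtext("AddressObj:Address_Value", namespaces=NS)
            dom = props.findtext("DomainNameObj:Value", namespaces=NS)
            if addr:
                found.append((ind.get("id"), title, "ipv4", addr.strip()))
            if dom:  # domain names compare case-insensitively
                found.append((ind.get("id"), title, "domain", dom.strip().lower()))
    return found

def match_log(indicators, log_lines):
    """Return [(log_line, indicator_id)] for lines whose dst or host hits an indicator."""
    by_value = {(kind, value): ind_id for ind_id, _title, kind, value in indicators}
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        keys = [("ipv4", fields.get("dst", "")), ("domain", fields.get("host", "").lower())]
        hits += [(line, by_value[k]) for k in keys if k in by_value]
    return hits
```

Running `match_log(parse_package(SAMPLE_PACKAGE), SAMPLE_LOG)` flags the first and third log lines, each tagged with the indicator id that the receiving organization can trace back to the shared package.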
Figure 2: A high level representation of how STIX works (Connolly, Davidson, Richard, & Skorupka, 2012)

STIX is the language used to communicate information, and cyber observables are represented in the Cyber Observable eXpression (CybOX) language. CybOX provides a tool for “addressing cyber observables across and among this full range of use cases improving consistency, efficiency, interoperability, and overall situational awareness” (Corporation, 2015).

Trusted Automated eXchange of Indicator Information (TAXII) is the means by which both STIX and CybOX information is transported. Establishing a mechanism by which all parties can share information is ineffective if there is not a secure way to transport that information. Without a secure means of transporting data, organizations will limit the type of information shared. TAXII is an exchange that allows the transportation of cyber threat information. Information on detection, prevention and mitigation efforts can all be sent in a secure way. With the ability to encrypt, authenticate, alert and query between systems, TAXII enables organizations to not only leverage agreed standards
to “enable the sharing of actionable indicators” (Connolly, Davidson, Richard, & Skorupka, 2012) but also enables timely and secure sharing of threat information.

Figure 3: A high level vision of how TAXII works (Connolly et al., 2012)

It is nearly impossible for humans to manually digest large volumes of data in a timely manner and act on it. When it comes to minimizing damages and recovery time from cyberattacks, time-sensitive action is necessary. Timely transfer of information can also reduce confusion and allow the public-private sectors to better predict and anticipate future events. These tools allow for proper communication and actionable information to be shared in a timely manner.

Private Sector Contribution

Information sharing between the public and private sectors is important enough that both individuals and companies are collaborating to produce methods to share data securely. They believe in their methods so much that they have applied for, and are awaiting or have been granted, United States patent protection.

In November 2014, the United States Patent and Trademark Office (USPTO) held an information session to discuss the efforts of both the public and private sector to combat cybercrimes. TC2400 is the
technology center where patent applications in the field of information security are examined. Subject matters related to data and user protection, security policies, access control, monitoring, and countermeasures are the area of concentration for TC2400. The USPTO is enthusiastic about examining cybersecurity patents and is aware that its examiners, currently numbering 200 who are dedicated to this technology, need further training in order to better understand the specific nature of best standards and emerging technology. Currently the average time from initial filing to first action by an examiner is about 16 months; granting patent protection could take about three years. With the speed at which technology changes and cyber threats increase, there is a need for the USPTO to somehow accelerate the process.

There are organizations that are taking the initiative to develop methods and standards to better protect themselves. The top 5 companies filing patent applications in the field of information security are: IBM (173 patents), Symantec (103 patents), Google (71 patents), Microsoft (67 patents) and Samsung (64 patents) (United States Patent and Trademark Office, 2014).

Large corporations are not the only organizations that are developing improved responses to cyber threats. Swan Island Networks, Inc., a company based out of Portland, OR, provides business intelligence solutions. They started out as a software engineering lab working with the U.S. government and in 2009 took their R&D to the private sector. The Trusted Information Exchange Service (TIES) was launched and currently “help protect more than 250 large enterprises and 20% of Fortune 100 companies every day” (Swan Island Networks, 2015). Being the innovators that they are, they filed a patent application in April 2013 for “Human-Authorized Trust Service”, patent application number 20130312115 (Jennings & Jones).
The claims of this patent application define methods that allow trusted access to data between two
parties. This application is currently in the review process and has not yet been granted exclusive rights and protection.

Another private sector company, Norse Corporation, a leader in live attack intelligence based out of Mateo, CA, also filed a patent application (patent application number: 61508493) in July 2012. Their patent claims define systems and methods for “gathering, classifying, and evaluating real time security intelligence data concerning security threats presented by an IP address, and reporting in real time the degree and character of such security threats” (USPTO, 2012). Their application is currently in the review process and has not yet been granted exclusive rights and protection.

The USPTO embraces the role the private sector is playing in cybersecurity. Their goal is to work diligently to approve innovative products and services as quickly and efficiently as possible.

Conclusion

With the ever growing and real threats cybersecurity poses, the need to mitigate cyber risks is crucial. There is no easy solution to the cybersecurity challenge of information sharing. There is no foolproof protection against cyberattacks, and navigating through best practices and standards starts with information sharing.

President Obama, early in his first term, made cybersecurity a priority. The President is constantly making noise about cybersecurity and how the public-private sector must work together to come up with a mutually agreed upon method for information sharing. The public sector is working to improve by introducing new legislation and updating previous ones to address concerns from both sectors. They are committed to pulling together all their resources to coordinate responses to breaches in a united, timely manner. In addition, they will work to break through the barrier that is preventing timely, actionable
information sharing by providing quantifiable information regarding a cyber-threat or cyberattack that will help the private sector to better protect their systems and other critical information.

The threats in the cyber domain can get complicated, but through coordinated efforts from both the public and private sector, preemptive measures can be taken to mitigate cyberattacks, remembering that this is a two-way street. If the public sector is willing to share information then the private sector must reciprocate in kind with the same quantifiable information. The private sector needs to remember that information on cyber threats covers a limited, technical type of information, and should not let fear prevent them from open communication with the many government agencies.

The challenge here is to have some kind of protection against breaches, the sharing of privileged information and liability concerns so that there will be open communication between the public-private sector in order to solve and prevent cyber issues. The private sector made their concerns known and the public sector has responded by approving legislation such as The Cybersecurity Information Sharing Act of 2013 (CISA).

President Obama’s executive directive has made it very clear that his administration is putting cybersecurity at the top of their priority list. The private sector needs to do the same and learn from the lack of communication that caused the many data breaches of 2014. The consequences of not making cybersecurity a top priority within the organization include not only data theft but also reputation loss and loss of customers, not to mention the cost involved due to a cyberattack. Given the sophisticated nature of some of the cyberattacks, a disaster is in the making if cybersecurity is not made a priority.
Cultural changes will need to be made within the private sector because although cybersecurity is technical in nature, the way cybersecurity is
managed is human. Changing the mindset of the private sector starts at the executive level of an organization in order to effectively combat cyber-threats in a timely fashion.

As President Obama’s presidential term is coming to an end, his cybersecurity initiative needs to continue with the next administration. It should not matter whether the next president is Democratic or Republican because cyberattacks do not care what party you represent. We need to do more to strengthen security in the cyber domain so that we can create a better world for our children. There is always going to be a need to reiterate that open communication and information sharing between the public-private sectors will be an ongoing challenge. Collaboration is the key to unite in the fight against cybercrimes and the public-private sector must jump in with both feet to educate each other so that every action to mitigate a cyber-threat will be timely, significant and actionable.
References

Barnum, S. (2014, February 20). Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE Corporation, v1.1, Rev. 1. Retrieved from http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.1.pdf

Brill, J. (2014, November 6). What's past is prologue: FTC's competition and consumer protection priorities. Presenter at the ABA Fall Forum Keynote Address. Retrieved from https://www.ftc.gov/es/system/files/documents/public_statements/597211/141106abafallforum-2.pdf

C-Span. (2014, August 22). Cybersecurity challenges. Retrieved from http://www.c-span.org/video/?321116-7/discussion-cybersecurity-threats

Carton, B. (2014, May 29). ISS recommends ouster of seven Target directors for data breach failures. Retrieved from http://https://www.complianceweek.com/blogs/enforcement-action/iss-recommends-ouster-of-seven-target-directors-for-data-breach-failures#.VUBi_iFVhBc

Cichonski, Millar, Grance, & Scarfone. (2012, August). National Institute of Standards and Technology (U.S.), Special Publication 800-61 (SP 800-61, rev. 2). Computer security incident handling guide: Recommendations of the National Institute of Standards and Technology. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.

Clarke, R., & Olcott, J. (2014, March). The board's role in cybersecurity. Retrieved from http://www.kispertgroup.com/wp-content/uploads/2014/06/Good_Harbor_Directors_Note_Cyber.pdf
Committee, I. (2015, March 18). Senate Intelligence Committee introduces cybersecurity bill, addresses privacy concerns. Retrieved from http://www.intelligence.senate.gov/press/record.cfm?id=358715

Committee, U. S. (2015, March 12). Sen. Carper statement on the cybersecurity information sharing act (CISA). Retrieved from http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa

Congress, 1. (2015, February 2). H.R.234 - Cyber Intelligence Sharing and Protection Act. Retrieved from http://https://www.congress.gov/bill/114th-congress/house-bill/234?q=%7B%22search%22%3A%5B%22cyber+intelligence%22%5D%7D

Congress, 1. (2015, April 22). H.R.1560 - Protecting cyber networks act. Retrieved from http://https://www.congress.gov/bill/114th-congress/house-bill/1560?q=%7B%22search%22%3A%5B%22The+Protecting+Cyber+Networks+Act%22%5D%7D

Congress, 1. (2015, April 23). H.R.1731 - National cybersecurity protection advancement act of 2015. Retrieved from http://https://www.congress.gov/bill/114th-congress/house-bill/1731?q=%7B%22search%22%3A%5B%22cybersecurity%22%5D%7D

Connolly, J., Davidson, M., Richard, M., & Skorupka, C. (2012, November 8). The trusted automated eXchange of indicator information (TAXII). Retrieved from http://taxii.mitre.org/about/documents/Introduction_to_TAXII_White_Paper_November_2012.pdf

Corporation, MITRE. (2015, April 14). CybOX, v2.1. Retrieved from http://cybox.mitre.org/

Denning, P. J., & Denning, D. E. (2010). Discussing cyber attack. Communications of the ACM, 53(9), 29-31.
Federal Bureau of Investigation. (2014, December 29). Update on Sony Investigation. Retrieved from http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation

Federal Trade Commission. (2012, June 26). FTC files complaint against Wyndham hotels for failure to protect consumers' personal information. Retrieved from http://https://www.ftc.gov/news-events/press-releases/2012/06/ftc-files-complaint-against-wyndham-hotels-failure-protect

Fernandez Vazquez, D., Pastor Acosta, O., Brown, S., Reid, E., & Spirito, C. (2012, June). Conceptual framework for cyber defense information sharing within trust relationships. In Cyber Conflict (CYCON), 2012 4th International Conference on (pp. 1-17). IEEE.

Germano, J. H. (2014, October). Cybersecurity partnerships: A new era of public-private collaboration. Retrieved from http://www.lawandsecurity.org/Portals/0/Documents/Cybersecurity.Partnerships.pdf

Givens, A. D., & Busch, N. E. (2013). Information sharing and public-private partnerships: The impact on homeland security. Retrieved from http://www.austengivens.com/wp-content/uploads/2013/05/Givens-and-Busch_Information-Sharing-and-Public-Private-Partnerships.pdf

Givens, A. D., & Busch, N. E. (2013). Realizing the promise of public-private partnerships in US critical infrastructure protection. International Journal of Critical Infrastructure Protection, 6(1), 39-50.

Hearing before the Committee on Armed Services, House of Representatives, 12th Congress (March 16, 2011). National defense authorization act for fiscal year 2012: (H.A.S.C. No. 112-26). (statement of General Keith B. Alexander, US Cyber Command). Retrieved from http://fas.org/irp/congress/2011_hr/cybercom.pdf
Jennings, C., & Jones, D. M. (2013, November 21). Publication 20130312115 - Human-authorized trust service. Retrieved from http://www.ptodirect.com/Results/Publications?p=1&r=34&query=%40PD%3E%3D20131119%3C%3D20131125

John, P. (2014, March 18). Target breach lesson: PCI compliance isn't enough. Retrieved from http://www.technewsworld.com/story/80160.html

Kissel, R. (2013, May). National Institute of Standards and Technology (U.S.) (NISTIR 7298, rev. 2). Glossary of key information security terms.

Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445 billion annually. Retrieved from http://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html

National Institute of Standards and Technology. (2014, February 12). Framework for improving critical infrastructure cybersecurity. Retrieved from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

Navare, J., & Gemikonakli, O. (2010, September). Governance and risk management of network and information security: the role of public private partnerships in managing the existing and emerging risks. Paper presented at the Global Security, Safety, and Sustainability – 6th International Conference, ICGS3, Braga, Portugal. Retrieved from https://www.researchgate.net/publication/221193068_Governance_and_Risk_Management_of_Network_and_Information_Security_The_Role_of_Public_Private_Partnerships_in_Managing_the_Existing_and_Emerging_Risks
Norton, S. (2014, September 30). Former NSA director: Better information sharing needed on cybersecurity. Retrieved from http://blogs.wsj.com/cio/2014/09/30/former-nsa-director-better-information-sharing-needed-on-cybersecurity/

Pager, T. (2015, March 19). Private sector remains wary of government efforts to increase cybersecurity collaboration. Retrieved from http://nationalsecurityzone.org/site/private-sector-remains-wary-of-government-efforts-to-increase-cybersecurity-collaboration/

Paul, K. (2014, March 24). Fork it, grab it, use it: Announcing project interoperability. Retrieved from http://www.ise.gov/blog/kshemendra-paul/fork-it-grab-it-use-it-announcing-project-interoperability

Pellerin, C. (2015, February 11). New threat center to integrate cyber intelligence. Retrieved from http://www.defense.gov/news/newsarticle.aspx?id=128164

Ponemon Institute LLC. (2014, May). 2014 cost of data breach study: United States. Retrieved from http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=GTSE_SE_SE_USEN&htmlfid=SEL03017USEN&attachment=SEL03017USEN.PDF#loaded

Ponemon Institute LLC. (2014, October). 2014 Global report on the cost of cyber crime. Retrieved from http://https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf

Prieto, D. (2006). Information sharing with the private sector. Seeds of disaster, roots of response: how private action can reduce public vulnerability. https://scholar.google.com/citations?view_op=view_citation&continue=/scholar%3Fq%3Dprieto%26hl%3Den%26as_sdt%3D0,16%26scilib%3D1&citilm=1&citation_for_view=ZLNwTTgAAAAJ:2osOgNQ5qMEC&hl=en&oi=p

Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed alarms and 40 million stolen credit card numbers: How target blew it. Retrieved from
http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Rockefeller, J. D., Menendez, R., Whitehouse, S., Warner, M., & Blumenthal, R. (2011, May 11). Letter to Ms. Mary Schapiro, Chairman U.S. Security and Exchange Commission. Retrieved from http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=4ceb6c11-b613-4e21-92c7-a8e1dd5a707e

Rosenbush, S. (2014, June 20). Former NSA Chief Mike McConnell says culture, not tech, is key to cyber defense. Retrieved from http://blogs.wsj.com/cio/2014/06/20/former-nsa-chief-mike-mcconnell-says-culture-not-tech-is-key-to-cyber-defense/

SIFMA. (2014, October 20). Principles for effective cybersecurity regulatory guidance. Retrieved from http://www.sifma.org/issues/item.aspx?id=8589951691

Swan Island Networks. (2015). About Swan Island Networks, Inc. doi:swanisland.net/company

Symantec. (2015, April). Internet security threat report. V20. Retrieved from http://https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf

U.S. (2014, November 3). Partners in cybercrime prevention. Retrieved from http://www.nationaljournal.com/library/198396

United States Department of Justice. (n.d.). What is FOIA? Retrieved from http://www.foia.gov/index.html

United States Government. (n.d.). Project Interoperability. project-interoperability.github.io/

United States Patent and Trademark Office. (2014, November 14). Cybersecurity partnership. Retrieved from http://www.uspto.gov/about/contacts/phone_directory/pat_tech/nov2014-cybersecurity-partnership-presentation.pdf
United States Senate Committee. (2015, March 12). Sen. Carper statement on the cybersecurity information sharing act (CISA). Retrieved from http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa

USPTO. (2012, July 16). Norse Corporation Patent Appl. No.: 13/550,354. Retrieved from http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=3&f=G&l=50&co1=AND&d=PTXT&s1=cybersecurity&s2=google&OS=cybersecurity+AND+google&RS=cybersecurity+AND+google

White House. (n.d.). The comprehensive national cybersecurity initiative. Retrieved from http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative

The White House. (2015, February 25). Fact sheet: Cyber threat intelligence integration center. Retrieved from http://https://www.whitehouse.gov/the-press-office/2015/02/25/fact-sheet-cyber-threat-intelligence-integration-center