The nine most terrifying words in the English language are: “I’m from the government and I’m here to help.”
President Ronald Reagan
One of the many shopworn bromides President Reagan was fond of uttering was the classic put-down that captured the essence of concern about the intrusiveness and effectiveness of big government—“I’m from the government and I’m here to help.” Pause, Ba Dum CH. The line played off a longstanding joke about the government, and it worked because, like most good stories, it was rooted in a commonly shared belief about government. In fact, the United States was founded on the premise that the federal government must be subservient to the people. The founders had a shared experience with tyranny, and wanted to be sure the Constitution they wrote limited the federal government’s ability to recreate that experience. Notably, Patrick Henry warned: “The Constitution is not an instrument for the government to restrain the people, it is an instrument for the people to restrain the government…” Now that premise is being tested in the cybersecurity arena.
An article in the Wall Street Journal teed up the issue by posing the question: “Should Companies Be Required to Share Information About Cyberattacks?” Those who favor making disclosure mandatory argue that sharing information about cyberattacks will help protect others from being attacked. But it can also complicate the process of trying to keep systems secure, and injure the companies’ reputations in the meantime. Conversely, allowing breached companies to work on solutions in secret may fix problems quickly and prevent reputational harm. But keeping attacks secret may also increase the danger for others. At the moment, there exists a hodgepodge of state requirements for disclosure, and a murky federal approach that includes SEC requirements for disclosure of material risks and intrusions to investors, as well as encouragement of voluntary sharing of cyberattack information.
Denise Zheng, deputy director and senior fellow in the Strategic Technologies Program at the Center for Strategic and International Studies, is a proponent of mandatory sharing. She argues that “the benefits to society by requiring reporting would outweigh the costs to the individual companies. Requiring not only cyber incidents to be reported but the tactics and techniques used by hackers would create greater transparency, allowing businesses, policy makers and consumers to make more informed decisions about how to manage cyberrisk. It would enable decision makers in companies and government to assess risk as well as progress.”
Taking the opposing view, Andrea Castillo, program manager in the Technology Policy Program at George Mason University’s Mercatus Center, says, “There is much that can be done to improve U.S. cybersecurity without requiring companies to report cyberattacks. The government should first focus on correcting policy missteps from the past. It should promote the use of strong encryption and reform counterproductive laws like the Computer Fraud and Abuse Act that chill security research. Requiring organizations to share information with hack-prone federal agencies under threat of penalty will only add to the current contradictory mess of policies.”
It seems clear to me that disclosure of attacks of some magnitude has to be encouraged and even required. The data clearly has value, and we really are collectively locked into a struggle whose broad implications transcend the concerns of individual companies and impose consequences for the economy, public safety, and national security. The trick is to find a way to require disclosure while ensuring the government is both necessarily aided and legitimately constrained.
By Tom Davis, SDI Cyber Risk Practice
May 24, 2016