How Security Laws Inhibit Information Sharing
Although international companies would like to cooperate in information sharing, many are hampered by conflicting laws in the regions where they are located.
Large, multinational corporations receive sizable amounts of threat data, but the mosaic of data and privacy protection laws within and across the regions they operate in impedes threat intelligence sharing — even internally — in a timely fashion.
European Union members have stringent data privacy laws, but there is no consistency. Each has its own laws that sometimes slow, if not prevent, information flow. They can even hinder cyber-security.
In contrast to the European Union, South America’s data privacy laws are quickly gaining ground. Chile has perhaps the most rigorous laws affecting information sharing.
The challenges posed by inconsistent data privacy laws within the European Union dog even experienced leaders working across national lines and create compliance and operational obstacles to ISAOs.
Countries sometimes limit connectivity protocols so that their security services have easier access to information. These limitations would certainly deter information-sharing into, out of and within countries that have them.
The number of attacks originating from Russia and China and the nature of their security services indicate that they impose connectivity protocol limitations.
After the November 2015 terrorist attacks in Paris, there have been calls to limit encryption in the United States and other Western nations.
“In the end, ISAOs desiring multinational members or information-sharing will need to be vigilant in determining whether the applicable encryption and protocol laws allow for sufficiently protected information flow,” says the report.
Multinationals could develop internal compliance programs, but that seems unlikely in the long run because compliance costs are high and there is a great need for expertise.
Third-party vendors could provide compliance services to companies and ISAOs, a likely market solution given that they already have expertise and can spread the cost among many clients.
Aggregators could establish their own in-house compliance programs and distribute information to individual or ISAO subscribers.
Organizations could form international ISAOs. Given the compliance costs, market efficiencies would likely keep the number of these small and their memberships large. Governments are collaborating through Computer Emergency Readiness Teams (CERTs), but they are not sufficient