How Security Laws Inhibit Information Sharing
Although international companies would like to cooperate with information sharing, many are hampered by conflicting laws in the regions where they are located.
Data Privacy Laws
Large, multinational corporations receive sizable amounts of threat data, but the mosaic of data and privacy protection laws within and across the regions they operate in impedes timely threat intelligence sharing, even internally.
The European Union
European Union members have stringent data privacy laws, but there is no consistency. Each has its own laws that sometimes slow, if not prevent, information flow. They can even hinder cyber-security.
South America
In contrast to the European Union, South America's data privacy laws are quickly gaining ground. Chile has perhaps the most rigorous laws affecting information sharing.
Challenges Impede Compliance With ISAOs
The challenges posed by inconsistent data privacy laws within the European Union dog even experienced leaders working across national lines and create compliance and operational obstacles to ISAOs.
National Security Laws
Countries sometimes limit connectivity protocols so that their security services have easier access to information. These limitations would certainly deter information-sharing into, out of and within countries that have them.
Russia and China
The number of attacks originating from Russia and China and the nature of their security services indicate that they impose connectivity protocol limitations.
Aftermath of Terrorist Attacks
After the November 2015 terrorist attacks in Paris, there have been calls to limit encryption in the United States and other Western nations.
Call for Vigilance of ISAO Members
"In the end, ISAOs desiring multinational members or information-sharing will need to be vigilant in determining whether the applicable encryption and protocol laws allow for sufficiently protected information flow," says the report.
Potential Solutions
Multinationals could develop internal compliance programs, but that seems unlikely in the long run because compliance costs are high and there is a great need for expertise.
Compliance Services
Third-party vendors could provide compliance services to companies and ISAOs, a likely market solution given that they already have expertise and can spread the cost among many clients.
Aggregators
Aggregators could establish their own in-house compliance programs and distribute information to individual or ISAO subscribers.
International ISAOs
Organizations could form international ISAOs. Given the compliance costs, market efficiencies would likely keep the number of these small and memberships large. Governments are collaborating through Computer Emergency Readiness Teams (CERTs), but they are not sufficient.
A new report finds that although there is a need for actionable threat intelligence and information-sharing worldwide, significant obstacles exist because of data privacy and protection and national security laws. The result is a chilling effect on cross-border cooperation that must be addressed. In that spirit, the report, "Information Sharing and Analysis Organizations: Putting Theory into Practice," by PricewaterhouseCoopers, analyzes global legal hurdles to information-sharing and offers potential solutions. "Information-sharing will not achieve its potential if government agencies, companies and other stakeholders sit back and wait to see what happens," said PwC's David Burg, Global and U.S. Cyber Security Leader. That can happen if government agencies declassify as much cyber-threat information as possible and share it with the private sector, if the private sector seeks ways to share its knowledge and commits the time and resources to do so, and if stakeholders help Information Sharing and Analysis Organizations (ISAOs) fulfill their mandate to offer the best ways to act on the Cyber Security Act of 2015. Here are highlights of the section of the report titled Sharing Threat Intelligence Across Borders.