Legislation to Facilitate Cybersecurity
Information Sharing: Economic Analysis

N. Eric Weiss
Specialist in Financial Economics
February 23, 2015
Congressional Research Service
7-5700
www.crs.gov
R43821


Summary
Data breaches, such as those at Target, Home Depot, Neiman Marcus, JPMorgan Chase, and
Anthem, have affected financial records of tens of millions of households and seem to occur
regularly. Companies typically respond by trying to increase their cybersecurity, hiring
consultants, and purchasing new hardware and software. Policy analysts have suggested that
sharing information about these breaches could be an effective and inexpensive part of improving
cybersecurity. Firms share information directly on an ad hoc basis and through private-sector,
nonprofit organizations such as Information Sharing and Analysis Centers (ISACs) that can
analyze and disseminate information.
Firms sometimes do not share information because of perceived legal risks, such as violating
privacy or antitrust laws, and economic incentives, such as giving information that will benefit
their competitors. A firm that has been attacked might prefer to keep such information private out
of a worry that its sales or stock price will fall. Further, there are no existing mechanisms to
reward firms for sharing information. Their competitors can take advantage of the information,
but not contribute in turn. This lack of reciprocity, called “free riding” by economists, may
discourage firms from sharing. Information that is shared may not be applicable to those
receiving it, or it might be difficult to apply.
Because firms are reluctant to share information, other firms suffer from vulnerabilities that could
be corrected. Further, by not sharing information about effective cybersecurity products and
techniques, the size and quality of the market for cybersecurity products suffer.
Some industry leaders call for mandatory sharing of information concerning attacks. Other
experts advocate a strictly voluntary approach, because they believe it could impose fewer
regulatory costs on businesses and cost less for taxpayers.
Several bills introduced in the 113th Congress would have encouraged information sharing. H.R.
624, the Cyber Intelligence Sharing and Protection Act (CISPA), and S. 2588, the Cybersecurity
Information Sharing Act (CISA) of 2014, sought to increase information sharing by directing the
Department of Homeland Security and the Department of Justice to develop procedures for
receiving and sharing information and by providing liability protection for private entities acting
in good faith for a cybersecurity purpose. H.R. 624 passed the House, and S. 2588 was reported
out of the Senate Select Committee on Intelligence.
Supporters of these two bills argued that they would make cyberspace more secure by increasing
the amount and impact of information shared without significantly increasing costs to businesses
or taxpayers. The bills would have resolved certain legal issues pertaining to sharing information
but did not address the question of why a company would find it in its interest to help a
competitor. Opponents of the bills argued that they would have made it legal for companies to
retaliate against cyberattacks—which could hurt innocent third parties—and raised privacy
concerns by allowing firms to share personally identifiable information with government agencies
and other companies.
H.R. 624 and S. 2588 might have increased the likelihood of informal information sharing
networks developing. Although informal networks might lack the technical capabilities of an
ISAC, they could be more flexible and discourage free-riding by cutting “takers” out of the
network, which would alter the competitive incentives in favor of more information sharing. A
third bill, S. 2727, the Cyber Information Sharing Tax Credit Act, might have increased
information sharing by providing a 100% tax credit for the costs of joining ISACs. No hearings
were held on S. 2727.
This report analyzes the incentives for companies to share information about cybersecurity
breaches with other companies and the federal government.

Contents
Introduction
A Cybersecurity Problem: Misaligned Incentives
The Problem of Underused Information
Perceived Legal Barriers to Information Sharing
    Economic Incentives to Not Share Information
    Analysis of Firms’ Incentives to Share
        New Threats
        Developing and Sharing Countermeasures
        So Why Do Some Firms Share Information?
        Role of Consultants and Insurance Companies in Information Sharing
How Can Organizations Share Information?
    Categories of Information
    Methods of Information Sharing
    Public and Private Sector Information Sharing
        ISACs
    Mandatory, Voluntary, and Incentivized Sharing
Consequences of Inadequate Information Sharing
    Direct Effects on Security
    Indirect Security Effects through the Market for Cybersecurity Products
Effects of Greater Information Sharing
Selected Legislation in the 113th Congress to Encourage Information Sharing
    H.R. 624: The Cyber Intelligence Sharing and Protection Act
        Analysis
    S. 2588: The Cybersecurity Information Sharing Act
        Analysis
    S. 2717: The Cyber Information Sharing Tax Credit Act
        Analysis
    Other Legislation
Conclusion: How Might Incentives Change?

Figures
Figure 1. Financial Services ISAC Membership Tiers
Figure 2. Financial Services ISAC Membership Tiers (Continued)

Contacts
Author Contact Information
Acknowledgments

Introduction
Cybercrime continues to increase. The media reports data breaches exposing tens of millions of
personal financial records at retailers such as Target, Home Depot, and TJ Maxx. The Ponemon
Institute, an independent research institute, estimates that in 2013 the number of attacks on 59
companies based in the United States increased over that of 2012 and the average cost per attack
also increased.1 The Ponemon study found the average cost of a cybercrime incident in FY2014
was $12.7 million compared with $11.6 million in FY2013.
The Center for Strategic and International Studies estimates that cybercrime costs the global
economy about $445 billion in a typical year.2 The risks to critical infrastructure and national
security from cyberattacks are harder to quantify, but the Bipartisan Policy Center recently
concluded that the United States has a “September 10th ability to guard against cyberattacks.”3
President Obama and some Members of Congress have identified increasing cybersecurity as a
priority.4
It would seem that companies could increase their cybersecurity at relatively little cost by sharing
information about cyberattacks. The costs of a data breach can include detection, containment,
repair, incident response, investigation, fraud losses, and lost sales. The cost of sharing
information, including joining a specialized sharing organization, is likely to be less than
$100,000.5
One obstacle to reducing cybercrime is misaligned incentives, which reduce information sharing
about cyberattacks. In the aftermath of a cyberattack, at least four groups could be notified: law
enforcement, other companies, customers, and (for public companies) stockholders. In addition,
certain regulated companies, such as banks and electrical utilities, could be required to notify
their regulators of cyberattacks.
If companies notify law enforcement—typically either the Federal Bureau of Investigation (FBI)
or the Secret Service—they do so in the hope that those responsible will be brought to justice and
that some sort of recovery can be made. They notify other companies in the hope that greater
information sharing will improve security. Customers are notified so that they can monitor their
financial information to prevent financial fraud. The Securities and Exchange Commission (SEC)

1 Ponemon Institute, 2014 Cost of Cyber Crime Study: United States, October 2014, https://ssl.www8.hp.com/ww/en/
secure/pdf/4aa5-5208enw.pdf. The Ponemon report looks at the average cost of cybercrime per incident for 59
companies, not the total cost in the United States.
2 McAfee and the Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime,
June 2014, http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf.
3 Bipartisan Policy Center, Reflections on the Tenth Anniversary of the 9/11 Commission Report, Washington, DC, July
2014, p. 7, http://bipartisanpolicy.org/sites/default/files/files/%20BPC%209-11%20Commission.pdf. The reference to
September 10th is a comparison to the relative lack of airplane security that existed prior to the September 11, 2001
attacks on the World Trade Centers and the Pentagon.
4 See, for example, U.S. Senate Committee on Homeland Security and Governmental Affairs, “Senator Carper
Introduces Bill to Increase Sharing of Cyber Threat Data,” press release, February 11, 2015,
http://www.hsgac.senate.gov/media/minority-media/senator-carper-introduces-bill-to-increase-sharing-of-cyber-threat-
data.
5 Financial Services ISAC, Membership Benefits, https://www.fsisac.com/join.

requires publicly traded companies to announce information that could affect investors’ decisions
to invest in a company.
This report analyzes information sharing by government with private companies, by private
companies with the government, and among private companies. Sharing information with
consumers is mentioned but is not the central focus of this report.
A Cybersecurity Problem: Misaligned Incentives
Understanding the economic incentives involved in cybersecurity and information sharing can
improve the analysis of cybersecurity.
Companies that suffer a cybersecurity breach such as the theft of credit card information do not
pay the full cost of the breach. Retailers honoring stolen credit cards have charges reversed (so-
called chargebacks) and end up without merchandise or payment. Credit card issuers say that they
are not fully compensated for replacing stolen cards.6 Consumers must monitor their financial
accounts and update automated bill payment accounts to guard against cyberattacks.7
Meanwhile, software companies frequently weigh the benefits of delays to improve security
against the costs of late releases.8 According to some industry observers, software developers can
be under pressure to “ship early, ship often” and fix security and other bugs in a later iteration.9
Similarly, companies may act in ways that they believe will preserve or increase their market
share or profitability even at the expense of cybersecurity.
The Problem of Underused Information
Many in the cybersecurity field have suggested increasing cybersecurity information sharing
between individuals, companies, non-governmental organizations, and governments as a way to
increase security.
Many kinds of information can be shared to improve cybersecurity. This can include sharing ways
to detect specific attacks and more general information about hardware, software, and procedures.
It can include specific and general information about recovering from a data breach. The cost of
sharing is relatively small, but the benefits can be large. Michael Daniel, the White House
cybersecurity coordinator, described information sharing as “critical to effective cybersecurity,”
and legislation was introduced in the 112th and 113th Congresses to promote information sharing.10

6 Nicholas Ballasy, “Home Depot Breach Costs CUs $60 M,” Credit Union Times, October 30, 2014,
http://www.cutimes.com/2014/10/30/home-depot-breach-costs-cus-60m.
7 Tyler Moore and Ross Anderson, Economics and Internet Security: a Survey of Recent Analytical, Empirical, and
Behavioral Research, Computer Science Group, Harvard University, 2011, p. 1,
ftp://ftp.deas.harvard.edu/techreports/tr-03-11.pdf.
8 Ross Anderson, “Why Information Security Is Hard—An Economic Perspective,” 17th Annual Computer Security
Applications Conference, December 10, 2001, http://www.cl.cam.ac.uk/~rja14/Papers/econ.pdf.
9 Andrew Leonard, “Triumph of the Free-Software Will,” Salon, October 31, 2000, http://www.salon.com/2000/10/31/
software_passion/.
10 For details, see CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current
(continued...)

One kind of information sharing occurs when organizations learn from third parties (such as law
enforcement) that information has been compromised.11 For example, the Secret Service
reportedly notified Target12 and Home Depot13 that their data systems had been breached.
Information sharing can also flow in the other direction: According to media reports, JPMorgan
discovered that it had cybersecurity problems and asked the FBI for assistance.14
Sharing information has benefits. If a firm reports a cyberattack, law enforcement can begin
searching for those responsible and possibly alert other organizations, which can review their
cybersecurity arrangements to prevent similar attacks.
In some cases, broader sharing of information would benefit the attacked firm; if it does not have
the resources for defense or other countermeasures, sharing information might allow another
entity, such as a security consultant or the software developer, to develop a countermeasure. But
sharing cybersecurity information with a competitor can give away security lessons that were
learned at great expense. Moreover, some may fear that publicly revealing a cyber breach can
scare customers away to competitors, leading to reduced revenue and possibly stock price
declines. In other words, the hacked company’s competitors might benefit from the information
or its revenue or stock price might decline.15
In 47 states and the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, companies
can be required to notify consumers if personally identifiable information (PII) is breached.16

(...continued)
Laws, and Proposed Legislation, by Eric A. Fischer.
11 Ellen Nakashima, “U.S. Notified 3,000 Companies in 2013 about Cyberattacks,” Washington Post, March 24, 2014,
http://www.washingtonpost.com/world/national-security/2014/03/24/74aff686-aed9-11e3-96dc-
d6ea14c099f9_story.html.
12 Matt Townsend, Lindsey Rupp, and Lauren Coleman-Lochner, “U.S. Secret Service Probes Card Security Breach at
Target,” Bloomberg, December 19, 2013, http://www.bloomberg.com/news/2013-12-19/u-s-secret-service-
investigating-card-security-breach-at-target.html.
13 Mark Hosenball and Nandita Bose, “UPDATE 3: Home Depot in Contact with Secret Service over Alleged Breach—
Source,” September 4, 2014, http://www.reuters.com/article/2014/09/04/usa-homedepot-dataprotection-
idUSL1N0R517720140904.
14 Michael Corkery, Jessica Silver-Greenberg, and David E. Sanger, “Obama Had Security Fears on JPMorgan Data
Breach,” New York Times, October 8, 2014, http://dealbook.nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-
alarms-at-white-house-and-on-wall-street/.
15 Academic research suggests that cybersecurity breaches depress stock prices. See, for example, Griselda Sinanaj and
Jan Muntermann, “Assessing Corporate Reputational Damage of Data Breaches: An Empirical Analysis,” 26th Bled
eConference, Bled, Slovenia, June 2013, https://domino.fov.uni-mb.si/proceedings.nsf/Proceedings/
820BFAD242085887C1257B8A002F0B02/$File/07_Sinanaj.pdf; and Edward A. Morse, Vasant Raval, and John R.
Wingender Jr., “Market Price Effects of Data Security Breaches,” Information Security Journal: A Global Perspective,
vol. 20, no. 6 (November 11, 2011), pp. 263-273. For a contrary view by reporters, see Sarah Halzack, “Home Depot
and JPMorgan Are Doing Fine. Is It a Sign We're Numb to Data Breaches?” Washington Post, October 6, 2012,
http://www.washingtonpost.com/news/get-there/wp/2014/10/06/home-depot-and-jpmorgan-are-doing-fine-is-it-a-sign-
were-numb-to-data-breaches/.
16 The definition of PII and the thresholds for consumer notification vary by state. For more information on state laws,
see CRS Report R42475, Data Security Breach Notification Laws, by Gina Stevens. PII is any information about an
individual maintained by an agency, including (1) any information that can be used to distinguish or trace an
individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or
biometric records; and (2) any other information that is linked or linkable to an individual, such as medical,
educational, financial, and employment information. For more on PII, see Erika McCallister, Tim Grance, and Karen
Scarfone, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): Recommendations of
(continued...)

Typically, consumers are notified of the breach, advised to monitor financial accounts closely, and
sometimes offered free credit monitoring or other assistance.17 Some, including the chief
information officer of the retailer Urban Outfitters, have argued that public disclosure can tip off
attackers or waste time if information is breached but not stolen.18
Industry participants and outside observers appear to generally agree that there is less than
optimal information sharing about attacks.19 Although the amount of harm caused by inadequate
information sharing is hard to measure, and increasing information sharing can be difficult, it has
at times increased security. By contrast, while the broad outline of the Target credit card hack20
had been widely discussed, Home Depot was the victim of a similar attack through a vendor
whose security had been compromised.21
Information sharing would appear to be a relatively inexpensive way for a group of companies to
improve their cybersecurity, but a review of recent data breaches shows that most of the details
about breaches are released by third party experts, not the firms involved. The next section
analyzes some of the reasons for this apparent reticence by firms.
Perceived Legal Barriers to Information Sharing
Firms and industry groups have expressed reluctance to share information in part because doing
so might violate privacy or antitrust laws.22 Another concern is exposing proprietary business
information.23
To help assuage these fears, the Department of Justice (DOJ) has provided guidance that it will
not consider generally accepted cybersecurity information sharing to be anticompetitive
behavior.24 Some cybersecurity experts, industry participants, and several Members of Congress

(...continued)
the National Institute of Standards and Technology,” U.S. Department of Commerce, National Institute of Standards
and Technology, April 2010, p. 2-1, http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf. See, also,
National Council of State Legislatures, “Security Breach Notification Laws,” September 3, 2014,
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
17 For example, see Home Depot’s recent data breach announcement. Home Depot, “The Home Depot Completes
Malware Elimination and Enhanced Encryption of Payment Data in All U.S. Stores: Provides Further Investigation
Details, Updates Outlook,” press release, September 18, 2014, https://corporate.homedepot.com/MediaCenter/
Documents/Press%20Release.pdf.
18 Danny Yadron, “Executives Rethink Merits of Going Public with Data Breaches,” Wall Street Journal, August 4,
2013, http://online.wsj.com/articles/a-contrarian-view-on-data-breaches-1407194237?mod=mktw.
19 Ray Suarez, “Examining Cyber Security with Homeland Security Secretary Janet Napolitano,” PBS NewsHour,
February 15, 2013, http://www.pbs.org/newshour/bb/science-jan-june13-cybersecurity_02-15/.
20 For more information about the Target data breach, see CRS Report R43496, The Target and Other Financial Data
Breaches: Frequently Asked Questions, by N. Eric Weiss and Rena S. Miller.
21 Jeffrey Roman, “Home Depot, Target: Same Breach Script,” Bank Info Security, November 10, 2014,
http://www.bankinfosecurity.com/home-depot-target-same-breach-script-a-7544/op-1.
22 Securities Industry and Financial Markets Association, “Principles for Effective Cybersecurity Regulatory
Guidance,” press release, October 20, 2014, http://www.sifma.org/issues/item.aspx?id=8589951691.
23 For more information, see CRS Legal Sidebar WSLG483, Obstacles to Private Sector Cyber Threat Information
Sharing, by Edward C. Liu.
24 Department of Justice, “Department of Justice, Federal Trade Commission Issue Antitrust Policy Statement on
Sharing Cybersecurity Information,” press release, April 10, 2014, http://www.justice.gov/opa/pr/justice-department-
(continued...)

remain concerned that firms are holding back information that could make cyberspace more
secure.25
Economic Incentives to Not Share Information
In theory, sharing information about cybersecurity attacks and defenses has many benefits:
• Everyone would appear to benefit from eliminating duplication of costs and
efforts.
• Sharing efforts could detect breaches faster and reduce damage caused by
breaches.
• Sharing breach information and joint research efforts could lead to new ways to
protect information.
In practice, there are also other considerations:
• Some argue that, despite official pronouncements, there are unresolved legal
questions concerning privacy and antitrust issues surrounding sharing
cybersecurity information.
• Some organizations may be reluctant to help competitors and, in extreme cases,
might listen to what others share but offer nothing in return (free-riding in
economic terms).
• If the shared information itself is breached by hackers, the organizations could be
worse off than if they had not shared the information.
• Public disclosure of a breach may cost an organization customers and sales and
affect its stock price.
Although there is some evidence that such fears have been exaggerated, evidence also suggests
that they may be the primary factors preventing firms from sharing cybersecurity information.26
A comparison of Target’s stock price with those of three competitors—Walmart, Best Buy, and Costco—
from the day before Target’s data breach was first revealed on December 18, 2013, to three
months afterwards shows that Target’s stock price increased 19%. In the same time period, Costco’s stock price
increased 9%, while Walmart’s declined 3% and Best Buy’s declined 22%.
The Information Sharing and Analysis Center (ISAC) Council emphasized to the Government
Accountability Office (GAO) that “the benefits of sharing information are often difficult to

(...continued)
federal-trade-commission-issue-antitrust-policy-statement-sharing.
25 Office of Management and Budget, “Statement of Administration Policy, H.R. 624—Cyber Intelligence Sharing and
Protection Act,” April 16, 2013, http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/113/
saphr624r_20130416.pdf.
26 See Alessandro Acquisti, Allan Friedman, and Rahul Telang, “Is There a Cost to Privacy Breaches? An Event
Study,” presented at the Workshop on the Economics of Information Security 2006, http://www.heinz.cmu.edu/
~acquisti/papers/acquisti-friedman-telang-privacy-breaches.pdf; and Ali Alper Yayla and Qing Hu, “The Impact of
Information Security Events on the Stock Value of Firms: The Effect of Contingency Factors,” Journal of Information
Technology, vol. 26, no. 1 (May 4, 2010), http://www.palgrave-journals.com/jit/journal/v26/n1/abs/jit20104a.html.

discern, while the risks and costs of sharing are direct and foreseeable.”27 A survey of information
technology executives found that their chief worry about data breaches was the loss in consumer
confidence and resultant decline in revenue, not the losses directly caused by the breach.28
Analysis of Firms’ Incentives to Share
To understand why companies may not share cybersecurity information, this section examines some
theoretical scenarios that apply basic game theory.
New Threats
Consider a firm that recognizes a new threat or a new (to it, at least) instance of a known threat,
one to which its competitors are also potentially vulnerable. There are several possible outcomes
depending on the characteristics of the threat and the firms.
If the threat to its profits is small, the firm may or may not choose to develop a countermeasure or
share information about the threat, depending on its evaluation of potential reputational benefits
for altruistically sharing the information. Some cyberattacks can be viewed as a cost of doing
business, much like shoplifting is.
If the threat is significant, the firm may try to develop a custom countermeasure (for instance,
hiring a security consultant to create a defense involving new procedures, software, or hardware).
If the firm is unable to obtain a countermeasure, it may or may not have financial incentives to
share information about the threat, depending on the possibility of another organization
developing a countermeasure. Even if the firm believes that developing a countermeasure is
unlikely or impossible, there might not be sufficient incentives to share the information compared
with the advantages of not sharing with competitors.
Industries making similar products and using similar technologies can benefit more from
information sharing, but as they are also more likely to be competitive, they may be less likely to
share information.29 Stronger industry associations could arguably counteract this effect.
Developing and Sharing Countermeasures
If the threat is more general, a firm that develops a countermeasure must decide whether it is
better off keeping the competitive advantage that it now has or selling or giving away the
countermeasure. Some firms, such as many in the defense industrial base, also sell cybersecurity
services and could decide to sell the countermeasure, while others, such as those in water
treatment, might not be in a position to do so.

27 U.S. Government Accountability Office, “Critical Infrastructure Protection: Improving Information Sharing with
Infrastructure Sectors,” July 2004, pp. 9-10, http://www.gao.gov/products/GAO-04-780.
28 Esther Gal-Or and Anindya Ghose, “The Economic Incentives for Sharing Security Information,” Information
Systems Research, vol. 16, no. 2 (June 2005), p. 187, http://pages.stern.nyu.edu/~aghose/ISR.pdf.
29 For more on the effects of product similarity, see Esther Gal-Or and Anindya Ghose, “The Economic Incentives for
Sharing Security Information,” Information Systems Research, vol. 16, no. 2 (June 2005), p. 187,
http://pages.stern.nyu.edu/~aghose/ISR.pdf.

So Why Do Some Firms Share Information?
In most of the scenarios above, organizations might decide not to share information lest they
diminish their competitive advantage. So why do organizations sometimes choose to share
information?
One reason, as discussed above, may be that the threat is small and the firm wants to cultivate a
reputation as a good corporate citizen. The legal requirement to maximize shareholder value does
not translate into employing any means necessary to increase the stock price. Cybersecurity is
arguably integral to national security and economic growth, and people may choose to share
information, even when doing so goes against the balance of their near-term economic incentives,
in order to foster a more secure nation and a more productive economy.
Role of Consultants and Insurance Companies in Information Sharing
When an organization calls in outside experts to help after a data breach, these consultants use
their accumulated knowledge to investigate, document, and remediate the breach. The contract
terms are negotiated between the two parties and generally not disclosed to the public. Following
general practices, it is likely that the outside experts agree not to disclose proprietary information.
Nevertheless, the consultants leave with knowledge about the data breach, and this information
can be used in consulting with other companies.
Following existing practices for property and casualty insurance, companies writing
cyberinsurance are likely to assess the cybersecurity practices of a (potential) client. Following a
data breach claim, a cyberinsurance company would be likely to conduct or monitor a third-party
investigation of the breach. Thus, cyberinsurance companies could gather detailed, technical
information on breaches and use this knowledge to prevent future breaches at other clients.
How Can Organizations Share Information?
This section analyzes how organizations share information and legislation that was introduced in
the 113th Congress to encourage information sharing.
Categories of Information
Organizations primarily share information about new types of threats, new instances of known
threats, and best practices. Information about the effects of an attack can also be shared, even if
the method of attack is unknown—for example, by notifying other firms that information has
been stolen or that a resource is not operational.
Methods of Information Sharing
Certain types of information can be shared automatically to maximize its value. For instance,
when some antivirus software detects malware, it automatically notifies the software vendor,
which can analyze the information and update the antivirus software.
Prior to Target’s 2013 data breach, which led to the theft of more than 40 million payment card
details, Target had recently installed a security system to isolate new malware before it could
damage the real system. This software reportedly includes the option to delete malware
automatically, but according to a media investigation, “Target’s security team turned that function
off.”30 The report quoted a chief information security officer of another company who described
the choice as normal, because “typically, as a security team, you want to have that last decision
point of ‘what do I do.’”
Machine autonomy has its issues. Machines generally are not as skilled as individuals in
identifying proprietary information or PII that should not be shared. Attackers could subvert autonomous
information sharing software to further spread their reach or put their attacks on a list of approved
programs (a “whitelist”). For effective machine-to-machine sharing to occur, firms need to have
high levels of trust with each other and share technical expertise.
Public and Private Sector Information Sharing
Information can be shared within the private sector, within the public sector, and between the two.
Government contractors may be subject to more stringent information sharing and disclosure
requirements depending on the nature of the work and what department they are working with:
the Department of Defense (DOD), for example, requires contractors to report potential
exfiltration of classified information.31 A subset of the private sector, the critical infrastructure
industries, operates slightly differently than the rest by relying heavily on Information Sharing
and Analysis Centers (ISACs).
ISACs
In 1998, Presidential Decision Directive 63, on critical infrastructure protection, authorized the
creation of ISACs and critical infrastructure sector coordinators to assist in their creation.32
ISACs are private-sector, nonprofit entities that collect, analyze, and share information on
cybersecurity threats and best practices.33 Some, such as the Defense Industrial Base ISAC and
the Oil and Natural Gas ISAC, have mechanisms to share information anonymously between
members and with the government. The government also uses ISACs as a tool to communicate
with sectors rapidly, particularly in emergency situations. The government also runs some
ISAC-like entities, such as the Financial Sector Cyber Intelligence Group.34

30 Michael Riley et al., “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” Bloomberg
Businessweek, March 13, 2014,
http://www.businessweek.com/printer/articles/189573-missed-alarms-and-40-million-stolen-credit-card-numbers-how-target-blew-it.
31 Jon W. Burd, “Cybersecurity Developments: Does the NIST ‘Voluntary’ Framework Portend New Requirements for
Contractors?” Wiley Rein LLP, 2013, http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=3&id=9264.
32 The critical sectors are chemicals, communications, commercial facilities, critical manufacturing, dams, defense
industrial base, emergency services, energy, financial services, food and agriculture, government, healthcare and public
health, information technology, nuclear, transportation, and water and waste water. For more information, see National
Telecommunications and Information Administration, “Presidential Decision Directive 63 on Critical Infrastructure
Protection,” 63 Federal Register 41804-41806, August 5, 1998.
33 ISAC Council, “Government–Private Sector Relations,” January 31, 2004,
http://www.isaccouncil.org/images/Government_Private_Sector_Relations_013104.pdf.
34 Zachary Goldfarb and Ellen Nakashima, “Lew Says Financial Industry Could Do More to Prevent Cyberattacks,”
(continued...)

Sectors outside of critical infrastructure have also created ISACs, such as the Retail ISAC.
Additionally, the Food ISAC, although its sector is classified as critical infrastructure by the DHS,
ceased operating due to a lack of information sharing.35
The Multi-State ISAC includes all 50 states, four U.S. territories, the District of Columbia, and
many local governments. The electricity sector ISAC, run by the North American Electric
Reliability Corporation, counts virtually all registered electricity providers as members.
Although the ISACs are sector specific, the multifaceted nature of modern corporations means
that these boundaries are not always clear. For example, because the retailer Target owns a bank,
the company became the first retailer to join the Financial Services ISAC (FS-ISAC).36
Membership in ISACs is voluntary, and levels of participation in ISACs vary. As shown in Figure 1
and Figure 2, the FS-ISAC offers membership tiers ranging from free (with limited benefits) to
platinum (with full benefits) and costing $49,950 annually.
This has not equalized the participation rates among firms with varying levels of resources. New
York State found that 60% of large banking organizations and 25% of small organizations were
members of the FS-ISAC.37 Nonetheless, the FS-ISAC has helped its members combat
cybersecurity issues such as denial-of-service attacks.38
Although cybersecurity is important to the information technology industry, the IT-ISAC has 33
members. Many large cybersecurity vendors—such as Symantec, FireEye, and DocuSign—are
members but many of the biggest companies in IT, including Google, Mozilla, Adobe, Apple, and
Facebook, are not.39 However, IT-ISAC shares information with other organizations, such as the
IT Sector Coordinating Council, which has a broader membership to include, through other
alliances, companies such as Google and Facebook.40
Generally, ISACs cannot prevent free-riding. If a company joins, there is usually no mechanism
preventing it from receiving information even if it does not contribute information of its own.
Free-riding has the potential to discourage information sharing. If a sharer consistently
contributes without receiving information in return, it may decide that it is helping its competitors
more than it is benefitting from sharing.

(...continued)
Washington Post, July 16, 2014,
http://www.washingtonpost.com/business/economy/lew-says-financial-industry-could-do-more-to-prevent-cyberattacks/2014/07/16/6909e970-0d22-11e4-8341-b8072b1e7348_story.html.
35 Joseph Straw, “Food Sector Abandons Its ISAC,” Security Management,
http://www.securitymanagement.com/article/food-sector-abandons-its-isac-004590.
36 CRS Report R43496, The Target and Other Financial Data Breaches: Frequently Asked Questions, by N. Eric Weiss
and Rena S. Miller.
37 New York State Department of Financial Services, Report on Cyber Security in the Banking Sector, May 2014, p. 4,
http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf.
38 The White House, “Getting Serious about Information Sharing for Cybersecurity,” April 10, 2014,
http://www.whitehouse.gov/blog/2014/04/10/getting-serious-about-information-sharing-cybersecurity.
39 IT-ISAC, Members, August 7, 2014, http://www.it-isac.org/#!members/c1tsl.
40 Letter from Brian Willis, president, IT-ISAC, to Dr. Melissa Hathaway, acting senior director for cyberspace, NSC,
February 27, 2009,
http://www.whitehouse.gov/files/documents/cyber/Willis%20Brian%20-%20IT%20ISAC%20Final%20Letter%20to%20Dr%20Hathaway.pdf.




Figure 1. Financial Services ISAC Membership Tiers
Figure 2. Financial Services ISAC Membership Tiers (Continued)

Source: Financial Services ISAC, Membership Benefits, https://www.fsisac.com/join.




Mandatory, Voluntary, and Incentivized Sharing
The SEC requires publicly traded companies to disclose “material information,” including with
regard to cybersecurity risks and cyber incidents. The Supreme Court has ruled that information
is material if there is “a substantial likelihood that the disclosure of the omitted fact would have
been viewed by the reasonable investor as having significantly altered the ‘total mix’ of
information made available.”41 One open issue is how quickly information must be announced.
Cybersecurity breaches can require weeks or months of investigation and remediation. Law
enforcement may be concerned that a public announcement will alert those responsible and allow
them to take countermeasures.
As discussed above, DOD is reported to require that its contractors share information on potential
security breaches.42
Some, such as Dan Geer, chief information security officer of In-Q-Tel (a nonprofit venture
capital firm that serves the U.S. intelligence community), have called for mandatory sharing of
some information. He has noted that multiple sources have estimated that third parties discover
75% of data breaches. Geer bases his proposed model on the systems used by the aviation
industry, which voluntarily reports incidents that had a significant chance of causing damage, and
the Centers for Disease Control, which mandates reporting incidents above a certain threshold of
harm.43 Other experts advocate a strictly voluntary approach, because they believe it could
impose fewer regulatory costs on businesses and cost less for taxpayers.44
Consequences of Inadequate Information Sharing
Direct Effects on Security
Inadequate cybersecurity information sharing is thought to result in suboptimal security. By not
sharing, organizations might duplicate the same work. If the information is shared—with or
without cost—the savings could, in theory, be applied to increasing cybersecurity or some other
purpose.

41 TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976). For a discussion of recent controversies involving
disclosure (or nondisclosure) of “material information,” see Steven Davidoff Solomon, “In Corporate Disclosure, a
Murky Definition of Material,” New York Times, April 5, 2011,
http://dealbook.nytimes.com/2011/04/05/in-corporate-disclosure-a-murky-definition-of-material/?_php=true&_type=blogs&_r=0.
42 Jon W. Burd, “Cybersecurity Developments: Does the NIST ‘Voluntary’ Framework Portend New Requirements for
Contractors?” Wiley Rein LLP, 2013, http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=3&id=9264.
43 Dan Geer, “Cybersecurity as Realpolitik,” keynote address at Black Hat USA 2014, Las Vegas, NV, August 6, 2014,
http://geer.tinho.net/geer.blackhat.6viii14.txt.
44 David Inserra and Paul Rosenzweig, “Cybersecurity Information Sharing: One Step towards U.S. Security,
Prosperity, and Freedom in Cyberspace,” Heritage Foundation, April 1, 2014,
http://www.heritage.org/research/reports/2014/04/cybersecurity-information-sharing-one-step-toward-us-security-prosperity-and-freedom-in-cyberspace.

Indirect Security Effects through the Market for Cybersecurity Products

Information differences between buyers and sellers of cybersecurity products could lower the size
and quality of the market for cybersecurity products. Cybersecurity can be thought of as an
example of a “market for lemons,” a concept developed by George Akerlof, which he applied to
the used car market.45
In a “lemon market,” buyers cannot accurately assess a product’s value before purchasing it, and
sellers cannot credibly disclose the product’s value because they have incentives to overstate the
quality of their products. If the buyer cannot determine whether the product is better or worse
than average, the buyer will be unwilling to pay more than the average price of all the products in
the market. This means sellers of better than average quality products have difficulty selling their
products for what they are worth, so they underinvest in product development, driving down the
overall quality and size of the market.
Security products in general are prone to this problem. It is difficult or impossible to know
whether a security product is working because it is good or because the attacks have been weak or
few in number. The overall effect is that there are fewer products and relatively fewer good
products to choose from, and buyers cannot be confident that they are getting a good value. One
result could be less cybersecurity investment than would be optimal.
Effects of Greater Information Sharing
Sharing more information could reduce the information asymmetries and increase the size and
quality of the market for cybersecurity products and make cyberspace more secure, allowing
firms to better estimate the probability and costs of data breaches, for example. Sharing more
information could also reduce duplication of effort, making dollars spent on cybersecurity more
effective. Clear metrics of effectiveness and objective, trusted, third-party evaluation services do
not appear to currently exist in the cybersecurity market.46
The advantages of information sharing are likely to be greatest when organizations are using
similar technologies. For example, learning about a weakness in an operating system or
application software has the most value to an organization using that operating system or
application. It might provide a lesson to those using other software, but it is less likely to be
directly applicable.
Another concern is that erroneous information could lead to new security holes. The reputation of
those providing information can provide assurance that experts have reviewed and passed on the
information.

45 George Akerlof, “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism,” Quarterly Journal of
Economics, vol. 84, no. 3 (August 1970), pp. 488-500.
46 In addition, an organization’s cybersecurity depends on all the defensive measures that it has taken. A perfect
antivirus program does not exist, but even if it did it would not protect against other types of attack.

Currently, a main enforcement mechanism for cybersecurity is the Federal Trade Commission’s
(FTC’s) authority to sue companies for deceptive practices—for example, claiming that their
products are “secure” when they do not employ common security practices.47 Thus, a de facto
standard exists for what constitutes acceptable cybersecurity, but it is based on a series of actions
taken by organizations that do not need to publicize their security practices. Greater information
sharing could make it easier for companies to implement uniform security practices.
Greater information sharing may, in some instances, effectively weaken cybersecurity by creating
an overwhelming amount of information, eliminating the capacity to pay attention to truly
important alerts. ISACs can help to mitigate this problem by analyzing information and sorting
out what information is relevant to subsets of their members.
Some have argued that greater information sharing could encourage the growth of the $1.3 billion
cyberinsurance market by allowing for more accurate assessment of risk and security products’
effectiveness.48 A more mature cyberinsurance market would itself make cyberspace more secure:
Insurers promote practices that make the insured safer, which would decrease insurers’ payouts.
Insurers verify and inspect the systems they are insuring. However, some analysts believe that
cyberinsurance will have limited utility as many of the losses, such as damage to one’s reputation,
are intangible and difficult to put a value on.49
Selected Legislation in the 113th Congress to Encourage Information Sharing

This section provides brief summaries of three bills that were introduced in the 113th Congress.
For more details, see CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview of
Major Issues, Current Laws, and Proposed Legislation, by Eric A. Fischer and CRS Report
R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.
H.R. 624: The Cyber Intelligence Sharing and Protection Act
The House passed H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), on April
18, 2013.50 CISPA would have directed the President to designate entities within DHS and DOJ to
receive cybersecurity and cybercrime information, respectively, and to develop procedures to
ensure real-time sharing with appropriate agencies, cybersecurity providers, and self-protected
entities. The bill also would have required the Director of National Intelligence to establish
procedures for information sharing with entities and persons with appropriate security clearances.

47 Federal Trade Commission v. Wyndham Worldwide Corporation, et al., Civil Action No. 13-1887 (ES) (U.S. District
Court of New Jersey 2014). For CRS legal analyses of these issues see, for example, CRS Legal Sidebar WSLG947,
FTC v. Wyndham Worldwide Corp.: NJ Federal District Court Upholds the FTC’s Authority to Regulate Data Security
as an Unfair Trade Practice, by Gina Stevens.
48 Nicole Perlroth and Elizabeth A. Harris, “Cyberattack Insurance a Challenge for Business,” New York Times, June 8,
2014, http://www.nytimes.com/2014/06/09/business/cyberattack-insurance-a-challenge-for-business.html?_r=0.
49 Ibid.
50 In the 112th Congress, a similar bill, H.R. 3523, the Cyber Intelligence Sharing and Protection Act, also passed the
House.

CISPA would have authorized the government to use shared information for cybersecurity
purposes but not for regulatory purposes, and it would have prohibited the use of certain
personally identifiable information (PII). CISPA would have exempted information shared with
the federal government from public disclosure. The bill specified that it should not be construed
to preclude the federal government from requiring an entity to report significant cyber incidents
under another provision of law.
CISPA would have authorized cybersecurity providers and self-protected entities to perform
cybersecurity activities and share information for a cybersecurity purpose. The bill would have
prohibited private entities from using such information to gain a competitive advantage, would
have required that they anonymize information to the greatest extent possible, and would have
prohibited private entities from using such information for any non-cybersecurity purpose. CISPA
also would have provided liability protection from civil or criminal causes of action against
private entities acting in good faith for a cybersecurity purpose.
Analysis
CISPA could have increased information sharing. Firms that want to share information but have
been advised that it is legally risky would have been more likely to share information. (Although
the bill did not address antitrust issues except to say that shared information cannot be used to
gain a competitive advantage, the DOJ guidance discussed above addresses this issue.)51 In
particular, CISPA would have aided sharing by firms that were not members of ISACs—smaller
firms and firms not in critical infrastructure sectors—because ISACs already perform many of the
functions that the government would have performed under CISPA, such as anonymization,
sharing, and analysis.
CISPA would not have altered the fundamental economic incentives that cause many companies
to choose not to share information, but it had the potential to indirectly allow incentives to
change. Firms that perceive information sharing as a potentially profit-diminishing action could
still be reluctant to share information. However, if companies were given greater legal protection to
share outside of ISACs, informal sharing networks could develop in which companies could
exclude free-riders. This would create positive norms of reciprocal sharing and receiving.
However, the bill did not guarantee this outcome.
Civil liberties and privacy advocates raised concerns with the bill. Their concerns centered on the
fact that H.R. 624 did not itself specify privacy protections but instead would have directed DHS,
DOJ, the Director of National Intelligence, and DOD to promulgate and review procedures to
protect privacy and civil liberties.52
The Office of Management and Budget (OMB) issued a statement of administration policy
expressing President Obama’s intent to veto the bill largely due to these privacy concerns.53

51 Letter from Joel I. Klein, assistant attorney general, to Barbara Greenspan, Esq., associate general counsel, Electric
Power Research Institute, October 2, 2000, http://www.justice.gov/atr/public/busreview/6614.pdf.
52 For more information, see CRS Report WSLG480, Privacy and Civil Liberties Issues Raised by CISPA, by Andrew
Nolan.
53 Office of Management and Budget, “Statement of Administration Policy, H.R. 624 - Cyber Intelligence Sharing and
Protection Act,” April 16, 2013, http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/113/
saphr624r_20130416.pdf.

S. 2588: The Cybersecurity Information Sharing Act
S. 2588, the Cybersecurity Information Sharing Act (CISA), was introduced by Senator Dianne
Feinstein and passed by the Senate Select Committee on Intelligence on July 10, 2014. CISA was,
in many ways, similar to the House’s CISPA. In the 112th Congress, legislation similar to CISA
and CISPA was introduced. CISA would have directed the federal government to promulgate
information sharing and receiving procedures and policies to protect privacy and civil liberties.
CISA also would have limited the federal government’s authority to use the information to
cybersecurity and cybercrime purposes.
CISA would have provided liability protection for private entities fulfilling cybersecurity
purposes in good faith. Additionally, CISA specifically would have exempted good faith sharing
of cybersecurity information for cybersecurity purposes from antitrust causes of action—with
exceptions to the exemption for certain explicitly anticompetitive behavior.
Unlike CISPA, CISA would have prohibited requiring an entity to provide information to the
federal government.
Analysis
Like CISPA, CISA itself would not have fundamentally changed the financial incentives for
companies to share information. However, by explicitly providing antitrust protection, the bill
would have likely had a greater chance than CISPA of encouraging the development of informal
networks with norms of reciprocal sharing. Yet by prohibiting the federal government from
requiring the sharing of information, S. 2588 would have deprived the government of a powerful
tool that might increase the sharing of cybersecurity information among private-sector
participants.
S. 2717: The Cyber Information Sharing Tax Credit Act
S. 2717, the Cyber Information Sharing Tax Credit Act (CISTCA), was introduced in the Senate
on July 31, 2013, by Senator Kirsten Gillibrand. The bill would have provided refundable tax
credits for all expenses, except travel costs, associated with joining an ISAC.54
Analysis
S. 2717 was unusual in providing a 100% tax credit for the action it promotes. More common is
for a credit to cover only some of the cost of the action.55 Under the bill, it would have been in
more companies’ best interests to join their respective ISACs, because they would have been
refunded nearly all of their expenses for joining and participating in their ISACs.56 Under S.
2717, there would have been little after-tax cost to joining an ISAC.

54 Senator Kirsten Gillibrand, “Gillibrand Introduces New Cyber-Security Legislation,” press release, July 31, 2014,
http://www.gillibrand.senate.gov/newsroom/press/release/gillibrand-introduces-new-cyber-security-legislation-after-new-9/11-commission-report-released-last-week-concluded-a-9/10-ability-to-protect-against-cyber-attacks.
55 For more information on tax credits, see CRS Report R42726, The Corporate Income Tax System: Overview and
Options for Reform, by Mark P. Keightley and Molly F. Sherlock and CRS Report RL32808, Overview of the Federal
Tax System, by Molly F. Sherlock and Donald J. Marples.

For many ISACs, the bill would have had little or no impact, as their membership is already at or
near 100% of their sectors. However, for other ISACs, such as the retail or IT ISACs, the bill
might have increased membership. The costs associated with joining an ISAC can be daunting for
smaller firms, as evidenced by their lower rates of participation in the FS-ISAC.57
The competitive incentives to not share information would have remained intact. Still, the bill
could have increased the amount and spread of information shared.
Other Legislation
In the 112th Congress, S. 3414, the Cybersecurity Act of 2012, would have required critical
infrastructure entities to share “significant cyber incidents.” S. 3414 would also have provided
tangible incentives to share, such as prioritized technical assistance, threat alerts, public
recognition, expedited security clearances, and liability protection.58
Conclusion: How Might Incentives Change?
Each of these three bills introduced in the 113th Congress aimed to make cyberspace more secure
by increasing the amount and impact of information shared while not significantly increasing
costs to businesses or taxpayers. They did not address the competitive incentives to not share
information.
However, CISPA and CISA would have increased the likelihood of informal information sharing
networks developing. Although informal networks might lack the technical capabilities of an
ISAC, they can arguably discourage free-riding by cutting “takers” out of the network, which
would alter incentives in favor of more information sharing. This arguably requires a serious
commitment to prioritizing the good of the sector over the good of the individual firm during the
initial phase of informal sharing. CISPA and CISA also could have increased the likelihood that the
markets for cybersecurity products and cyberinsurance would grow in size and quality.
There are other ways that behavior could change: more mandatory information sharing, for
example. In 47 states and the District of Columbia, Guam, Puerto Rico, and the Virgin Islands,
companies must disclose when PII has been breached. Several bills were introduced that would
harmonize this “quilt” of state laws with a federal law.59 General Motors’ recent failure to
announce safety information either to the public or senior management arguably warns that
disclosure requirements are not always followed.

56 A company that has no tax liability in a year would not benefit from the tax credit.
57 New York State Department of Financial Services, “Report on Cyber Security in the Banking Sector,” May 2014,
p. 4, http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf.
58 For information on other legislation, including bills passed in previous Congresses, see CRS Report R42114, Federal
Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation, by Eric A. Fischer.
59 For more information, see CRS Report R42475, Data Security Breach Notification Laws, by Gina Stevens and CRS
Report R42474, Selected Federal Data Security Breach Legislation, by Kathleen Ann Ruane.


Author Contact Information

N. Eric Weiss

Specialist in Financial Economics
eweiss@crs.loc.gov, 7-6209

Acknowledgments
Ben Bleiberg, a CRS intern from Pomona College in the summer of 2014, helped greatly in this report by
conducting research and writing the first drafts.