April 29, 2015
Cybersecurity and Information Sharing
This In Focus summarizes the issues related to sharing
information about cybersecurity breaches (the theft of
information from computer networks) to prevent similar
incidents in the future. Legislation has been introduced in
the 113th and 114th Congresses to remove what some
perceive to be legal obstacles to information sharing.
What Is Information Sharing? The discussion of
cybersecurity data breach information sharing usually
refers to sharing information within an industry or between
industry and government about a cyberattack. Sharing data
breach information with consumers is usually discussed
separately and called data breach notification.
What Is Stolen in a Data Breach? Confidential
information is usually copied in a data breach and sold or
used in ways that adversely impact the rightful owners of
the information. This can include credit and debit card
information, medical records, personally identifiable
information, or an organization’s proprietary information.
Historically, credit card information has been the most
How Do Data Breaches Occur? In 2014, according to the
Identity Theft Resource Center, hacking was involved in
29% of 783 data breaches analyzed. Other causes were
subcontractors and third parties (15%), physical theft
(13%), accidental exposure (12%), employee negligence
(11%), insider theft (10%), and data moving over a network
Figure 1. Techniques Used in Data Breaches
replace a compromised credit card. Companies that produce
software with security flaws may not bear the cost of the
flaws. The result is that those responsible for cybersecurity
breaches rarely pay the full cost of those breaches.
Use of Shared Information. Sharing information about
cyber breaches could help other organizations to implement
lessons learned from the breaches. This does not always
occur. Recently data breaches have used similar techniques
that were disclosed in the media. For example, memory
skimming was used in the Target data breach to capture
information in the chain’s point of sale terminals. Target
was not the first company to suffer from this attack method;
other companies that have been victimized by the same
malware are reported to include Home Depot and three
The biggest question is whether this information
sharing proposal will contribute to the stated purpose,
namely “to better protect information systems and
more effectively respond to cybersecurity incidents.”
—Richard Bejtlich, Chief Security Strategist at FireEye
More generally point of sale terminals have reportedly been
compromised in various ways at the Mandarin Oriental
Hotel Group, Natural Grocers, gas station pumps, White
Lodging Services (twice), ATMs, Chick-fil-A, Staples,
Bebe, Michaels, and Kmart to list a few.
Efficiency Considerations. A lack of information sharing
can lead organizations to duplicate each others’ work.
Sharing information could, in theory, lead to more security
at less cost.
Perceived Legal Barriers. Firms and industry groups have
cited concerns over violating privacy and antitrust laws as a
reason that they are reluctant to share information. In an
attempt to assuage such fears, the Department of Justice and
the Federal Trade Commission have issued a joint statement
that “properly designed sharing [is] not likely to raise
Some firms might be concerned about liability for sharing
information that includes innocent third parties.
Source: Identity Theft Resource Center, ITRC Breach Statistics
Costs and Who Bears Them? Merchants that honor stolen
credit cards can have charges reversed (a chargeback) and
end up without the merchandise or the payment. Credit card
issuers say they are not fully reimbursed when they have to
Technical Barriers. One issue in sharing information is the
technical abilities of those receiving the information to use
it. For example, the suggestion to “update and run an
antivirus program” is unlikely to present much of a
technical challenge, but “check all servers to verify that the
default administrator account has been deleted and that each
server has a unique password” requires more technical
skills and probably more effort.
www.crs.gov | 7-5700
Cybersecurity and Information Sharing
Sectors Affected. In 2014, according to the Identity Theft
• 43% of all known data breaches occurred in medical and
• 33% occurred in business computer systems, including
retailers, hotels, professionals, and payment processors;
• 12% occurred in government (any level) or military
facilities, including Veterans’ Affairs hospitals;
• 7% occurred in education organizations from preschool
through college; and
• 5% occurred in banking, credit, and financial
institutions, such as banks, credit unions, credit card
companies, and pension funds.
Figure 2. Industry Share of Data Breaches
Source: Source: Identity Theft Resource Center, ITRC Breach
Statistics 2005-2014, http://www.idtheftcenter.org/images/breach/
How Can Organizations Share Information? Currently,
firms share information directly on an ad hoc basis and
through private-sector, nonprofit organizations, such as
Information Sharing and Analysis Centers (ISACs), that can
analyze and disseminate information. These ISACs were
authorized in 1998 by Presidential Decision Directive 63,
on critical infrastructure protection. The federal government
oversees ISACs for critical infrastructure through sectorspecific agencies, such as Treasury for the Financial
Services ISAC and the Department of Homeland Security
for the Chemical Sector ISAC.
Sharing Networks. Shared information can be used most
easily when the network environments are similar or
identical. This suggests that industry-based information
sharing groups could form a logical organizational
structure. Nevertheless, companies in different industries
may share similar network configurations. For example,
information about an attack on a point-of-sale terminal
could be of interest to financial services, hotels, car rental
companies, restaurants, and more. Supervisory control and
data acquisition (SCADA) systems are used by all types of
utilities, and also control elevators, heating, ventilation, and
air conditioning in large buildings.
Cyberinsurance. Insurance is a way to share risks so that
when an unlikely event occurs the insured entity receives a
payment to compensate for the losses. Commercial
underwriting practices for property and casualty insurance
include assessing the risk mitigation precautions that an
insured company has taken and evaluating the remaining
risk. This evaluation is used to determine insurance
Prior data breach claims help a cyberinsurance company to
estimate the probability of a breach and the likely covered
losses. A cyberinsurance company might use this
experience to recommend cybersecurity improvements.
Thus, cyberinsurance companies can gather detailed,
technical information on breaches and use this knowledge
to prevent future breaches at other clients.
Selected Legislation in the 114th Congress
H.R. 1560, Protecting Cyber Networks Act
H.R. 1731, National Cybersecurity Protection Advancement
Act of 2015
S. 754, Cybersecurity Information Sharing Act of 2015
CRS Report R43831, Cybersecurity Issues and Challenges:
In Brief, by Eric A. Fischer.
ISACs charge for some levels of membership. For example,
the Financial Services ISAC provides “limited critical
notifications” to members who pay no annual fees, and
more detailed information to members who pay fees that
range from $250 to $49,940 per year.
CRS Report R43821, Legislation to Facilitate
Cybersecurity Information Sharing: Economic Analysis, by
N. Eric Weiss.
In addition to these critical infrastructure ISACs, other
sectors have created ISACs. More generally, Information
Sharing and Analysis Organizations are an expansion of the
ISAC concept. In addition, there are private, fee-based, for
profit information sharing groups.
CRS Report R42409, Cybersecurity: Selected Legal Issues,
by Edward C. Liu et al.
When an organization calls in outside experts to help after a
data breach, these consultants use their accumulated
knowledge to investigate, document, and remediate the
breach. Any lessons learned remediating a current breach
are likely to be applied to future breaches.
CRS Report R43317, Cybersecurity: Legislation, Hearings,
and Executive Branch Documents, by Rita Tehan.
CRS Report R43996, Cybersecurity and Information
Sharing: Comparison of H.R. 1560 and H.R. 1731, by Eric
N. Eric Weiss, email@example.com, 7-6209
www.crs.gov | 7-5700