Cybersecurity and Information Sharing

Updated April 29, 2015

This In Focus summarizes the issues related to sharing information about cybersecurity breaches (the theft of information from computer networks) to prevent similar incidents in the future. Legislation has been introduced in the 113th and 114th Congresses to remove what some perceive to be legal obstacles to information sharing.

Overview

What Is Information Sharing? The discussion of cybersecurity data breach information sharing usually refers to sharing information within an industry or between industry and government about a cyberattack. Sharing data breach information with consumers is usually discussed separately and called data breach notification.

What Is Stolen in a Data Breach? Confidential information is usually copied in a data breach and sold or used in ways that adversely impact the rightful owners of the information. This can include credit and debit card information, medical records, personally identifiable information, or an organization’s proprietary information. Historically, credit card information has been the most stolen information.

How Do Data Breaches Occur? In 2014, according to the Identity Theft Resource Center, hacking was involved in 29% of 783 data breaches analyzed. Other causes were subcontractors and third parties (15%), physical theft (13%), accidental exposure (12%), employee negligence (11%), insider theft (10%), and data moving over a network (8%).

Figure 1. Techniques Used in Data Breaches

Source: Identity Theft Resource Center, ITRC Breach Statistics 2005-2014, http://www.idtheftcenter.org/images/breach/MultiYearStatistics.pdf.

Costs and Who Bears Them? Merchants that honor stolen credit cards can have charges reversed (a chargeback) and end up without the merchandise or the payment. Credit card issuers say they are not fully reimbursed when they have to replace a compromised credit card. Companies that produce software with security flaws may not bear the cost of the flaws. The result is that those responsible for cybersecurity breaches rarely pay the full cost of those breaches.

Use of Shared Information. Sharing information about cyber breaches could help other organizations to implement lessons learned from the breaches. This does not always occur. Recently, data breaches have used similar techniques that were disclosed in the media. For example, memory skimming was used in the Target data breach to capture information in the chain’s point of sale terminals. Target was not the first company to suffer from this attack method; other companies that have been victimized by the same malware are reported to include Home Depot and three parking services.

The biggest question is whether this information sharing proposal will contribute to the stated purpose, namely “to better protect information systems and more effectively respond to cybersecurity incidents.”
—Richard Bejtlich, Chief Security Strategist at FireEye

More generally, point of sale terminals have reportedly been compromised in various ways at the Mandarin Oriental Hotel Group, Natural Grocers, gas station pumps, White Lodging Services (twice), ATMs, Chick-fil-A, Staples, Bebe, Michaels, and Kmart, to list a few.

Efficiency Considerations. A lack of information sharing can lead organizations to duplicate each other’s work. Sharing information could, in theory, lead to more security at less cost.

Perceived Legal Barriers. Firms and industry groups have cited concerns over violating privacy and antitrust laws as a reason that they are reluctant to share information. In an attempt to assuage such fears, the Department of Justice and the Federal Trade Commission have issued a joint statement that “properly designed sharing [is] not likely to raise antitrust concerns.” Some firms might be concerned about liability for sharing information that includes innocent third parties.

Technical Barriers. One issue in sharing information is the technical ability of those receiving the information to use it. For example, the suggestion to “update and run an antivirus program” is unlikely to present much of a technical challenge, but “check all servers to verify that the default administrator account has been deleted and that each server has a unique password” requires more technical skill and probably more effort.

Sectors Affected. In 2014, according to the Identity Theft Resource Center,

https://crsreports.congress.gov
• 43% of all known data breaches occurred in medical and healthcare facilities;
• 33% occurred in business computer systems, including retailers, hotels, professionals, and payment processors;
• 12% occurred in government (any level) or military facilities, including Veterans’ Affairs hospitals;
• 7% occurred in education organizations from preschool through college; and
• 5% occurred in banking, credit, and financial institutions, such as banks, credit unions, credit card companies, and pension funds.

Figure 2. Industry Share of Data Breaches

Source: Identity Theft Resource Center, ITRC Breach Statistics 2005-2014, http://www.idtheftcenter.org/images/breach/MultiYearStatistics.pdf.

How Can Organizations Share Information? Currently, firms share information directly on an ad hoc basis and through private-sector, nonprofit organizations, such as Information Sharing and Analysis Centers (ISACs), that can analyze and disseminate information. These ISACs were authorized in 1998 by Presidential Decision Directive 63, on critical infrastructure protection. The federal government oversees ISACs for critical infrastructure through sector-specific agencies, such as Treasury for the Financial Services ISAC and the Department of Homeland Security for the Chemical Sector ISAC.

ISACs charge for some levels of membership. For example, the Financial Services ISAC provides “limited critical notifications” to members who pay no annual fees, and more detailed information to members who pay fees that range from $250 to $49,940 per year.

In addition to these critical infrastructure ISACs, other sectors have created ISACs. More generally, Information Sharing and Analysis Organizations are an expansion of the ISAC concept. In addition, there are private, fee-based, for-profit information sharing groups.

When an organization calls in outside experts to help after a data breach, these consultants use their accumulated knowledge to investigate, document, and remediate the breach. Any lessons learned remediating a current breach are likely to be applied to future breaches.

Sharing Networks. Shared information can be used most easily when the network environments are similar or identical. This suggests that industry-based information sharing groups could form a logical organizational structure. Nevertheless, companies in different industries may share similar network configurations. For example, information about an attack on a point-of-sale terminal could be of interest to financial services, hotels, car rental companies, restaurants, and more. Supervisory control and data acquisition (SCADA) systems are used by all types of utilities, and also control elevators, heating, ventilation, and air conditioning in large buildings.

Cyberinsurance. Insurance is a way to share risks so that when an unlikely event occurs the insured entity receives a payment to compensate for the losses. Commercial underwriting practices for property and casualty insurance include assessing the risk mitigation precautions that an insured company has taken and evaluating the remaining risk. This evaluation is used to determine insurance premiums.

Prior data breach claims help a cyberinsurance company to estimate the probability of a breach and the likely covered losses. A cyberinsurance company might use this experience to recommend cybersecurity improvements. Thus, cyberinsurance companies can gather detailed, technical information on breaches and use this knowledge to prevent future breaches at other clients.

Selected Legislation in the 114th Congress

H.R. 1560, Protecting Cyber Networks Act

H.R. 1731, National Cybersecurity Protection Advancement Act of 2015

S. 754, Cybersecurity Information Sharing Act of 2015

Additional Resources

CRS Report R43831, Cybersecurity Issues and Challenges: In Brief, by Eric A. Fischer.

CRS Report R43821, Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis, by N. Eric Weiss.

CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.

CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et al.

CRS Report R43996, Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731, by Eric A. Fischer.

N. Eric Weiss, Specialist in Financial Economics

IF10163

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10163 · VERSION 3 · UPDATED