Imagine if there were a way for the government to share information about cybersecurity threats with private industry. It's an idea that makes sense and an idea that a California congressman would like to see happen.
Representative Dan Lungren proposed the creation of a National Information Sharing Organization (NISO), which would serve as a clearinghouse for cyber threat information that would be shared among federal, state and local governments, educational institutions and private businesses. The NISO would also provide funding for cybersecurity research. The goal is for the NISO to have a governing board consisting of representatives from federal agencies, companies that operate critical infrastructure, and civil liberties groups, among other organizations.
But because this is coming from Congress, not everybody is sold on Lungren's proposal. There are groups questioning the privacy of the information that would be shared. According to Bloomberg Businessweek, Gregory Nojeim, senior counsel at the nonprofit Center for Democracy and Technology, agreed that the proposal is a good first step to better national cybersecurity. However:
Nojeim said the bill must clarify the types of data that companies can share with the government and what federal agencies can do with the information. "It's important that information-sharing not devolve into governmental monitoring of private-to-private communications," he said. Proposals should define the data shared, limit the use and purpose of sharing and include audits to ensure that rules are followed.
Another thing this proposal would do is give some clarity as to who is in charge of cybersecurity. Right now, it seems like government and industry are sputtering, not only trying to figure out who should be the definitive voice on cybersecurity, but also how, exactly, cybersecurity should be defined.
It was suggested that the Department of Homeland Security take over the role as the lead government agency on cybersecurity. Right now, that seems the most logical step. And if you were wondering, the bulk of the budget for the NISO would come from the private industry members, which leads to another set of complications: How much government input will there be and how much should there be? Is cybersecurity a job for government to solve, or is it better suited for industry?
I don't have answers to these questions, and right now, neither does anyone else. Of course, the NISO is just in the proposal stage, and at the rate Congress is moving, we might be addressing the results of the proposal sometime in 2014.