
From Banking and Finance Law Daily, January 28, 2015

Senate Homeland Security Committee tackles information sharing on cyber threats

By Mark S. Nelson, J.D.

The Senate Committee on Homeland Security and Governmental Affairs heard from cybersecurity experts today on the possibility of fostering better sharing of threat information among private entities and the government. The hearing came just a day after Ranking Member Thomas R. Carper (D-Del.) and two other Democratic senators sent a letter to Senate Majority Leader Mitch McConnell (R-Ky.), calling on Republicans to pass a "clean" bill funding the Department of Homeland Security.

First Cyber hearing. Committee Chair Ron Johnson (R-Wis.) said Congress’s "mission" is to "enhance [the] economic and national security of America." He also said Congress should focus on both promoting information sharing with liability limits and drafting a policy for data breach notification. Sen. Johnson noted a remark two years ago by General Keith Alexander, then-director of the National Security Agency, that cyber theft can be viewed as one of the biggest wealth transfers ever.

Today’s hearing was the first for the reformulated homeland security committee after last fall’s elections, which tipped Senate power in favor of Republicans. "The purpose of this hearing is to take that first step and develop an understanding of the reality of the cybersecurity threat — the frequency and complexity of the cyber-attacks U.S. businesses endure every day, what businesses can do to better defend themselves, and what businesses need from the federal government," said Sen. Johnson.

In an opening statement, Sen. Carper characterized the recent cyberattack on Sony Pictures, allegedly by North Korea, as a "turning point" and "a game changer" for government, businesses, and individuals. "We have heard about these types of destructive attacks in other countries, but never one of this magnitude here on U.S. soil. This devastating attack did not stop in cyberspace. It was coupled with threats of violence against American moviegoers and an assault on the values we cherish," said Sen. Carper.

Legislation and risks. Marc D. Gordon, executive vice president and chief information officer at American Express, urged legislators to move ahead with legislative proposals that would promote information sharing. He said the proposals are the "single highest impact/lowest cost/fastest to implement" solution to cybersecurity risks.

Microsoft Corporation’s vice president of Trustworthy Computing, Scott Charney, described the types of threats businesses face. According to Charney, threats are either opportunistic (he likened these threats to burglars trying doorknobs until one door opens) or "advanced persistent threats" (APTs). He said in the first scenario, any victim will do, while APTs tend to come from actors focused on a specific victim. But even APTs are often more about persistence than sophistication, Charney said.

FireEye’s chief security strategist, Richard Bejtlich, cited some of the many threats he believes come from state actors, such as Russia, China, Iran, and North Korea. He said commercial and geopolitical goals drive most Russian and Chinese hackers. By contrast, he said Iranian and North Korean hackers have these goals too, but they also have a penchant for attacks focused on "disruption" and "sabotage."

Bejtlich reiterated FireEye’s worries about the vulnerabilities in U.S. markets. Last November, FireEye posted a report on its company blog that said it had identified a shadowy group it dubbed FIN4, whose goal it believes is to hack into nonpublic systems to get market-moving information before targeted companies can make public announcements, such as for mergers and acquisitions.

But legislation to deal with these risks also comes with a potential civil liberties price tag. Gregory T. Nojeim, senior counsel and director of the Freedom, Security and Technology Project at The Center for Democracy and Technology, said two options can avoid these concerns. One is to encourage private-to-private sharing of cyber threats because private entities own and control most key infrastructure. He said antitrust worries about this option have waned since the Department of Justice and the Federal Trade Commission issued related guidance.

Nojeim also said threat data could safely flow from government to private entities if the government declassifies data that might help private entities avoid cyberattacks.

But Nojeim said he is still worried about several proposals in Congress and the Obama Administration’s plan too. "Quite simply, the American public should not – and need not – be forced to choose between being hacked by cyber criminals and being snooped on by the government."

Cyber insurance. Another topic that has drawn much interest in the past year is the availability of cyber insurance. Directors and management at both public and private companies have mulled whether to buy these insurance policies and how best to use them to protect their businesses from potentially crippling cyberattacks.

Peter J. Beshar, executive vice president and general counsel, Marsh & McLennan Companies, told committee members that cyber insurance has "a lot of relevance" and it "can drive behavior change." According to Beshar, the simplest coverage may compensate a business for its out-of-pocket costs for its post-breach response. The next higher level of coverage deals with business interruptions and may let a business recover its actual harm from a computer network shutdown. The strongest protections to date are contained in third-party policies that cover harm to an insured business’s customers.

Beshar also talked about the likely behavioral changes in a company’s outlook about cyberattacks once it decides to buy an insurance policy. For one, Beshar said the application process alone forces a company to conduct a gap analysis, a common risk management tool. Moreover, once a policy is in place, the insurance company is motivated to help an insured business to avoid and mitigate cyberattacks.

Companies: Sony Pictures; American Express; Microsoft Corporation; FireEye; Marsh & McLennan Companies

