Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis (CRS Report for Congress)
Release Date: Revised June 3, 2015
Report Number: R43821
Report Type: Report
Authors: N. Eric Weiss, Specialist in Financial Economics
Source Agency: Congressional Research Service
Older Revisions: Revised Feb. 23, 2015 (20 pages); Dec. 11, 2014 (21 pages)
Summary:
Data breaches, such as those at Target, Home Depot, Neiman Marcus, JPMorgan Chase, and Anthem, have affected financial records of tens of millions of households and seem to occur regularly. Companies typically respond by trying to increase their cybersecurity, hiring consultants, and purchasing new hardware and software. Policy analysts have suggested that sharing information about these breaches could be an effective and inexpensive part of improving cybersecurity. Firms share information directly on an ad hoc basis and through private-sector, nonprofit organizations, such as Information Sharing and Analysis Centers (ISACs) that can analyze and disseminate information.
Firms sometimes do not share information because of perceived legal risks, such as violating privacy or antitrust laws, and economic incentives, such as giving information that will benefit their competitors. A firm that has been attacked might prefer to keep such information private out of a worry that its sales or stock price will fall. Further, there are no existing mechanisms to reward firms for sharing information. Their competitors can take advantage of the information, but not contribute in turn. This lack of reciprocity, called "free riding" by economists, may discourage firms from sharing. Information that is shared may not be applicable to those receiving it, or it might be difficult to apply.
Because firms are reluctant to share information, other firms suffer from vulnerabilities that could be corrected. Further, by not sharing information about effective cybersecurity products and techniques, the size and quality of the market for cybersecurity products suffer.
Some industry leaders call for mandatory sharing of information concerning attacks. Other experts advocate a strictly voluntary approach, because they believe it could impose fewer regulatory costs on businesses and cost less for taxpayers.
A number of bills designed to encourage cybersecurity information sharing have been introduced in the 114th Congress, including H.R. 1560, Protecting Cyber Networks Act; H.R. 1731, National Cybersecurity Protection Advancement Act of 2015; and S. 754, Cybersecurity Information Sharing Act of 2015 (CISA). In April 2015, the House passed both H.R. 1560 and H.R. 1731, and it combined them into H.R. 1560 with the original H.R. 1560 as Title I and H.R. 1731 as Title II. On March 17, 2015, the Senate Select Committee on Intelligence reported out S. 754.