Legislators and policy-makers do more to encourage companies to routinely share cyber threat information, and best-practice learning, with government agencies

Cybersecurity policy is a hot topic, regularly hitting headlines worldwide. The first two months of 2015 has been no exception in the US, as President Obama kick-started the year by warning of the need for action to address “the urgent and growing danger” of cyber threats, followed by news in early February that the second largest, US health insurer had suffered its largest medical data breach to date.

To address such challenges, legislators and policymakers have been busy as illustrated by the enactment of five new US cybersecurity-related Acts. The first three laws primarily affect the Department of Homeland Security, federal cybersecurity policies and personnel. These are the Federal Information Security Modernization Act of 2014, the Homeland Security Workforce Assessment Act and DHS Cybersecurity Workforce Recruitment and Retention Act of 2014 (found as a rider in the Border Patrol Agent Pay Reform Act), and the Cybersecurity Workforce Assessment Act of 2014.

The Cybersecurity Enhancement Act of 2014, by comparison, gives the US Department of Commerce’s National Institute of Standards and Technology (NIST) more powers to support the development of voluntary industry standards and best practices to reduce cyber-risks to critical infrastructure. Finally, the National Cybersecurity Protection Act of 2014 codifies the introduction of a National Cybersecurity and Communications Integration Center – designed to be “a situational-awareness, incident response, and management centre” – to act as a cybersecurity information-sharing hub between private and public sector actors (such as law enforcement, intelligence personnel, state and local governments, together with critical information systems owners and operators).

Also announced recently in the US is the creation of a new agency to counter cyber threats. In a speech by the Assistant to the President for Homeland Security and Counterterrorism, it was confirmed that the White House has approved the establishment of the Cyber Threat Intelligence Integration Center (CTIIC) to operate under the Director of National Intelligence. While CTIIC will not collect intelligence directly, it will be responsible for “connecting the dots” by analysing and integrating information already collected by other authorities and drawing on the expertise of the federal cyber centres across the US to better integrate governmental expertise and information to improve threat responses. In particular, CTIIC’s mandate will include the production of coordinated cyber threat assessments; supporting operators and policy makers with timely intelligence about the latest cyber threats and threat actors; and, ensuring that information is shared rapidly between centres, local enforcement and critical network operators.

Back in the UK, the Department for Business, Innovation and Skills (BIS) has published an updated version of its document, Cyber security guidance for business. GCHQ, BIS and the Centre for the Protection of National Infrastructure (the CPNI) published the original guidance jointly in 2012, as a non-exhaustive guide to potential cyber threats and mitigations. The updated guidance sets out the latest advice from security and intelligence government experts on how to prevent common cyber-attacks and best-manage their associated cyber risks. To this end, the guidance includes a document describing the types of cyber-attack stages and processes typically executed; a number of ’10 steps’ to cyber security documents; as well as a summary of the ten critical areas of board-level responsibility to address cyber risk within companies.

BIS recently also published a Tracker Report 2014 containing the results of a 2014 cyber-security survey carried out by the UK government charting governance behaviours across the FTSE 350 firms. This report states that the findings should enable companies to better understand and manage risks that have the potential to cause major damage to their business. BIS aims to carry out further benchmarking as cybersecurity threat and mitigatory best-practices develop within the UK.

Alison Knight