The Cybersecurity Information Sharing Act of 2015 (CISA) was intended to incentivize private entities to share threat intelligence information with the federal government (specifically the Department of Homeland Security), allowing all parties to react more quickly and efficiently to cyber threats. The vision was that thousands of companies would sign on, creating a powerful network that could form a joint defense in real time against emerging cyber threats. The dream is not going well. At last count, there were six non-federal entities signed up with DHS. The reasons for this failure are both technical (DHS has allegedly done a terrible job of contextualizing threat data to make it actionable) and non-technical (privacy is increasingly a business consideration, and working with the government creates bad optics).
One would like to believe this is just the market in a free society playing itself out. CISA was aspirational, but few companies appear to want to share their data with the government, even if they receive benefits in return. They don’t want to pay the hard costs to set up the systems or achieve compliance, nor do they want to risk paying soft costs associated with partners/customers discovering that they are voluntarily sharing data with the government. Ultimately, the government tried to get this going, but they failed, so end of story, right?
Wrong! Lawmakers are trumpeting CISA’s failure as evidence that a voluntary threat sharing program is never going to work,and that the government should instead mandate that private companies share their threat intelligence data. It is impossible to predict how such a legislative mandate would play out. How would it be enforced? Will the government be checking on Google and Microsoft and others to ensure compliance? Who knows! For once, it may be in the best interest of the public to root for lobbyists working on behalf of Big Tech, because if they can’t talk lawmakers down from this cliff, then the jump into mandating public-private partnerships is going to be messy for everyone.