Global Payments' Patriotic Duty to Share
Creating a Mechanism to Share Threat Information
The best defenders against cyberattacks should include those that have been successfully breached. After all, we all should learn from our mistakes.
As Global Payments learns what went wrong last month when hackers pilfered information from some 1.5 million accounts on its computers [see Is Global Payments the Only Breach?], the payment processor should share those findings with others, including competitors.
The story Global Payments shares obviously shouldn't be a tell-all; it has the right to protect proprietary information and other privileged tidbits. And, of course, it shouldn't provide a map to would-be hackers and fraudsters on how to circumvent new security measures to prevent another breach.
But there is much Global Payments should reveal that would help other institutions to protect themselves from digital thieves.
I'm not sure if the government would classify Global Payments' payment processing service as critical IT infrastructure, but it is a key cog in how the mechanics of our economy function. And alerting others how to prevent what happened to them is Global Payments' patriotic duty.
Legislation before Congress such as the Cybersecurity Act of 2012 would make Global Payments' responsibility to share what they learn easier through mechanisms known as cybersecurity exchanges, where companies would share information about cyberthreats and vulnerabilities.
The legislation is designed to allow companies to keep trade and other secrets from competitors, but provides a forum to furnish threat information that they would not normally share. It's also incumbent that any law Congress enacts assures the privacy protection of information on individuals contained in corporate databases.
The threat climate is changing rapidly, and improved information sharing is vital to combat cybercrime and espionage. The government and private sector collect valuable threat information, so the establishment of a responsible framework to share information is critical.
In establishing any information sharing system, those involved must ensure appropriate steps and oversight to safeguard privacy and preserve civil liberties.
Whether the Cybersecurity Act of 2012 or some other bill becomes law this year is far from certain. Congress is bogged down in a partisan battle on whether or not government should regulate the mostly private owners of the critical IT infrastructure, including how much information on cyberthreats should be shared between government and business.
This political bickering harms the country. As the threat to vital IT systems grows, Congress must enact legislation to provide information sharing between government and business, and between business and business. That, too, is the patriotic thing to do.