U.S.: Companies should share security data
WASHINGTON — The Justice Department is issuing new legal guidance encouraging companies to share cyber-security information with each other and the government, while protecting the privacy of their customers.
U.S. authorities are concerned about the sharp rise of computer-based crime, which siphons billions of dollars from companies and individuals, and could pose major national security and economic harm.
Credit card and other private data belonging to hundreds of millions of consumers was compromised in a series of major retailer breaches in 2013, according to Verizon, which compiles an authoritative survey of cyber-security threats around the world.
At the same time, the U.S. government’s effort to try to improve cyber-security is hampered by fears of the kind of widespread government surveillance revealed in leaks by former National Security Agency contractor Edward Snowden.
James Cole, deputy attorney general, said Friday that the new guidance was issued because company executives have told him “they would like to work more with the government but want to do so without compromising consumer privacy.”
“We at the Justice Department share that concern and developed this guidance to help clarify that companies can and should share aggregated information with the government, so we can work in partnership to protect consumers from malicious cyber threats,” he added.
The legal guidance — in the form of a so-called white paper — tells companies that they won’t violate federal communications law if they share aggregate data, which doesn’t divulge specific information on customers, when a cyber breach occurs.
“Many of the characteristics of cyber threats can be shared, if they do not pertain to any specific customers or subscribers,” the white paper says. “Similarly, characteristics of a computer virus or malicious cyber tool that do not divulge subscriber or customer-specific information (e.g., the associated file size, protocol, or port) could be shared.”
In one example, the paper says a communications provider could tell a governmental entity about unusual surges or drops in certain types of Internet traffic “which could be harbingers of a serious cyber incident.”