Public Disclosure Poses Risks
By Thomas J. Donohue
There are bad ideas that everyone knows are bad, and then there are terrible ideas that may sound good. Widespread sharing of cybersecurity information falls into this second category, because of the law of unintended consequences. What could be wrong with publicizing cyberthreats and vulnerabilities? Plenty.
Setting off public alarms about cyberthreats — including those that cause no damage — will open the door for every opportunistic lawyer who wants to make a buck off a company trying to do the right thing. Hundreds, or thousands, of class-action lawsuits could strangle the Internet, without providing additional online safety or security. And negative publicity, particularly from exaggerated or non-existent threats, could drive customers away from good corporate citizens, affecting a company's ability to survive, much less thrive.
Mandating the public disclosure of information about cyberattacks, threats, and vulnerabilities may cause companies to be much more reluctant to share all information about these incidents because of the fear of lawsuits and adverse publicity. Businesses are currently voluntarily sharing information about cybersecurity and threats with the FBI, state and local governments and the Department of Homeland Security. More than 85% of all critical infrastructure is owned by the private sector, making continued public-private cooperation vital for our first line of defense.
A few years ago, the Environmental Protection Agency (EPA) wanted to publish the vulnerabilities of chemical plants on the Internet. However, it didn't occur to the EPA that this information could just as easily fall into the wrong hands, giving potential terrorists a blueprint on how to attack our critical infrastructure. Full public disclosure advertises vulnerabilities to potential cyberattackers, helping them learn what works and what doesn't.
What should be done? Let's promote information-sharing between those who have the information and those who can do something about it. Let's educate the general public about cybersafety tools and techniques, as the U.S. Chamber of Commerce and others have done with www.staysafeonline.info, and let's make it easy for the public and private sectors to cooperate with each other to reduce cyberthreats.
Thomas J. Donohue is President and CEO of the U.S. Chamber of Commerce.



