- To effectively act on threat information provided by the government, private-sector companies will have to work across their respective enterprises. As a result, the government must not only increase the number and level of security clearances within the private sector but also strive to share information that is classified at the lowest possible level to ensure that companies are able to share threat information with corporate stakeholders responsible for taking appropriate action.
- Processes for real-time collaboration on the technical level between government and industry should also be established to address "serious risks."
"The companies are highly motivated to address this," says Liz Gasster, vice president at the Washington, D.C.-based Business Roundtable, about what she says is an unprecedented step by the CEOs of the Business Roundtable to publicly put forth a proposal to address cyberthreats.
The report and the proposal originated with the Business Roundtable's information and technology committee headed up by MasterCard CEO and President Ajay Banga, and the report out today was approved by all 210 CEOs at a meeting in December.
Basically, the Business Roundtable executives are saying they want to be able to more freely exchange real-time information on security threats across company boundaries and with the U.S. government, especially the Department of Homeland Security, if assurances about confidentiality can be made and legal qualms resolved.
That could mean some proposed changes need to be supported legislatively by Congress and the Administration. At the same time, the Business Roundtable executives are objecting to the prospect of any legislation that would establish a risk-compliance regulatory structure of federal mandates, such as the one envisioned in the Cybersecurity Act of 2012, which failed to pass Congress last year.
The Business Roundtable explicitly views today's information-sharing proposal as a "second approach" that it favors, and its executives say they see more of their ideas represented in House of Representatives bill H.R. 3523, the Cyber Intelligence Sharing and Protection Act, which amends the National Security Act of 1947 to enable national intelligence agencies to share strategic threat assessments and other information.
Gasster says the only known current effort is a pilot project with the Defense Department and some defense-oriented companies to share critical threat information. For decades there has also been a forum where telcos have shared security-related information with government.