In addition to enabling information sharing, the government also needs to take the lead in developing new collaborative threat-based risk management and mitigation strategies, the Business Roundtable said in its report.
The association's report called on the government to take the lead in identifying the most severe risks and consequences of a cyberattack in specific sectors. Based on the threat information provided by the government, companies will then work to identify high-risk assets and collaborate with the government on ways to address those risks. As part of that effort, roundtable-affiliated companies will make any technology and process changes that may be needed to bolster cybersecurity, the report noted.
"The private sector should collaborate by sector, and potentially across sectors to deploy mitigation strategies based on the outcome of threat-informed risk assessments," the association said in its report. Both the private sector and the government should invest in advanced and collaborative risk management and mitigation capabilities to keep pace with evolving threats.
As part of its proposals, the roundtable called on Congress and the administration to create a consortium of senior leaders such as the National Security Telecommunications Advisory Committee to oversee and report on the collaborative risk mitigation efforts between the private sector and government.
"We are very supportive of the CISPA bill," said Liz Gasster, vice president of Business Roundtable, and one of those who spearheaded the report. But for true information sharing to happen within the private sector and with the government, Congress has to remove current legal barriers, she said.
Companies need to be sure that they will not face liability and anti-trust issues when sharing threat information with each other and the government, Gasster said. "We think it is very important for companies to be encouraged to share threat information that may be useful, for instance, with competitors," she said. But currently, any time that happens it raises potential anti-trust issues, Gasster said. "Companies need to be sure they are not running afoul of antitrust rules or exposed to potential liability risks in sharing information."
Gasster downplayed the concerns raised by opponents of the CISPA bill, noting that most of the issues that were raised by rights advocates had been addressed in the version that was finally passed by the House. Any privacy issues that come up in future can be addressed through legislation, she noted.