Coalition for Open Security brings new voice to info-sharing debate

The Coalition for Open Security, a nascent industry-led group advocating greater sharing of cyber-threat information, was borne out of a terrifying presentation given by a federal chief information officer last October.

The presentation featured “data upon data upon data of bad actors, the impact they’ve had, and what we can anticipate in the future,” and it “scared everybody to death,” recalled Madeline Weiss, a private consultant and one of the coalition’s organizers.

The presenter was David Bray, the Federal Communications Commission’s CIO, and the forum was the Society for Information Management’s Advanced Practices Council, a group of senior IT executives representing 33 private and public organizations. Bray was not there in an official capacity, but his message sure resonated, according to Weiss. “APC members were totally fired up” after the presentation and walked away inspired to form the coalition, she said.

The group is driven by a belief that business executives and technology vendors are inherently distrustful of information-sharing initiatives led by government, and even by corporate giants. “Technology vendors such as Facebook and Google are beginning initiatives, but organizations remain wary of their motives and incentives,” says a background document prepared by the coalition.

Weiss, who is APC’s program director, lamented a corporate culture whose instinct, she said, is to conceal cyber vulnerabilities. “Today, companies, when they have a breach, they bury it as quickly as they can,” Weiss said. “Instead of sharing, the first thing they want to do is make sure it’s way below the radar.”

Even the Financial Services Information Sharing and Analysis Center, the financial sector’s information-sharing hub that is often touted as a success, is hamstrung by liability concerns, according to Weiss.

The new coalition has three initial objectives: create a forum for organizations to identify the best tools for information-sharing and cyber resiliency; create an anonymous database of cyberattack and breach information; and support federal legislation that offers liability protections for firms that share threat information. These goals are supported by all APC members, which include private-sector heavyweights such as Pfizer and BP, along with NASA’s Goddard Space Flight Center and DHS’s Federal Emergency Management Agency on the federal side.

The coalition will first focus on supporting information-sharing legislation that, in one form or another, has died in Congress in recent years. Backers of such a bill hope this is the year it will finally become law. The steady stream of high-profile breaches of large firms and federal agencies might help that cause, but privacy and civil liberties groups that say the bill amounts to expanded government surveillance are still putting up a fight.

On June 9, North Carolina Republican Richard Burr, chairman of the Senate Intelligence Committee, said he would try to attach the Cybersecurity Information Sharing Act as an amendment to the annual defense authorization bill. But Senate Democrats on June 11 blocked the cybersecurity measure, raising the possibility that it could be considered separately from the defense bill.

The coalition intends to infuse the debate over information-sharing legislation with a sense of urgency. Weiss said the group is preparing an email campaign that will urge lawmakers to pass an information-sharing bill, though she said the note will not refer to CISA in particular.

The coalition’s other objectives – creating a threat database and promoting tools for information sharing and resilience– will come easier once a bill is passed, Weiss said. But if recent history is anything to go by, getting an information-sharing bill done is far from a given.