
Running head: PUBLIC-PRIVATE INFORMATION SHARING 1

Cybersecurity Challenge: Public-Private Sectors - Information Sharing

Deloris Bryant

CRJ-475Z – Senior Project

Dr. Shanna Van Slyke

May 12, 2015


Abstract

Even though there is fear among the private sector regarding information sharing when it comes to cybersecurity, there should be information sharing between the public and private sectors, because collaboration is the key to uniting in the fight against cybercrime. Cybersecurity is a shared responsibility, and collaboration is the key to uniting in the fight against cybercrime, to promoting awareness, to educating each other, and to sharing information that is not only timely and significant but also actionable. The greater the trust that is developed, the more comfortable and effective communication and information sharing will become, and information will begin to flow. This research paper will bring to the forefront the need for and importance of information sharing, analyze the concerns raised by many companies, and examine how sharing information can be done effectively.

Keywords: cybersecurity, cyberattacks, information sharing, public-private sectors


Cybersecurity is a critical issue that faces the entire spectrum of society. Incidents of cyberattacks and threats are real, and the need for more collaboration is unyielding. The complexity, sophistication and ever-evolving nature of the threat environment put cybersecurity out of reach of any single entity. Cybersecurity is not something that can be ignored by the government, individuals or corporations. The expanding problem of cyberattacks has brought up the need for companies to work with the various government agencies that are involved in cybersecurity investigations, mitigation efforts or regulating cybersecurity standards. Government involvement means that companies will be working with agencies that may have a totally different agenda when it comes to cyberattacks. It is important that both the public and the private sector navigate the cyber process together.

Navigating together means that there is a need to share information on cyber threats, but many remain untrusting for fear of regulatory laws and liability concerns. Even though there is fear among the private sector regarding information sharing when it comes to cybersecurity, there should be information sharing between the public and private sector, because collaboration is the key to uniting in the fight against cybercrime, to promoting awareness, to educating each other, and to sharing information that is not only timely and significant but also actionable. The greater the trust that is developed, the more comfortable and effective communication and information sharing between the public-private sectors will become, and information will begin to flow. This research paper will bring to the forefront the need for and importance of information sharing, analyze the concerns raised by many companies, and examine how sharing information can be done effectively.


Importance of Information Sharing

General Keith Alexander, chief of the US Cyber Command, spoke before Congress to advise them that seventy-five percent of the country’s computers have been exploited by criminals (Hearing before the Committee on Armed Services, House of Representatives, 12th Congress, March 16, 2011). Are we doing enough to protect ourselves against cybercrime? Turn on the news or surf the web and, more often than not, you will hear or read of another incident of cyber theft. The Center for Strategic and International Studies estimates a loss of $100 billion in intellectual property alone in the U.S. This estimate is about 0.6% of the U.S. economy, and this number does not even include other types of cybercrime (Nakashima & Peterson, 2014).

So what exactly are cyber incidents? The National Institute of Standards and Technology (NIST) Special Publication 800-61 (rev. 2) defines a security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices” (Cichonski, Millar, Grance, & Scarfone, 2012). A related term is also defined by NIST as “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies” (Kissel, 2013).

Now that we have a clear understanding of what cyber incidents are, the purpose of sharing information about them is to pull together the strengths of the public-private sectors in order to respond to cyber threats, attacks, and vulnerabilities. A joint effort is needed if we are to prevent and mitigate cyber incidents in this ever-changing cyber world. A defensive and innovative approach will be required if we are to overcome the next wave of attacks.


A survey conducted by the Ponemon Institute and sponsored by Hewlett-Packard involved 257 separate companies that agreed to participate and allowed the Ponemon Institute to analyze all costs incurred by their organizations as a result of a cyber-incident. The survey found that the sophistication and number of breaches had increased 176 percent in the last 4 years. It also found that the average time to detect an attack was 170 days and that, although “some attacks take longer to resolve,” the average time to resolve an attack once it was detected was 45 days (Ponemon Institute LLC, 2014).

Figure 1: Time to resolve an attack (Ponemon Institute LLC, 2014)

The financial losses incurred during this time could run into the millions, to say nothing of the possibility of proprietary information or other private data being stolen.

Another survey conducted by the Ponemon Institute, this time sponsored by IBM, involved 61 separate companies that had experienced some kind of data breach. In 2014, unfortunately, many companies, especially in the retail sector, became front-page news when a data breach occurred at their company. This survey looked into the consequences of data breaches. It found that the average cost incurred by companies hit by data breaches was $5.9 million, up from $5.4 million the previous year. Lost business costs went from $3.03 million to $3.2 million. These costs include, but are not limited to, reputation loss, loss of customers, and activities involved in trying to acquire new customers. The survey also found that the cyberattacks with the highest data breach costs were criminal or malicious attacks. At an average of $246 for every record compromised in these two types of attack, such a breach is very costly for any company to endure. This is followed by incidents caused by employee mistakes or system glitches, which have a much lower cost of $160 and $171 per record, respectively (Ponemon Institute LLC, 2014).

Although the studies above put dollar figures to incidents, it is really difficult to put a solid figure on the cost of data breaches or any other type of cybercrime. To say the least, improvements in information sharing between the public-private sectors regarding cyber threats would be cost-effective. Even though both sectors try to protect themselves against losses, private entities are looking at profit and the bottom line, whereas the public sector is more concerned with not divulging intelligence related to national security. The public sector also focuses on who is responsible for the attacks, whereas the private sector does not really care who is responsible; they just want it to stop. Both sectors have different agendas, yet they face the same issue.

Early detection, termination or prevention of cyberattacks is a major benefit of information sharing. Sharing information brings together parties that can and will complement each other’s abilities, uniting to solve problems that they cannot address individually. Technical data is at the top of the list of information that needs to be shared; additional information that should be included covers, but is not limited to, risk assessment procedures and best practices. All participants require that only authorized parties view secure, private and privileged information. Trust between all parties is needed for this flow of information to stream down the appropriate channels seamlessly. This would be a savings not only in money but also in manpower.

The speed at which information is shared should be a priority for both sectors. The frequency of cyberattacks has increased to the point that some organizations fall so far behind in preventive measures that they fall victim to an attack. Delaying the sharing of information until all the ‘I’s are dotted and ‘T’s crossed makes the information outdated and not actionable in this fast-paced cyber domain. Any delay in getting critical information to the public-private sectors can diminish its effectiveness in fending off a cyberattack. Some organizations worry about sending information too early. This can be remedied by investigating all reliable information as soon as possible and then sending the information with a disclaimer attached indicating that it is preliminary and that further investigation will be needed. Some recipients may already be aware of the situation and may already have insight into a solution that worked for them. This is what information sharing is all about: forwarding and sharing timely information that is technical in nature to aid in the fight against cyberattacks.

Developing Trust between the Public-Private Sectors

Former NSA Director Keith Alexander stated at a cybersecurity panel hosted by PwC, “We need real-time or near real-time situational awareness, and we have got to have cyber legislation that allows us to go between industry and government to do that” (Norton, 2014). The value of information is important so as not to waste time, money and manpower on irrelevant information. The benefits of timely information sharing can be measured by the quality, cost savings, and relevance of the information that is shared. Trust is not a farfetched idea to expect between the public-private sectors. There will never be 100 percent trust between these two sectors, but when needed to prevent a crisis situation, temporary trust is required in order to collaborate and pass along much-needed information. It can be said that “the partner you don’t trust today may be your best friend tomorrow” (Fernandez Vazquez, Pastor Acosta, Brown, Reid, & Spirito, 2012). One needs to remember that trust is a two-way street. If low-quality or generic information is passed along by the public sector, then the private sector will reciprocate by providing low-quality or generic information. Remembering that an overwhelming share of the infrastructure, hardware and software in use was developed and is managed by the private sector, there are many instances where the public sector seeks out the private sector for help to respond to and prevent a cyber-incident.

The private sector, where a majority of the innovators are, expects a quick turnaround when communicating with the public sector, and this is rarely the case when it comes to information sharing. The private sector is in the business of doing business and as such expects the value of shared information to be top notch. Trust between these two sectors diminishes because the private sector truly believes that the public sector filters its communication. If we are truly going to be partners in crime to fight the fight in the cyber domain, then the challenge is to commit to one another that information sharing will be done in a significant way (Givens & Busch, 2013). Neither sector can operate under the assumption that painting a pretty picture of commitment to working together means that this is really the case. To really get a handle on cybersecurity, adding fluff to an already volatile situation does no one any good if that fluff is only filled with generic information. This is not the ideal way to develop trust between partners.

Risk Management

Trust and collaboration are vital to information sharing and protection when it comes to identifying vulnerabilities and threats. There are always risks that will arise out of public-private sector collaboration, and risk management is vital for this type of partnership. However, this collaboration can intensify the distrust that exists between the public-private sectors. Retaining control over activities and decision making can make for a difficult partnership, but the trade-off is that you will have a comprehensive group that brings with it the expertise needed to manage risks. As they say, “two heads are better than one.” In this case, a positive of this relationship is that a greater number of partners translates to diversified information that can prevent and manage the risks of cyber threats (Navare & Gemikonakli, 2010). Symantec did a study that showed that the “most significant risk at 42%” (Navare et al.) is cyberattacks. In addition, Symantec created a report based on data collected over the last couple of years to show the increasing number of attacks and how intensive and damaging these cyberattacks can be to an organization. They show that there was a 23 percent increase in breaches between 2013 and 2014. The sector where the most identities were exposed was the retail sector, at 59 percent (Symantec, 2015).


Figure 2: Symantec Data Breach Report for 2013-2014 (Symantec, 2015)

This holds true with the recent breaches at retail giants like Target, The Home Depot and Neiman Marcus. These numbers may seem staggering, but the key to risk management is real-time, actionable and timely information. There are various ways to manage risk, and depending on the type of organization, threats will be calculated and assessed internally; this is where the collaboration of the public-private sectors comes into play. For collaboration to be effective, there needs to be a solid, mutually agreed understanding of the risk information that needs to be passed along to the decision makers. It is up to these decision makers to make sure that threat information is passed on with the appropriate mitigation plans or, at the very least, a “heads up” message so that others can collaborate to come up with a mitigation plan. Early, timely mitigation of threats is significant to risk management, and the cooperation of the public-private sectors is needed to accomplish this endeavor.


While progress may be slow and steady, the main objective here is to improve risk management so that key concepts are understood by everyone. Cybersecurity specialists and experts in the public-private sectors need to coordinate, connect and join forces to define risk strategies at all levels. The main purpose of risk management is not only to help decision makers make better decisions in the cyber domain but also to prepare for and expect the worst. There is no reason to reinvent the wheel here. The public-private sectors all have some kind of risk management process currently in place. The task is to incorporate organization-wide cyber risks into the already existing risk management plan. There is no way to predict when the next cyberattack will happen, but with the proper plan in place, attacks will be mitigated and resolved more quickly.

Regular communication is a vital part of information sharing. Improving awareness of current situations affecting the organization, not only within your organization but also among your counterparts in other organizations, affects the effectiveness of the response to an attack or potential attack. Setting standards for detection and for protecting systems will enable early, timely mitigation efforts. These standards should be tested regularly, and improvements should be made as needed. Finally, risk strategies fall at all levels, but oversight falls on the executives and board of directors of an organization. They control budgets and oversee the entire risk management plan. They are also the ones called on the carpet if a breach happens to their organization. It would be appropriate for them to make sure everyone is held accountable for their actions as they relate to the cyber risks within the organization.

There is not a single organization out there that is 100 percent protected from a cyberattack. As mentioned previously, communication is vital to mitigation efforts, but the public-private sectors are still hesitant to share information. One way to further the cooperation of the public-private sectors is to provide incentives with the intent of removing obstacles that could prevent information sharing between parties.

Incentives Can Go a Long Way

Mr. John M. McConnell, director of national intelligence under Presidents George W. Bush and Barack Obama and NSA director under Presidents George H.W. Bush and Bill Clinton, believes that information sharing is “the backbone of security” (Rosenbush, 2014). Mr. McConnell thinks that an effective and quick response to breaches could happen if behaviors within the public and private sectors changed so that there were incentives for information sharing. One incentive would be legal protection should an entity share information regarding any breaches, threats or vulnerabilities. In addition, if we are to expand the idea of information sharing, then liability protection needs to be put in place to make sure that there are no repercussions from any regulatory bodies with which information is shared. Without this guarantee, the private sector will limit the amount of information it shares, which could be detrimental to others who may need that information. Everyone knows that the public sector is pretty slow to respond and share information. The need here is for the public sector to share intelligence and security information in a timely manner, which it currently does not. Any hoops that one needs to jump through need to be eliminated so that information can flow to the private sector. Without this timely flow of information, the private sector will never feel that the government is truly a partner in crime in fighting the cyber threats that are present (Bucci, 2014). We need to work together proactively in dealing with cyber risks.

The ability to limit the damage of cyberattacks diminishes without timely information. The biggest concern when it comes to limiting the damage of cyberattacks is, of course, the availability of timely information. Generally, system administrators have control over and the ability to detect activities within their systems. Given the apparent need for a timely response to cyberattacks, who has the ultimate control to employ defensive measures and to transfer information related to an incident? Today no one administrator has control over any one system, which can limit the visibility of potential cyberattacks. In addition, technological restrictions on identifying and assessing an attack, along with policy concerns, further restrict timely information.

There is a need to minimize damage with a proactive method of sharing timely information that will allow the public-private sectors to better predict and anticipate events, which in turn will enable them to respond in a precise and timely manner. The public sector does not see what the private sector sees; it does not see the footprints left behind in an attack. Cooperation from the private sector is needed so that the public sector can see what they see and get a better understanding of the attack, so that future attacks can be prevented. Effective communication and understanding are needed in crucial areas, including (Denning & Denning, 2010, pp. 29-31):

The relationship between an attack and recovery time

Determining who initiated the attack so as to facilitate a timely and precise response

Being able to evaluate the direct and indirect effects and damages of an attack

Determining the requirements needed to receive warnings and indications of a potential cyber attack

A firm understanding of exactly how attacks work so that the response can be effective

The speed of the notification process, and of notifying the relevant personnel to handle and start the mitigation process, is essential. The quicker the notification process, the faster an assessment of a cyber-incident can happen and that information be passed along, leading to an improved success rate in mitigating the damage due to the attack. The benefits of information sharing can be difficult to distinguish, while the costs and risks of sharing information are direct and calculable (Prieto, 2006). Due to the vast landscape and complexity of cyberattacks, the speed of an incident and the massive breach of data that may be involved, establishing an effective approach can be a huge challenge. There are steps that can be taken to ensure that information sharing is actionable and timely. The first major step is to recognize that there are many public-private partnerships currently in existence and that there is a need to leverage and build these partnerships into the cyber domain. A couple of additional steps in the right direction would include identifying weaknesses on both sides and working to strengthen them, and addressing concerns regarding liability and privacy protection for the private sector.

Private Sector Concerns

“Cybersecurity is a shared responsibility” (US-CERT, n.d.). The United States Computer Emergency Readiness Team (US-CERT) is an organization within the Department of Homeland Security whose main goal is to improve communication regarding cybersecurity. It provides alerts about current exploits, vulnerabilities, breaches or any other security issues in a timely fashion. Partnership with the private sector is one goal it strives toward to better secure the cyber domain. Although US-CERT believes that responsibility should be shared, there is fear among the private sector regarding information sharing when it comes to cybersecurity. The private sector remains suspicious of government efforts to increase cybersecurity collaboration, and these concerns have been thrust to the forefront by the recent increase in identity theft and data breaches. The private sector is worried that any information shared will be used by other regulatory agencies against them. In addition, organizations tend to be reluctant to release information on cyber threats or attacks because this poses not only competitive concerns but also concerns regarding antitrust and privacy laws (SIFMA, 2014). Many in the private sector will only work with the government when they are in crisis mode instead of working with the government in an ongoing, proactive manner. This is an area that needs attention, and the barrier that is stopping the flow of information needs to be brought down. It is understandable that the level of sensitivity does play a role in what information is shared and how quickly it is shared.

Giving up Control

The exchange of information between the public-private sectors is vital. By the time an investigation is under way (C-Span, 2014), it is too late. Instead, a step needs to be taken before the exchange of information, and that is collaboration. Although this would be the ideal solution, companies are still hesitant to share information or collaborate with other entities, which can lead to other companies becoming vulnerable to the same type of attacks (Information Technology Industry Council). The fear here is that companies do not want to give up control of their processes and risk allowing other entities to explore privileged information, which can become discoverable through a Freedom of Information Act (FOIA) request (United States Department of Justice, n.d.). Many companies feel they are better equipped to handle a breach than the government, so why reach out and set off alarms when it is unnecessary? Handling it in-house without government interference allows them to keep control of the situation and have no worries about the government intruding into their systems. Every company has its own strategy in place to handle breaches or any security issues, and the fear is that the government will come in and change the strategy that is in place, or mandate that they change their strategy because the government feels that it is inadequate.


Timing

Another issue with government involvement is timing. Everyone knows that when dealing with the government it is always a “hurry up and wait” scenario. Most of the problems lie with all the constraints and bureaucratic hoops some agencies have to jump through to get something done. If a company has to wait for the government’s involvement, the time to quickly implement a solution could be lost. Companies are independent and, given the government’s reputation for information leaks, they are understandably concerned about private or privileged information leaking, and they don’t need the “negative perception that this company has partnered ‘too closely’ with the government” (Germano, 2014). There is also the issue of not knowing what agency, department or individual is the appropriate one to contact in a breach situation. There needs to be some kind of clarity so that the private sector knows whom to contact, what type of information to share and the appropriate time to share it. The public sector needs to do the same, but there is always some kind of constraint. National security obligations, which may involve clearance issues that restrict the government from releasing some information to the private sector, seem to be the major constraint. This is where balancing national security and other related restrictions may prevent proper public-private sector information sharing from happening more smoothly.

Negative Exposure and Liability

Many companies have a fear of negative exposure due to a security breach. If the public sector gets involved, then the fear is that they may be included in a press release that the government feels is necessary to inform the general public. This will have a negative impact on the company before the company has a chance to thoroughly investigate the problem. What type of information is disclosed, when it is disclosed and whether the company is put in a bad light due to the breach is their concern. If concerns about public disclosures, data breaches and vulnerabilities in their systems are not enough, corporate executives are also facing legal liability for inadequate protection of their business.

That is exactly what happened with Target when the government questioned the company’s best practices. The Target data breach during the holiday season in 2013 is a good example of why the private sector has a fear of information sharing. Target was the victim of a sophisticated cyberattack that “resulted in the theft of 40 million credit card numbers, 70 million addresses, phone numbers, and other personal information” (Carton, 2014), and yet the government’s first reaction was to question the company’s best practices as they related to data privacy (Committee On Energy and Commerce, 2014). Target responded by stating that its security measures were “among the best-in-class” (Carton, 2014) and that it was “certified as meeting the standard for the payment card industry in September 2013” (John, 2014). Target paid the ultimate price for this breach, which resulted in a profit loss of 46 percent, and reportedly spent $61 million to try to rectify the situation (Riley, Elgin, Lawrence, & Matlack, 2014). Yes, the company made mistakes, but this “blame the victim mindset” (C-Span, 2014) needs to end so that the government and private sector can work together to prevent incidents like this from happening in the future.

Trust and Risk

Trust plays a very large and important role in information sharing between the public-private sectors, since it is trust that allows information to be shared quickly while the risk of any unauthorized parties reaching that information is reduced. The reluctance of some in the private sector to provide information to the public sector stems from their need to obtain assurance that any and all proprietary information, whether that is computer systems or their in-house strategy for dealing with incidents, will not be divulged. Liability concerns are obviously not only about customers’ private information or the breach itself but also about how well the company responded and how quickly the issue was resolved. Concerns about a breach leaking have to do with claims of inadequacy on the company’s part. Disclosure of such information may trigger complaints of negligence, of inadequate security protection or that the company misrepresented the severity of the situation. Despite the rising incidence of identity theft and data security breaches, many organizations deem the cost of adding security measures to be higher than the losses from cyber theft. As a result, organizations have absorbed the losses incurred by data security breaches rather than reveal a weakness in their cybersecurity procedures, all to save face and protect the reputation of the organization and the value that shareholders continue to expect.

Other liability concerns that a company has involve the content and timing of the disclosure and notification of a breach. The Target breach was one instance where many of the complaints were about why the company did not notify the public sooner. A company’s reluctance to release any information could be due to regulatory issues. There are many government agencies that could go after a company for security or regulatory violations. These agencies all have their own agendas and different ideas on how to approach a security breach that is disclosed by a company. Some may encourage disclosure, while others bring down the hand of the law, blaming companies for lack of security and holding them liable for breaches, which in turn could lead to civil and criminal charges against anyone involved at the company.

Regulatory Issues

The concerns raised by some breaches go well beyond when the breach happened and how bad it was, to which agencies will get involved. The fear is not only about the company’s own customers, clients and shareholders but also about agencies like the SEC, FTC, FCC, CFPB and others like them. All have different agendas, regulations and standards on how they approach a cyber-breach situation. The major fear for the private sector is regulatory law. What if they are not following federal regulatory requirements? This is a risk that some companies are not willing to take in order to share information about a threat they may have found. The agencies feared the most are the FTC and the SEC.

The Federal Trade Commission (FTC) is a government agency that was initially “established to play a critical role in combating anticompetitive conduct and mergers” (Brill, 2014). Entering the new age of technology, another area of consumer protection the FTC has begun enforcing is data security. It has litigated and settled with many companies for their failure to protect consumer data. The latest suit, against Wyndham Worldwide Corporation (Federal Trade Commission), a global hospitality company, and three of its subsidiaries, charges them with failures in their data security procedures which led to three data breaches in a matter of two years. The FTC claims that the company misrepresented the security measures it had in place to protect consumer information. After the first breach occurred, Wyndham failed to put additional security measures in place, not only to detect unauthorized access but also to fix security vulnerabilities. This failure is what led to its data security being breached twice more in less than two years.

The FTC is not the only agency that has issued some kind of guidelines for organizations to follow when it involves data security. After the latest data breaches involving retail giants like Target and Neiman Marcus, the Payment Card Industry Council issued stricter security guidelines meant for any retailers, banks or credit card companies that process credit card transactions. Noncompliance with the security guidelines could result in fines. Many agencies have increased their oversight of the security measures that companies are expected to follow and maintain. In 2011 the Securities and Exchange Commission (SEC) released guidance for publicly traded companies regarding their obligation to release and disclose incidents of cyberattacks (Clarke & Olcott, 2014). The Chairman of the Commerce, Science and Transportation Committee teamed up with four United States Senators to write a letter to the Chairman of the U.S. Securities and Exchange Commission asking for clarification of disclosure requirements and reiterating the importance of information sharing by telling her that:

    Securing cyberspace is one of the most important and urgent challenges of our time. In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk. (Rockefeller, Menendez, Whitehouse, Warner, & Blumenthal, 2011)

Cybersecurity issues are not something just for the IT department to decipher and manage. Boards of directors and executives of companies need to educate themselves regarding data security within their respective organizations because they are now being held accountable for failure to secure data. Accountability goes all the way up the ladder, and prioritizing and overseeing risk management is an added responsibility they must take on. After all, a business is in the business of making money, and the financial and economic impact of a data breach could result in lawsuits, operational and reputational damage, and the loss of competitive advantage.

There are no laws that mandate notifications; notifications are all voluntary. Since it is a voluntary system, it is uncertain what information to release and to whom to release it. Some kind of balance is needed to give the private sector liability protection from the public sector if security breach information is released. Some might say that partnering with the government might hinder the handling of some situations and cause further harm. There are proactive measures that a company can take, but how far can it legally go without the assistance of the government? The challenge here is to have some kind of protection against breaches so that there will be open communication between the public and private sectors in order to solve and prevent cyber issues. There is insurance available to organizations, similar to the identity theft protection insurance for individuals, which will protect them by absorbing some of the costs related to data breaches. But without timely information, the ability to limit the damage of cyberattacks diminishes and more companies may fall victim to the same attack. An important step in uniting against cybercrimes is awareness of various situations as they are happening. No one sector can fight the fight alone. The need for an environment where information sharing and collaboration is done in a timely and relevant manner is essential if we are to mitigate cyber risks.

Unite in the Fight against Cybercrimes

Organizations are always weighing the pros and cons of information sharing. Does the risk of sharing versus not sharing impact the organization in a negative way? Misinterpreted information or late information can be detrimental to any organization, public or private. The turnaround in the mindset of the public and private sectors is the result of the many recent data breaches such as the Target breach, which rocked and ruined many consumers’ 2013 holiday season. Other recent data breaches include Neiman Marcus, White Lodging, Michaels, 11 casinos spanning 4 states (Nevada, Colorado, Iowa and Missouri), and The Home Depot, just to name a few. The responsibility for a failed attempt to secure the information highway falls on both the public and private sectors. Neither can protect against cyber risks alone. Both sectors know that it will be impossible to attain 100 percent security of their systems, so there is a need to change behaviors in a positive way in order to reduce cyber risks.

Senator Tom Carper (D-Del), Ranking Member of the Homeland Security and Governmental Affairs Committee, stated this challenge best:

    Given the threats we face today in cyber space, it’s imperative that Congress, the Administration, and stakeholders work together on legislation to bolster our nation’s cyber defenses, and do so with a sense of urgency. (Committee, 2015)

The public sector is stepping up its efforts in this war against cybercrimes by working to pass bills, working on amendments and passing resolutions. Democrats and Republicans alike are joining forces to sponsor bills and legislation that work towards protecting our great nation against cybercrimes. Anyone interested in seeing the progress the public sector is making towards this fight can look at Congress.gov, which will show the progress that both the House and Senate are making toward cybersecurity. You will not find one law or bill that covers all aspects that concern both the public and private sector. As a result, you will find that the public sector is constantly working to introduce new bills with information not covered previously, or to amend bills to cover the concerns of both parties.

Public Sector Contribution

President Obama is stepping up to the plate and pushing cybersecurity efforts by announcing new proposals and urging Congress to pass any legislative efforts that are presented. It is the President’s goal to protect the nation’s cyber world against cyberattacks that affect both the public and private sectors. He is urging Congress to put partisanship aside and work together to advance proposals to resolve the challenges of information sharing between the public and private sectors. The latest action by the White House shows that the government is clearly aware of the need for information sharing between the public and private sector. They are also aware that mandating specific information sharing would place an undue burden on the private sector. To address these concerns, any proposed legislation or bill provides voluntary standards for information sharing. In January 2015, new legislation was announced by President Obama that addresses privacy concerns along with concerns regarding private sector liability. This specific bill includes wording stating that voluntary information sharing is to include only indicators specifically related to the technical aspects of the threat. Information related to any person’s private information is to be removed before the threat information is shared. In addition, privacy concerns and liability protection are also specifically addressed in this new legislation to protect the private sector when sharing cyber threat information with the public sector. No new bill or legislation is ever going to be perfect and please all sectors all the time, but this legislation does show that the public sector is making a good faith effort to address the privacy and liability concerns that many in the private sector have, which prevent them from sharing information with the public sector.

Although each bill and piece of legislation seems to blur together at times, each does address, revise or modify specific concerns raised by both the public and private sectors. Other recent announcements of advancements in the cybersecurity fight include:

The Protecting Cyber Networks Act (sponsor: Rep. Devin Nunes, R-CA-22), which has passed the House and was received in the Senate, aims to help the private sector share cyber threat information by removing some legal obstacles. Although some might say that a far-reaching interpretation of this bill could be abused by some public agencies, the bill is meant to state stern requirements on how public agencies can use the information they obtain. (Congress, 2015)

The Cybersecurity Information Sharing Act of 2015 (CISA) (U.S. Senate Committee, 2015) was approved by the Senate Select Committee on Intelligence. This bill allows for the sharing of information between the government and the private sector with liability protection, so as to facilitate the sharing of data relating to cybersecurity threats. This bill, like others that are up for consideration, reiterates that information sharing is voluntary, that the private sector needs only to share information as it relates directly to the cybersecurity threat, and that the information is to be used for cybersecurity purposes only. Vice Chairman Dianne Feinstein (D-Calif.) made it very clear that the main objective of this bill is to have the public and private sectors “share information about cybersecurity threats – NOT personal information – in order to better defend against attacks” (Committee, 2015).

The Cyber Intelligence Sharing and Protection Act (CISPA) was introduced to address the “real-time sharing of actionable, situational cyber threat information” (Congress, 2015) between the public and private sectors.

The National Cybersecurity Protection Advancement Act of 2015 has passed the House and is an amendment to the Homeland Security Act of 2002 that improves the sharing of information in addition to clarifying privacy protection as it relates to cybersecurity risk. This measure won with an overwhelming House vote of 355 to 63 in favor of the bill. The next step for this legislation is to pass the Senate and head for the President’s desk for signature. (Congress, 2015)

The key to any policy, strategy or initiative is “real-time” information sharing and “actionable intelligence” (U.S., 2014), which many of the above bills reiterate. Legislation that reinforces the ability of all entities to work together to develop a more effective agenda for reacting to cyber threats is what the President is striving for. Trust starts with communication, and the public sector is making great strides towards building a professional relationship with the private sector by listening to its concerns and addressing them in recently presented bills. The greater the trust that is developed, the more comfortable communication and information sharing between the public and private sectors will become, and the flow of information will follow. (Givens & Busch, 2013)

No one entity can ward off cyber threats alone. There needs to be a solid collaboration between the public and private sectors to promote awareness, educate and share information that is not only “relevant, timely, but actionable” (C-Span, 2014). The government is making every effort to address the concerns that the private sector raises regarding information sharing, so that the private sector can better protect itself and its customers. President Obama is pushing the government to come up with ways to better communicate cyber threats, and so he “directed the Director of National Intelligence (DNI) to establish the Cyber Threat Intelligence Integration Center (CTIIC)” (The White House, n.d.). This center was created to coordinate efforts to better assess cyber threats and to rapidly share information about current threats and the individuals involved with other existing government cyber groups. President Obama’s commitment to fighting cybercrimes is backed up with $14 billion added to the new budget to protect networks, governments and others, in addition to critical infrastructures. Lisa Monaco, assistant to the President for homeland security and counterterrorism, stated that the private sector can and should expect the public sector to respond quickly when it shares cyber information. She specified that the public sector will (Pellerin, 2015):

-- Provide as much information as it can about the threat to help companies protect their networks and critical information;

-- Coordinate a quick and unified response from government experts, including those at the Department of Homeland Security and the FBI;

-- Look to determine who the actors are and hold them to account; and

-- Bring to bear, as government experts respond to attacks, all the available tools and draw on the full range of government resources to disrupt threats.

An excellent example of collaboration to fight cybercrimes is the Sony Pictures Entertainment attack. Within hours of the intrusion, Sony contacted the FBI and the two were able to join forces during the investigation of the cyber incident (Federal Bureau of Investigation, 2014). Because of Sony’s rapid reporting of the attack, the FBI was able to use its resources to identify who was behind the attacks. The public sector is committed to working with the private sector and will continue to do so in a way that protects the civil and privacy rights of all involved.

Another example of the effort the government is making to improve information sharing is an “online collaboration called Project Interoperability” (Paul, 2014). This is a platform that will enable both the government and the private sector not only to share information but to work together to develop techniques and standards to fight cybercrime. The project’s website states that “information interoperability is the ability to transfer and use information in a consistent, efficient way across multiple organizations and IT systems” (United States Government, n.d.). This web-based tool is meant to develop a system of communication between the public and private sectors so that, no matter what level or role you have in your organization, you will be able to use the website. The ability to share information with individuals who speak the same language and have the same understanding of the struggles of safeguarding a system is exactly the type of collaboration that is needed.


Public-Private Sectors Collaboration

For public-private collaboration to work, both sides need to be on the same page and speak the same language when sharing information. Structured Threat Information eXpression (STIX), Cyber Observable eXpression (CybOX), and Trusted Automated eXchange of Indicator Information (TAXII) are three tools that will help both the public and private sectors focus on the collection and distribution of cyber threat information between the two sectors. These tools are constantly evolving as more members join to exchange cyber threat information. No tool is perfect at its initial rollout and these three tools are no different. They will continue to improve as both public and private sectors communicate and better define the protocols, concepts and specifics that are needed to combat cyber threats.

STIX uses a standardized XML-based language to send data regarding cyber threats. The MITRE Corp. and the Department of Homeland Security collaborated in developing this tool to address issues like interoperability, threat indicators and mitigation efforts. The main objective of this language was to make it flexible, automatable, extensible and easy to read by everyone. Information that can be shared using this platform includes (Barnum, 2014):

Cyber observables

Indicators

Incidents

Adversary Tactics, Techniques, and Procedures

Exploit Targets

Courses of Action

Cyber Attack Campaigns

Cyber Threat Actors
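The following is an added example, not part of this paper or of the MITRE STIX project. It ties the list above to the earlier point that shared information covers only technical indicators with personal information removed: a producer packages one cyber observable as a STIX 1.x-style XML indicator after stripping a person's private data from the internal incident record, and a consumer parses the package back. The namespace URIs and element names follow STIX 1.1 and CybOX 2.1 as I recall them (treat them as assumptions and validate against the published schemas); the incident record, the producer name example-org and the domain c2.bad.example are constructed.

```python
"""Build a STIX 1.x-style XML indicator from an internal incident record,
sharing only technical indicators and dropping personal information.

Added example, not from the paper or from MITRE. Namespace URIs and
element names follow STIX 1.1 / CybOX 2.1 as recalled by the author of
this example (assumption: validate against the published schemas).
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, tag):
    """Qualified tag in ElementTree's '{uri}tag' form."""
    return "{%s}%s" % (NS[prefix], tag)


# Allowlist: only these fields of the internal record describe the
# technical aspect of the threat and may leave the organization. Victim
# names, employee names, ticket owners and analyst notes are never copied.
SHAREABLE_FIELDS = ("title", "domain", "first_seen")

# Even allowlisted free text is scrubbed of e-mail addresses in case an
# analyst pasted one into the title.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sanitize(record):
    """Return a copy of record holding only shareable fields, with any
    e-mail address replaced by a placeholder."""
    clean = {}
    for key in SHAREABLE_FIELDS:
        if key in record:
            clean[key] = EMAIL_RE.sub("[redacted]", str(record[key]))
    return clean


def build_package(record, producer="example-org"):
    """Producer side: one STIX_Package with one Indicator whose Observable
    is a CybOX DomainName object. Returns the XML as a string."""
    clean = sanitize(record)
    pkg = ET.Element(q("stix", "STIX_Package"),
                     {"id": "%s:package-1" % producer, "version": "1.1"})
    indicators = ET.SubElement(pkg, q("stix", "Indicators"))
    ind = ET.SubElement(indicators, q("stix", "Indicator"),
                        {"id": "%s:indicator-1" % producer,
                         q("xsi", "type"): "indicator:IndicatorType"})
    ET.SubElement(ind, q("indicator", "Title")).text = clean["title"]
    obs = ET.SubElement(ind, q("indicator", "Observable"),
                        {"id": "%s:observable-1" % producer})
    obj = ET.SubElement(obs, q("cybox", "Object"),
                        {"id": "%s:object-1" % producer})
    props = ET.SubElement(obj, q("cybox", "Properties"),
                          {q("xsi", "type"): "DomainNameObj:DomainNameObjectType",
                           "type": "FQDN"})
    ET.SubElement(props, q("DomainNameObj", "Value")).text = clean["domain"]
    return ET.tostring(pkg, encoding="unicode")


def extract_domains(xml_text):
    """Consumer side: pull every DomainName value out of a received package
    without depending on where in the tree it sits."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.findall(".//DomainNameObj:Value", NS)]


# Constructed internal incident record: mixes the technical indicator that
# may be shared with personal data that must not leave the organization.
SAMPLE_RECORD = {
    "title": "Suspected C2 domain seen in proxy logs",
    "domain": "c2.bad.example",
    "first_seen": "2015-05-01",
    "victim_email": "jane.doe@victim.example",
    "employee_name": "Jane Doe",
    "analyst_notes": "Jane Doe opened the attachment; contact her first.",
}

if __name__ == "__main__":
    package = build_package(SAMPLE_RECORD)
    print(package)
    print("domains shared:", extract_domains(package))
```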


Figure 2: A high level representation of how STIX works (Connolly, Davidson, Richard, & Skorupka, 2012)

STIX is the language used to communicate the information, and the cyber observables within it are represented in the Cyber Observable eXpression (CybOX) language. CybOX provides a tool for “addressing cyber observables across and among this full range of use cases improving consistency, efficiency, interoperability, and overall situational awareness” (Corporation, 2015). Trusted Automated eXchange of Indicator Information (TAXII) is the means by which both STIX and CybOX information is transported.

Establishing a mechanism by which all parties can share information is ineffective if there is not a secure way to transport that information. Without a secure means of transporting data, organizations will limit the type of information they share. TAXII is an exchange that allows the transportation of cyber threat information. Detection, prevention and mitigation efforts can all be exchanged in a secure way. With the ability to encrypt, authenticate, alert and query between systems, TAXII enables organizations not only to leverage agreed standards to “enable the sharing of actionable indicators” (Connolly, Davidson, Richard, & Skorupka, 2012) but also to share threat information in a timely and secure manner.

Figure 3: A high level vision of how TAXII works (Connolly et al., 2012)

The ability of humans to manually digest data in large volumes in a timely manner and act on it is near impossible. When it comes to minimizing damage and recovery time from cyberattacks, time-sensitive action is necessary. Timely transfer of information can also reduce confusion and allow the public and private sectors to better predict and anticipate future events. These tools allow proper communication and actionable information to be shared in a timely manner.

Private Sector Contribution

Information sharing between the public and private sectors is important enough that both individuals and companies are collaborating to produce methods to share data securely. They believe in their methods so much that they have applied for, are waiting for, or have been granted United States patent protection. In November 2014, the United States Patent and Trademark Office (USPTO) held an information session to discuss the efforts of both the public and private sector to combat cybercrimes. TC2400 is the technology center where patent applications in the field of information security are examined. Subject matter related to data and user protection, security policies, access control, monitoring, and countermeasures is the area of concentration for TC2400. The USPTO is enthusiastic about examining cybersecurity patents and is aware that its examiners, currently numbering 200 who are dedicated to this technology, need further training in order to better understand the specific nature of best standards and emerging technology. Currently the average time from initial filing to first action by an examiner is about 16 months, and granting patent protection could take about three years. With the speed at which technology changes and cyber threats increase, there is a need for the USPTO to somehow accelerate the process.

There are organizations that are taking the initiative to develop methods and standards to better protect themselves. The top 5 companies filing patent applications in the field of information security are: IBM (173 patents), Symantec (103 patents), Google (71 patents), Microsoft (67 patents) and Samsung (64 patents) (United States Patent and Trademark Office, 2014).

Large corporations are not the only organizations that are developing improved responses to cyber threats. Swan Island Networks, Inc., a company based in Portland, OR, provides business intelligence solutions. It started out as a software engineering lab working with the U.S. government and in 2009 took its R&D to the private sector. The Trusted Information Exchange Service (TIES) was launched, and its services currently “help protect more than 250 large enterprises and 20% of Fortune 100 companies every day” (Swan Island Networks, 2015). Being the innovators that they are, they filed a patent application in April 2013 for “Human-Authorized Trust Service”, patent application number 20130312115 (Jennings & Jones). The claims of this patent application define methods that allow trusted access to data between two parties. This application is currently in the review process and has not yet been granted exclusive rights and protection.

Another private sector company, Norse Corporation, a leader in live attack intelligence based out of Mateo, CA, has also filed a patent application (patent application number: 61508493), in July 2012. Its patent claims define systems and methods for “gathering, classifying, and evaluating real time security intelligence data concerning security threats presented by an IP address, and reporting in real time the degree and character of such security threats” (USPTO, 2012). Its application is currently in the review process and has not yet been granted exclusive rights and protection.

The USPTO embraces the role the private sector is playing in cybersecurity. Its goal is to work diligently to approve innovative products and services as quickly and efficiently as possible.


Conclusion

With the ever growing and real threats to cybersecurity, the need to mitigate cyber risks is crucial. There is no easy solution to the cybersecurity challenge of information sharing. There is no foolproof protection against cyberattacks, and navigating through best practices and standards starts with information sharing. President Obama, early in his first term, made cybersecurity a priority. The President is constantly speaking out about cybersecurity and how the public and private sectors must work together to come up with a mutually agreed upon method for information sharing. The public sector is working to improve by introducing new legislation and updating previous laws to address concerns from both sectors. It is committed to pulling together all its resources to coordinate responses to breaches in a united and timely manner. In addition, it will work to break through the barrier that is preventing timely, actionable information sharing by providing quantifiable information regarding a cyber-threat or cyberattack that will help the private sector better protect its systems and other critical information. The threats in the cyber domain can get complicated, but through coordinated efforts from both the public and private sector, preemptive measures can be taken to mitigate cyberattacks, remembering that this is a two-way street. If the public sector is willing to share information then the private sector must reciprocate in kind with the same quantifiable information.

The private sector needs to remember that information on cyber threats covers a limited, technical type of information and should not let fear prevent open communication with the many government agencies. The challenge here is to have some kind of protection against breaches, the sharing of privileged information and liability concerns so that there will be open communication between the public and private sectors in order to solve and prevent cyber issues. The private sector has made its concerns known and the public sector has responded by approving legislation such as The Cybersecurity Information Sharing Act of 2013 (CISA). President Obama’s executive directive has made it very clear that his administration is putting cybersecurity at the top of its priority list. The private sector needs to do the same and learn from the lack of communication that caused the many data breaches of 2014. The consequences of not making cybersecurity a top priority within the organization will be not only data theft but also reputation loss and loss of customers, not to mention the cost involved due to a cyberattack. Given the sophisticated nature of some of the cyberattacks, a disaster is in the making if cybersecurity is not made a priority. Cultural changes will need to be made within the private sector because, although cybersecurity is technical in nature, the way cybersecurity is managed is human. Changing the mindset of the private sector starts at the executive level of an organization in order to effectively combat cyber-threats in a timely fashion.

As President Obama’s presidential term comes to an end, his cybersecurity initiative needs to continue with the next administration. It should not matter whether the next president is Democratic or Republican, because cyberattacks do not care what party you represent. We need to do more to strengthen security in the cyber domain so that we can create a better world for our children. Open communication and information sharing between the public and private sectors will be an ongoing challenge, and there will always be a need to reiterate that. Collaboration is the key to uniting in the fight against cybercrimes, and the public and private sectors must jump in with both feet to educate each other so that every action to mitigate a cyber-threat will be timely, significant and actionable.


References

Barnum, S. (2014, February 20). Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE Corporation, v1.1, Rev. 1. Retrieved from http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.1.pdf

Brill, J. (2014, November 6). What's past is prologue: FTC's competition and consumer protection priorities. Presenter at the ABA Fall Forum Keynote Address. Retrieved from https://www.ftc.gov/es/system/files/documents/public_statements/597211/141106abafallforum-2.pdf

C-Span. (2014, August 22). Cybersecurity challenges. Retrieved from http://www.c-span.org/video/?321116-7/discussion-cybersecurity-threats

Carton, B. (2014, May 29). ISS recommends ouster of seven Target directors for data breach failures. Retrieved from https://www.complianceweek.com/blogs/enforcement-action/iss-recommends-ouster-of-seven-target-directors-for-data-breach-failures#.VUBi_iFVhBc

Cichonski, Millar, Grance, & Scarfone. (2012, August). National Institute of Standards and Technology (U.S.), Special Publication 800-61 (SP 800-61, rev. 2). Computer security incident handling guide: Recommendations of the National Institute of Standards and Technology. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.

Clarke, R., & Olcott, J. (2014, March). The board's role in cybersecurity. Retrieved from http://www.kispertgroup.com/wp-content/uploads/2014/06/Good_Harbor_Directors_Note_Cyber.pdf

Committee, I. (2015, March 18). Senate Intelligence Committee introduces cybersecurity bill, addresses privacy concerns. Retrieved from http://www.intelligence.senate.gov/press/record.cfm?id=358715

Committee, U. S. (2015, March 12). Sen. Carper statement on the cybersecurity information sharing act (CISA). Retrieved from http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa

Congress, 1. (2015, February 2). H.R.234 - Cyber Intelligence Sharing and Protection Act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/234?q=%7B%22search%22%3A%5B%22cyber+intelligence%22%5D%7D

Congress, 1. (2015, April 22). H.R.1560 - Protecting cyber networks act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1560?q=%7B%22search%22%3A%5B%22The+Protecting+Cyber+Networks+Act%22%5D%7D

Congress, 1. (2015, April 23). H.R.1731 - National cybersecurity protection advancement act of 2015. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1731?q=%7B%22search%22%3A%5B%22cybersecurity%22%5D%7D

Connolly, J., Davidson, M., Richard, M., & Skorupka, C. (2012, November 8). The trusted automated eXchange of indicator information (TAXII). Retrieved from http://taxii.mitre.org/about/documents/Introduction_to_TAXII_White_Paper_November_2012.pdf

Corporation, MITRE. (2015, April 14). CybOX, v2.1. Retrieved from http://cybox.mitre.org/

Denning, P. J., & Denning, D. E. (2010). Discussing cyber attack. Communications of the ACM, 53(9), 29-31.

Federal Bureau of Investigation. (2014, December 29). Update on Sony investigation. Retrieved from http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation

Federal Trade Commission. (2012, June 26). FTC files complaint against Wyndham hotels for failure to protect consumers' personal information. Retrieved from https://www.ftc.gov/news-events/press-releases/2012/06/ftc-files-complaint-against-wyndham-hotels-failure-protect

Fernandez Vazquez, D., Pastor Acosta, O., Brown, S., Reid, E., & Spirito, C. (2012, June). Conceptual framework for cyber defense information sharing within trust relationships. In Cyber Conflict (CYCON), 2012 4th International Conference on (pp. 1-17). IEEE.

Germano, J. H. (2014, October). Cybersecurity partnerships: A new era of public-private collaboration. Retrieved from http://www.lawandsecurity.org/Portals/0/Documents/Cybersecurity.Partnerships.pdf

Givens, A. D., & Busch, N. E. (2013). Information sharing and public-private partnerships: The impact on homeland security. Retrieved from http://www.austengivens.com/wp-content/uploads/2013/05/Givens-and-Busch_Information-Sharing-and-Public-Private-Partnerships.pdf

Givens, A. D., & Busch, N. E. (2013). Realizing the promise of public-private partnerships in US critical infrastructure protection. International Journal of Critical Infrastructure Protection, 6(1), 39-50.

Hearing before the Committee on Armed Services, House of Representatives, 12th Congress (March 16, 2011). National defense authorization act for fiscal year 2012: (H.A.S.C. No. 112-26). (statement of General Keith B. Alexander, US Cyber Command). Retrieved from http://fas.org/irp/congress/2011_hr/cybercom.pdf

Jennings, C., & Jones, D. M. (2013, November 21). Publication 20130312115 - Human-authorized trust service. Retrieved from http://www.ptodirect.com/Results/Publications?p=1&r=34&query=%40PD%3E%3D20131119%3C%3D20131125

John, P. (2014, March 18). Target breach lesson: PCI compliance isn't enough. Retrieved from http://www.technewsworld.com/story/80160.html

Kissel, R. (2013, May). National Institute of Standards and Technology (U.S.) (NISTIR 7298, rev. 2). Glossary of key information security terms.

Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445

billion annually. Retrieved from http://www.washingtonpost.com/world/national-

security/report-cybercrime-and-espionage-costs-445-billion-annually/

2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html

National Institute of Standards and Technology. (2014, February 12). Framework for improving

critical infrastructure cybersecurity. Retrieved from

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

Navare, J., & Gemikonakli, O. (2010, September). Governance and risk management of network

and information security: the role of public private partnerships in managing the existing

and emerging risks. Paper presented at the Global Security, Safety, and Sustainability –

6th International Conference, ICGS3, Braga, Portugal. Retrieved from

https://www.researchgate.net/publication/221193068_Governance_and_Risk_Manageme

nt_of_Network_and_Information_Security_The_Role_of_Public_Private_Partnerships_i

n_Managing_the_Existing_and_Emerging_Risks

Norton, S. (2014, September 30). Former NSA director: Better information sharing needed on

cybersecurity. Retrieved from http://blogs.wsj.com/cio/2014/09/30/former-nsa-director-

better-information-sharing-needed-on-cybersecurity/

Page 39: DBryant-Cybersecurity Challenge

PUBLIC-PRIVATE INFORMATION SHARING 39

Pager, T. (2015, March 19). Private sector remains wary of government efforts to increase

cybersecurity collaboration. Retrieved from http://nationalsecurityzone.org/site/private-

sector-remains-wary-of-government-efforts-to-increase-cybersecurity-collaboration/

Paul, K. (2014, March 24). Fork it, grab it, use it: Announcing project interoperability.

Retrieved from http://www.ise.gov/blog/kshemendra-paul/fork-it-grab-it-use-it-

announcing-project-interoperability

Pellerin, C. (2015, February 11). New threat center to integrate cyber intelligence. Retrieved

from http://www.defense.gov/news/newsarticle.aspx?id=128164

Ponemon Institute LLC. (2014, May). 2014 cost of data breach study: United States. Retrieved

from http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?

subtype=WH&infotype=SA&appname=GTSE_SE_SE_USEN&htmlfid=SEL03017USE

N&attachment=SEL03017USEN.PDF#loaded

Ponemon Institute LLC. (2014, October). 2014 Global report on the cost of cyber crime.

Retrieved from http://https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf

Prieto, D. (2006). Information sharing with the private sector. Seeds of disaster, roots of

response: how private action can reduce public vulnerability.

https://scholar.google.com/citations?view_op=view_citation&continue=/scholar%3Fq

%3Dprieto%26hl%3Den%26as_sdt%3D0,16%26scilib

%3D1&citilm=1&citation_for_view=ZLNwTTgAAAAJ:2osOgNQ5qMEC&hl=en&oi=

p

Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed alarms and 40

million stolen credit card numbers: How target blew it. Retrieved from

http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-

of-credit-card-data

Page 40: DBryant-Cybersecurity Challenge

PUBLIC-PRIVATE INFORMATION SHARING 40

Rockefeller, J. D., Menendez, R., Whitehouse, S., Warner, M., & Blumenthal, R. (2011, May

11). Letter to Ms. Mary Schapiro, Chairman U.S. Security and Exchange Commission.

Retrieved from http://www.commerce.senate.gov/public/?

a=Files.Serve&File_id=4ceb6c11-b613-4e21-92c7-a8e1dd5a707e

Rosenbush, S. (2014, June 20). Former NSA Chief Mike McConnell says culture, not tech, is

key to cyber defense. Retrieved from http://blogs.wsj.com/cio/2014/06/20/former-nsa-

chief-mike-mcconnell-says-culture-not-tech-is-key-to-cyber-defense/

SIFMA. (2014, October 20). Principles for effective cybersecurity regulatory guidance.

Retrieved from http://www.sifma.org/issues/item.aspx?id=8589951691

Swan Island Networks. (2015). About Swan Island Networks, Inc. doi:swanisland.net/company

Symantec. (2015, April). Internet security threat report. V20. Retrieved from

http://https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-

security-threat-report-volume-20-2015-social_v2.pdf

U.S. (2014, November 3). Partners in cybercrime prevention. Retrieved from

http://www.nationaljournal.com/library/198396

United States Department of Justice. (n.d.). What is FOIA? Retrieved from

http://www.foia.gov/index.html

United States Government. (n.d.). Project Interoperability. project-interoperability.github.io/

United States Patent and Trademark Office. (2014, November 14). Cybersecurity partnership.

Retrieved from http://www.uspto.gov/about/contacts/phone_directory/pat_tech/nov2014-

cybersecurity-partnership-presentation.pdf

United States Senate Committee. (2015, March 12). Sen. Carper statement on the cybersecurity

information sharing act (CISA). Retrieved from

Page 41: DBryant-Cybersecurity Challenge

PUBLIC-PRIVATE INFORMATION SHARING 41

http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-

cybersecurity-information-sharing-act-cisa

USPTO. (2012, July 16). Norse Corporation Patent Appl. No.: 13/550,354. Retrieved from

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=

%2Fnetahtml%2FPTO%2Fsearch-

bool.html&r=3&f=G&l=50&co1=AND&d=PTXT&s1=cybersecurity&s2=google&OS=c

ybersecurity+AND+google&RS=cybersecurity+AND+google

White House. (n.d.). The comprehensive national cybersecurity initiative. Retrieved from

http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative

The White House. (2015, February 25). Fact sheet: Cyber threat intelligence integration center.

Retrieved from http://https://www.whitehouse.gov/the-press-office/2015/02/25/fact-

sheet-cyber-threat-intelligence-integration-center