For those of you who have access to the Wall Street Journal, there is an interesting piece today about how banks are banding together to exchange information on cyber threats. It closes with interview comments from a deputy at Homeland Security, so you can see the motivation behind this: Homeland leads this initiative, and the banks are leading the effort to exchange information about cyber threats with one another. Homeland, according to this article, is "working hard" to declassify information to be shared with these cyber sharing partners: J.P. Morgan, BOA, Wells Fargo and Goldman, among others. The article also mentions some other interesting things about sharing of information: "Despite the new law, banks fear legal issues that could emerge if they share threat information with the government. Although the law provides liability protection to companies for sharing certain kinds of information, the banks are worried that such disclosures could open them up to shareholder lawsuits."
Banks have been the leaders in information sharing since my time on the President's Critical Infrastructure Protection Committee, so they are not doing anything new. What is new is that Homeland may be trying to help them fix the problem of classification, which is also not new. Incidents get reported and combined with intelligence information. That makes the whole incident classified, even though it may have been reported by a commercial business, and not releasable even to the people who reported it. This way of doing business could have been worked on 15 years ago, but was uniformly ignored by commercial and government interests who also didn't want to know things that might create liability for them, either professional or business liability. It isn't the banks, who have real targets with real losses; it is our Technology Sector, which has no liability for anything they do, and does not want any. These special interests pay well to keep the status quo.
The Chamber of Commerce and some of the major technology companies in the US fought hard to water down the Cybersecurity Information Sharing Act, and for several years kept it from getting to a vote. They used a variation of the "we might get sued" argument to justify that, when what they really mean is "I don't want to know about something that could give me liability". Hence the shareholder suits that might result from not having due diligence over things they know about. As one of my professors told me, being right does not keep you from being sued. It just helps you to win. Delta Airlines will know that pretty soon.