Policy Observatory

Facebook has built a platform where organizations can share information about the security threats they face in order to better fend off cyberattacks. Facebook unveiled the new platform, ThreatExchange, on Tuesday. The idea behind it was born over a year ago when several Internet companies, including Facebook, were trying to stop a botnet that was abusing their services to send spam.

Security vendors have long had private channels for sharing such data among themselves, but this form of collaboration has limits, because, after all, many of them are competitors and have business models built around providing security intelligence to customers as a service. Some companies also share information about attacks through dedicated industry groups, but this leaves them blind to attacks on companies in other industries that could later affect them too.

U.S. lawmakers should put strict privacy controls into planned legislation to encourage companies to share cyberthreat information with government agencies and each other, some advocates said.

Members of the Senate Homeland Security and Governmental Affairs Committee said Wednesday they plan to work on a cyberthreat information-sharing bill in the coming months. But representatives from Microsoft and the Center for Democracy and Technology told lawmakers they can avoid the controversies of other recent bills by requiring companies and government agencies to strip out personally identifiable information before sending cyberthreat information to other organizations.

FBI’s assistant director Joseph Demarest suggested three ways Congress could combat cyber threat: to update the Computer Fraud and Abuse Act, to require businesses to provide prompt notice to consumers in the wake of cyber attacks, and for government and the private sector to share insights into cyber threats.