The menace of cyber attacks has become a concern for both the public and private sectors. Several approaches have been proposed to tackle the challenge, but an approach that has received widespread acceptance among cyber security professionals in both public and private sectors is cyber threat information (CTI) sharing. CTI refers to any information that can help an organisation identify, assess, monitor and respond to cyber threats. It includes indicators of compromise; tactics, techniques and procedures used by threat actors; suggested actions to detect, contain, or prevent attacks; and the findings from the analyses of incidents. Sharing CTI has been proposed as an efficient and effective way of improving overall cyber intelligence and defence. However, there are sources of liability that may dissuade private entities from participating in such sharing. The most cited source of liability is privacy and data protection law; although antitrust law, tort of negligence law and intellectual property law are also cited as potential sources of liability. In this study, we review the extent to which the provisions of privacy and data protection law support or refute the sharing of CTI. This will provide guidance and incentives for private entities willing to participate in CTI sharing, especially for critical infrastructure protection.
[1]
Rogério de Lemos,et al.
Risks of Sharing Cyber Incident Information
,
2018,
ARES.
[2]
Rogério de Lemos,et al.
Sharing Cyber Threat Intelligence Under the General Data Protection Regulation
,
2019,
APF.
[3]
Stephanie von Maltzan.
No Contradiction Between Cyber-Security and Data Protection? Designing a Data Protecton Compliant Incident Response System
,
2019
.
[4]
Clare Linda Sullivan,et al.
"In the public interest": The privacy implications of international business-to-business sharing of cyber-threat intelligence
,
2017,
Comput. Law Secur. Rev..