The GDPR and the Future of Information Sharing

By Philip Reitinger

I know those who have given up on “information sharing” as a key part of the solution to cyber insecurity.  They, like me, have been working in this area for 20 years and more and have seen information sharing both develop slowly and be used as a rallying cry to avoid imposition of stricter cybersecurity requirements.

I’m not pessimistic.  We have seen information sharing grow measurably, if slowly, and there are non-profit, for-profit and government-supported information sharing mechanisms that are very effective.  In my view, we have gone through several generations of information sharing.

  • First Generation: individual and trust-based sharing;
  • Second Generation: lawyer-approved information sharing built into business practices;
  • Third Generation: machine-supported but still person-mediated information sharing; and
  • Fourth Generation: pure machine-to-machine, automated information sharing.

It is this Fourth Generation that I want to talk about.

I was recently at an forum where the newish General Data Protection Regulation (GDPR) was discussed in detail.  It seems a step forward in many areas, including explicit recognition of cybersecurity as a legitimate interest.  I was more troubled, however, by the suggestion by many that data transfers (that is, information sharing) need to be reviewed case-by-case by a human being for reasonableness.  If you will forgive the overstatement, that is what some would call “crazy talk.”

I use hyperbole with a purpose.  In this Fourth Generation of information sharing, devices running software will talk directly to other devices running software, and these devices will be responsible for observing their environment and making localized security decisions informed by a broader security context, also substantially provided by machines.  If we do not enable this process, we will not be sufficiently agile.  The only advantage the network defenders have is the size of the network, which can be instrumented and enabled to defend itself.  If we don’t use that advantage, “offense wins” will continue to be the underlying paradigm for the Internet, and privacy will suffer.

That means clarity is critical.  It’s fine to have case-by-case review of information sharing mechanisms to ensure they do what they need to do to protect privacy, while enabling network defense, so long as the results of that case-by-case review can then be written in code and implemented by machines.  Moreover, that case-by-case review must be at a general level, so that machines or people can implement new rules in near real-time that do not materially affect privacy.

It’s pretty simple.  If you have to assign a lawyer to every SOC analyst or autonomous device, we all lose.  I know nobody wants that; so let’s make sure as the further rules and practices are developed, we keep the need for automated information sharing in mind, in order to protect privacy.

The author, Phil Reitinger, is the President and CEO of the Global Cyber AllianceYou can follow him on Twitter @CarpeDiemCyber.

Image courtesy of