Legal Issues Related to Cyber Threat Information Sharing Among Private Entities for Critical Infrastructure Protection

The menace of cyber attacks has become a concern for both the public and private sectors. Several approaches have been proposed to tackle the challenge, but an approach that has received widespread acceptance among cyber security professionals in both public and private sectors is cyber threat information (CTI) sharing. CTI refers to any information that can help an organisation identify, assess, monitor and respond to cyber threats. It includes indicators of compromise; tactics, techniques and procedures used by threat actors; suggested actions to detect, contain, or prevent attacks; and the findings from the analyses of incidents. Sharing CTI has been proposed as an efficient and effective way of improving overall cyber intelligence and defence. However, there are sources of liability that may dissuade private entities from participating in such sharing. The most cited source of liability is privacy and data protection law; although antitrust law, tort of negligence law and intellectual property law are also cited as potential sources of liability. In this study, we review the extent to which the provisions of privacy and data protection law support or refute the sharing of CTI. This will provide guidance and incentives for private entities willing to participate in CTI sharing, especially for critical infrastructure protection.