President Obama wants private sector companies to share information about cybersecurity threats with each other – and the government. That sounds like a novel idea – and some industries already are doing this among themselves.
However, the federal government doesn’t share its experiences with us (“National Security!”), though presumably its agencies do share with each other. The big question then is – should the private sector feed a one-way flow of information to the government? That would be extremely altruistic, wouldn’t it?
The truth is that not everyone in the private sector has a choice in the matter. Healthcare, for example, must report breaches to the Office for Civil Rights (OCR) – or face penalties.
Overall, the playing field is really quite bumpy and uneven. Government doesn’t share with us; we optionally share with each other (but often are too timid or embarrassed to do so); and some industries share with the government.
The private sector should share information – as long as it can be done without mandated punitive retaliation.
Go beyond cybersecurity threats, for example, and look at one specific type: cyber-warfare. When examined closely, cyber-warfare is similar to analog warfare. Threats affect assets. If I saw terrorist activity on the street or my building was attacked, I would tell the authorities in the hope that the attack would be curtailed and others would not suffer the same fate.
Furthermore, the authorities might even be able to help me prevent such attacks or provide me with a response plan because they had seen this before and have a response already worked out (send in a S.W.A.T. team perhaps). I would have readily shared my information with the government and it could potentially help me.
The difference might be that in the above scenario there is a sense that it is the government’s duty to help its citizens. However, I get no feeling that this is the case for cyber-warfare or cybersecurity threats in general.
Back to the earlier point on altruism – really, what’s in it for me? Sharing cybersecurity information increases my risk of further attack if it is shared with the bad guys – otherwise it is potentially beneficial. Though it would be beneficial overall if we did share cybersecurity threats with each other and the government, as a security professional I am naturally paranoid, so I’m still not 100% sure.