Information sharing is critical to properly addressing cyber security, particularly if one subscribes to a public health model rather than a military security model. Just as the Center for Disease Control (CDC) must have open information sharing if it is to help us fight pandemics, cyber security must have the same level of openness, or the public health model will fail.
Today we have two main impediments to open information sharing in the cyber security arena. On the Government to Private Sector (PS) side, the problem is the government’s reluctance to share all the threat information it has, because it wants to protect its intelligence sources and methods. On the Private Sector to Government side, there are actually two problem areas. The first is a fear that proprietary industrial information will be revealed. The second is the fear that the government might use the information given by a private company, and that the company would then be held liable for any damage done or for any breach of the law. While all of these concerns are legitimate and understandable, they are also problems that are clearly surmountable.
In the cyber realm, the government must do the hard work of developing trusted partners with whom it can share the most sensitive information. This will be a cultural change for the government, but one that must occur in order for everything to work. Additionally, a method of redaction must be developed in the short term that allows the maximum amount of sharing, in the most useful format for the information, while still protecting sources and methods. It is not enough to say it is “too hard” and do nothing. We must find a way.
In the other direction, the government needs to help the PS develop a way to pass on information about attacks, penetrations, and even successful defense techniques while protecting the industry equivalent of sources and methods. There must be sensitivity toward protecting proprietary information that raises the comfort level of corporate leadership. The next step would be the development of real liability protection for companies trying to assist the government. There must be a legislatively founded exemption program that specifically protects these companies. This needs to be further backed up with a real insurance protection program that would indemnify any firms that might fall through a crack in the legislative exemptions.
Only by breaking down these very real concerns will we get to the needed level of information sharing. If we fail to achieve this, we will never reach the degree of cyber security that is needed. This should be a major priority for the Obama Administration and its Cyber Coordinator.