One of the biggest reasons that the “good guys” are always playing catch-up is a lack of collaboration and information sharing. Forgetting about semantics and connotations, the “Hacker Ethic” as described by Steven Levy in his 1984 book, “Hackers: Heroes of the Computer Revolution,” lists among its most important tenets:
- Free access to computers
- World Improvement
…most of which can be summed up with the saying “Information wants to be free.”
The criminal underground has embodied this. If you’re up to no good, trying to write some code to disrupt the online business of one of the Big Four banks, but you’re stuck on something, there are numerous forums and chatrooms on the Dark Net (more on that another time), or on IRC, where you can get an answer to your problem nearly immediately, usually with nothing expected in return other than that you’ll contribute back to the community with your own expertise.
That’s not to say that there aren’t a very large number of folks on the side of the angels who help each other out, throw ideas around and such. But most of the folks who would like to do so are generally employed by someone who would much rather make a profit off of that person’s ideas and skills. That’s capitalism, right? And we all need to put food on the table.
The problem I’ve been complaining about is that even though as individuals, you and I may be able to contribute and help out in our “off time,” we’re just that…individuals. The large corporations who have privatized security have vast resources, not just financially, but of intellectual property and intelligence they’ve gathered. Getting Symantec and McAfee to sit down together and compare notes? That might happen to some extent…but there will always be something held back. The same thing happens in the public sector. We’re constantly hearing about an “anonymous source” inside one agency complaining about another’s lack of cooperation or information sharing, blaming the other for not preventing an attack.
***Sidenote: Do yourself a favor and DON’T search the web for examples of the above. You’ll be inundated with conspiracy theories and nutjobs on both far ends of the political spectrum***
In spite of all this, or perhaps because of it, NIST announced yesterday the signing of 11 major players in the information security business to their National Cybersecurity Center of Excellence, a public-private partnership working with “industry, academic and government experts to find practical solutions for businesses’ most pressing cybersecurity needs.”
As someone who fancies himself one of the good guys, I hope that this thing works. I don’t doubt that the men and women who will be participating on behalf of their organizations have the best intentions and want to make this happen. It’s the corporate offices that I suspect will have something else to say about it. If the big brains from the 11 firms are allowed to share freely and truly collaborate with each other, this could be a major step in the right direction. The cynic in me, on the other hand, wonders how long before the first one pulls the, “I can’t tell you that, it’s proprietary” card.
In the interest of giving kudos when due, congratulations to the following for stepping up and working together…I’m hoping you can make this work: