The hardest thing to get large companies to do is to share sensitive corporate information with direct rivals. A very close second to that is to get them to talk about a security attack they just suffered. But that double reticence provides a favorable business climate for cyberthieves.
If all companies in a sector shared information about cyberattacks with one another, they would all learn about new things to look out for. Because potential victims would be aware of where a new danger lies, cyberthieves would have to give up new tactics fairly quickly. If that information isn't being shared, the cyberthieves can just keep repeating their new attacks at one company after another. You would hope that companies could see how it would be beneficial to them to share information with rivals, which would then be encouraged to share information that could save them from a cyberattack as well. But cyberthieves needn't be too worried about that. There's far more suspicion and paranoia in large companies than can be overcome by security self-interest.
I've been thinking about all of this in the wake of the March 19 shutdown of the 12-year-old, highly respected global security mailing list called Full Disclosure. FD was a wonderful forum for security professionals to share new cyberthief tactics and report security holes. The folk who ran FD were vague about why the list was being shut down, other than it involving legal threats.
John Cartwright, the administrator of the list, bemoaned changes in the hacker community, saying in a message, "I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honor amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."
Fortunately, we won't be writing the obituary for Full Disclosure -- yet. A few days after the list was shut down, Gordon Lyon, a fan of the list and himself a respected security researcher, surfaced to take over the administration of the list, with Cartwright's blessing.
Lyon decided to revive the list because he doesn't buy the arguments of some in the security field that lists like FD are no longer needed. To the suggestions that researchers can just host their advisories on websites like Pastebin and post links to them on Twitter, he said, "Mailing lists create a much more permanent record, and their decentralized nature makes them harder to censor or quietly alter in the future."
Sign up for CIO Asia eNewsletters.