Private sector needs a little sumthin' sumthin' to get it sharing threat intel – US security chap

Bigwigs mulled giving the UK's National Cyber Security Centre, the information assurance division of GCHQ, a regulatory function or even letting it charge for its services - before settling on its current role of encouraging better cybersecurity. That's what chief exec Ciaran Martin told Israel Cyber Week during a panel on …

  1. adnim

    who do ya share with?

    Those that in the short term fulfil requirements.

    Or those whom you have looked in the eye and felt the sincerity when they pulled ya from the shit?

    Leaders change, psychopaths sharing with psychopaths does nothing to convince me that the world is becoming a better place.

  2. fidodogbreath

    thought should be given to allow "deference in regulatory action" to companies that suffered a breach despite being involved in information-sharing programmes.

    Anything you tell the US government could potentially become public, by loss or leak. I can't imagine that corporate legal departments would allow their company to voluntarily disclose information that might be used against them. Even "deference in regulatory action" isn't very enticing, since disclosure could lead to lawsuits from investors or (in the case of a breach) affected customers.

    1. Anonymous Coward

      The only breaches that have happened to me were OPM and the Veterans Administration. Trust the government?

1. tom dial

        Not Equifax, Target, or one of several medical insurance providers?

        Concern by company law departments probably is justified, though, since the shared information might include details pointing to a company's culpability, and therefore civil liability, in a breach. Such information should, and probably would, turn up during a lawsuit's discovery phase, but a government leak could help plaintiff attorneys know exactly what to look for and judge whether the discovery product was complete.

        Indemnity for the companies, as it seems Krebs hinted, seems a bad idea; it might be better to require technical data sharing for all breaches requiring victim notification under state law.

3. Claptrap314

    Not feeling it

    Twenty years ago, a startup was pushing a vulnerability sharing program. The response was...tepid at best. They were pushing for a unified response. When they mentioned offense responses as a possible unified response, they got an almost immediate visit from the FBI. They were concerned about who would be identified as an attacker. The startup decided the safest course of action was to just shut the whole thing down.

    Twenty years on, the main changes are that we are far, far more reliant on the internet--and the average code quality is almost certainly worse.

    The problem is that the average consumer is extremely poorly situated to judge the seriousness of the security vulnerabilities of products. This practically requires that companies pay little attention to it unless forced by something external to their customer relationship. That pretty much limits us to government regulation, or the insurance industry.

    Let's please drive towards option #2. #1 is bringing in elephants to chase off the lions.

    1. Anonymous Coward

      Re: Not feeling it

Given economic history, I've been hoping that the insurance industry gets to it. They are flawed in some ways* but nothing like government regulation, which often results in regulatory capture.

      *- As my Mother puts it: All any insurance company would like to cover is "pig iron, underwater for fire." She once long ago worked for TransAmerica.

  4. GnuTzu

    Collaboration, Yes!!! Government Incentives, Careful With That?

I think I'd rather see incentives for a private-sector organization, perhaps like the PCI Council--not that they don't have their own dysfunction, being essentially owned by the banks (which, perhaps, ought to be balanced by a private-sector consumer watchdog--if you can keep the banks from getting the government to outlaw such a thing). O.K., I admit that's terribly cynical; but like John Lennon, I'm not the only one.
