Opinion

The Sharing Imperative

Did you know that some meatpacking companies inject their plastic-wrapped product with carbon monoxide?

By Derek Slater

July 01, 2006 | CSO

I just learned this from MSNBC.com’s ConsumerMan column. Seems that CO gas—you’ll recall that’s what comes out of your car’s exhaust pipe—helps keep beef from browning “prematurely.” Seems we’d rather buy pink beef-plus-gas that looks healthy than grayish beef that actually is healthy. (The Food and Drug Administration says this practice is harmless. To which I nonetheless reply, “Ick.”)

It’s truly remarkable, the power of this urge to pretty things up. The same urge, the one that says looking good is better than actually being healthy, is killing security efforts today, particularly in the electronic security arena.

By now I’m sure the corporate world is weary of pleas for information sharing about cybersecurity. The government has been banging on that drum for years. There’s a history of information-sharing tug-o-war between public and private worlds. Around the time we launched CSO in 2002, much of the talk revolved around the Freedom of Information Act: If you share data with the government, evildoers (particularly journalists) might be able to access that data because of FOIA. Without a FOIA exemption, we will not share data, the corporate world said. Well, they passed the exemption in 2003, and if anything changed, you’ve certainly fooled me.

Everybody’s getting pelted with hack attempts, network scans and so forth. Everybody. The beef is gray, people. Or maybe green by now. So the urge that makes us all pretend that we’re doing well, that our networks are airtight, that hacks never happened, is just ridiculous.

I put this issue to Bruce Schneier, who gets exercised about the ultimate benefit of information sharing: data about cybercrime. If we had it, you could do real risk calculations. Real annualized loss expectancy calculations. You could budget accurately and know the return on your expense, just as banks know how much to spend to mitigate the threat of bank robbers.

The police blotter is an apt analogy. This is an area where the cyberfolks should be taking notes from the physical security world. When your bank gets hit by a cell phone–toting robber, the police and all your branches and all the other banks get information about how this robber works, and that gives everyone the chance to implement measures to stop the next robbery and catch the crook.

Schneier says cybercrime data sharing won’t happen until it’s required by law. So I’ll lobby for the passage of a law. In the meantime, though, I make the appeal. There are plenty of forums you can use to share cybersecurity information: Infragard, Electronic Crimes Task Forces, CERT-CC, the Internet Storm Center, local security roundtables and councils, the media, whatever. Just share it. Swap stories. Trade data about hacks, attempted hacks, insider data theft. Keep putting the case in front of the CEO to stop trying to put a pretty face on it, so we can actually do something about it instead.
