Sharing. Revisited. Again


Despite being re-assured again and again that the government has largely fixed its information sharing problems, some people who are in a position to know beg to differ:

U.S. intelligence agencies are unable to share information about foreign cyber attacks against companies for fear of jeopardizing intelligence-gathering sources and methods, cyber security expert [and former NSC official] Paul B. Kurtz told lawmakers yesterday. . . . There is no coordinated strategy or mechanism for sharing intelligence about intrusions with companies, nor is there a systematic way for companies to share information with the government . . .

Naturally the government disagrees:

Laura Keehner, a DHS spokeswoman, dismissed the criticism as a political gambit aimed at snaring a few headlines. "Rearranging the deck chairs is a classic 'inside the Beltway' pastime,"

None of this should come as a surprise to anyone who has worked on related issues in the government or the private sector. I've been a Fed and done nothing but ask, giving little to nothing in return; I've worked in the private sector and balked at reporting because of the legal issues as well as the extra burden that reporting entails. It's not that people don't want to work together, but when the process is onerous and the roadblocks high, well, no one wants to voluntarily play Sisyphus.

The fact remains though that both government and commercial systems are being run over by serious attackers and just the negative fiscal impact alone is significant:

Industry's annual loss of intellectual property has been estimated at more than $200 billion a year, Kurtz said. One defense contractor recently spent up to $15 billion to repair the damage caused by a cyber attack, said Melissa Hathaway, a senior adviser on the White House cyber security initiative.

It's not all about money. You can always find a way to make more money, but once you lose a strategic advantage, through the loss of intellectual property or sensitive government information, the cascading effects don't just put you behind the eight ball, they wipe you clean off the table.

There are some things that would facilitate sharing:

  1. Make it Easy. When the only way to report data to Uncle Sam is through yet another closed system with more security credentials and more overhead, people won't report, or they'll report trivial items that don't take a lot of time. A PGP-encrypted attachment in ordinary email is secure enough for this purpose (if your network is already pwned, a closed portal buys you nothing; if it isn't, the report's value is long gone by the time anyone could break the crypto). The one thing to remember is that PGP protects only the attachment: sender, recipient and subject line travel in the clear, so keep the subject generic.
  2. Make it Fair. Feds take but never give, so eventually industry stops giving: a familiar refrain. So implement an anonymization system that allows meaning and insight to be communicated back and forth without revealing sensitive data. Adapting the "arbitrary unit designator" concept from intelligence analysis is a start: if an IP address is too sensitive to share, give it a random but fixed alphanumeric ID for the purposes of sharing. Because the ID is fixed, analysts on the receiving end can still correlate the same host across reports, and because only the originator holds the mapping table, feedback that refers to the ID can be translated back to the real address at home without the address ever leaving the building.
  3. Make it Legal. Industry-government sharing initiatives tend to fail because industry has these people called "shareholders" and "auditors" who get riled up if a company says it's been breached. Legal top cover for corporations would go a long way towards improving cooperation. It's not about hiding misconduct or culpability, but about avoiding the fickle inclinations of the market.
  4. Pay for It. DHS has asked for private sector expertise, but only at industry's expense. Corporations want to help, but when they pay someone a salary they like that person to show up to work. Industry experts will participate in secondments if the government stops trying to do everything on the cheap and simply expands the Intergovernmental Personnel Act (IPA) mobility program to cover the people it wants.
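To make item 2 concrete, here is an added example (my code, not anything from the post or from a government program) of the "arbitrary unit designator" idea applied to an intrusion report. The report format, the 10.0.0.0/8 "sensitive" range and the designator scheme are all assumptions for the example. Instead of a truly random table, which would have to be persisted and backed up, the designator is an HMAC of the address under a key that never leaves the reporting organization: the same address always gets the same designator (so analysts can correlate across reports and the sender can resolve feedback), while nobody without the key can recover or guess the address. Attacker infrastructure outside the sensitive ranges is deliberately left in the clear, since that is precisely what the other side needs to match against.

```python
"""Consistent pseudonymization of sensitive IPs in a shared intrusion report.

Added example, not code from the original post. The report text, the
sensitive prefix list and the 'IP-XXXXXXXX' designator format are all
assumptions made for illustration.
"""
import hashlib
import hmac
import ipaddress
import re
import secrets

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DESIGNATOR_RE = re.compile(r"\bIP-[0-9A-F]{8,}\b")


class Pseudonymizer:
    """Replace sensitive addresses with random-looking but stable designators.

    The designator is a keyed HMAC of the address, so it is fixed for a
    given key (correlation works across reports) yet unpredictable to anyone
    who does not hold the key. The reverse table lets the originator map
    designators in feedback back to real addresses.
    """

    def __init__(self, sensitive_prefixes, key=None):
        # The key stays with the reporting organization; persist it if you
        # need designators to stay stable across process restarts.
        self.key = key or secrets.token_bytes(32)
        self.prefixes = [ipaddress.ip_network(p) for p in sensitive_prefixes]
        self.forward = {}   # real address -> designator
        self.reverse = {}   # designator -> real address

    def is_sensitive(self, addr):
        """True only for syntactically valid addresses inside a sensitive prefix."""
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in self.prefixes)

    def designator(self, value, kind="IP"):
        """Return the fixed designator for a value, creating it on first use."""
        if value in self.forward:
            return self.forward[value]
        digest = hmac.new(self.key, f"{kind}:{value}".encode(), hashlib.sha256)
        hexdigest = digest.hexdigest().upper()
        # 8 hex chars is ample for one organization's address space; lengthen
        # the tag in the unlikely event it collides with a different value.
        n = 8
        while True:
            tag = f"{kind}-{hexdigest[:n]}"
            if tag not in self.reverse:
                break
            n += 4
        self.forward[value] = tag
        self.reverse[tag] = value
        return tag

    def pseudonymize(self, text):
        """Rewrite sensitive IPv4 addresses in a report; leave everything else alone."""
        def swap(match):
            addr = match.group(0)
            return self.designator(addr) if self.is_sensitive(addr) else addr
        return IPV4_RE.sub(swap, text)

    def resolve(self, text):
        """Originator-side: translate designators in feedback back to real addresses."""
        return DESIGNATOR_RE.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)


# Constructed sample reports: 10.20.x.y are the victim's own hosts (sensitive),
# 203.0.113.45 is attacker infrastructure and should be shared as-is.
REPORT_1 = (
    "02:14 UTC  Beacon from 10.20.5.17 to 203.0.113.45:443 every 300s\n"
    "02:20 UTC  Lateral SMB auth from 10.20.5.17 to 10.20.9.3\n"
)
REPORT_2 = "09:02 UTC  10.20.5.17 resolved update.example.net to 203.0.113.45\n"


def demo():
    """Share two reports, receive feedback referring to a designator, resolve it."""
    p = Pseudonymizer(["10.0.0.0/8"])
    shared_1 = p.pseudonymize(REPORT_1)
    shared_2 = p.pseudonymize(REPORT_2)
    # Constructed feedback from the receiving side, written in terms of designators.
    feedback = f"{p.designator('10.20.5.17')} behaviour matches a known intrusion set\n"
    print(shared_1 + shared_2 + "--- feedback, resolved locally ---\n" + p.resolve(feedback))
    return shared_1, shared_2, p.resolve(feedback)


if __name__ == "__main__":
    demo()
```

Two things are worth noting about the design. The designator is keyed per organization, so two companies hit by the same actor will not leak each other's internal addresses even if both use this scheme, and the government side still sees the shared attacker address in both reports. And because the forward table is regenerated from the key rather than from stored randomness, the only secret you have to protect is one 32-byte key.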

The fixes themselves are easy enough to implement; getting to the point where they can be implemented is hard and costs money. Again, if we're serious about cyber security then we should be willing to bear the expense and the level of effort. You'll know we're not serious if more or less this same discussion is repeated in a year or two.
