Lack of Trust Thwarts Cybersecurity Information Sharing

By Matthew Harwood

Walters pointed to the open-source software-development community as a model. Everyone who joins the community must be willing to share something to foster trust. If they don’t, they get “voted off the island,” Walters said, referencing the TV show "Survivor."

Another model is the National Security Information Exchange (NSIE), said Sachs, which was created two decades ago by the federal government as a way for the private sector to share sensitive information. By exposing confidential information within the NSIE, incoming participants show long-time members that they can be trusted.

“You’re allowed to come to one meeting and not bring anything,” Sachs said. “The next time you come if you don’t have something to lay on the table to share with others, you’re not invited back.”

An information-sharing arrangement can only work if all parties share."It's not a voyeuristic mindset," according to Sachs. "That's not how we get to this common picture or this situational awareness that we want. Part of that trust breakdown may be each of us being able to open up a little more or show a little offering of what we're doing so that others may then develop their trust in us."

Brigadier General John Davis, director of current operations for U.S. Cyber Command, admitted he didn’t know how to build the trust necessary to achieve cybersecurity situational awareness, but he predicted the evolving nature of the threat could help facilitate more partnerships.

“I think urgency is one of the things that’s going to get us through this,” he said.

Originally organizations had to primarily worry about information theft. Then, in 2007 and 2008, massive cyberattacks on Estonia and Georgia showed that the threat could be tied to traditional military actions. “Now what we’re seeing is destructive capabilities that are being built and cause us great concern,” Daivis said without specifying an example.

This means government and the private sector must join together to alert each other before a massive cyberattack hits U.S. critical infrastructure.

“I’m very hopeful that we can do that by working together in advance,” Davis said. “But I do think that if we don’t, that situation’s coming, and it’s coming probably faster than we think.”

♦ Photo by opensourceway/Flickr


View Recent News (by day)


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.