The Expert's View

IT Security Requires More Transparency

It's a not-too-uncommon sight: high-ranking government officials and top private-sector security experts sitting around a conference table complaining about the lack of information sharing between the two groups. It's a subject that seems to come up over and over again.

There are some fundamental issues at play here. One is the challenge of government sharing classified information with specific businesses that don't have the appropriate security clearances. But new intermediaries that have been created in the past few years - such as Infragard, an information sharing partnership between the FBI and business, and the various information sharing and analysis centers, such as the Multi-State ISAC - provide a workaround.

But what about sharing of non-classified information, such as details of a breach or security incident, one where our fellow security experts could learn from the example?

While there are no statistics that I am aware of on non-disclosure, in many off-the-record discussions I've heard of many cases where the government and private sector have chosen not to publicly disclose incidents involving unclassified information. Why? In the private sector, going public vs. non-disclosure is a business calculation. A company must take into account its stakeholders' interests. Obviously, the well-being of the business is paramount, and the board and senior executives weigh the risks involved in publicly disclosing a breach. Sometimes they decide that non-disclosure is the appropriate path, and they accept any risk involved with their decision.

The decision-making process is not much different in government, except that there is no board; instead there are elected officials and their appointed senior managers. The owners of government IT systems are its citizens, and decisions should be made in the interest of the owners, just as in the private sector, but all too often that's not the case. Sometimes the negative press that would result from a government admitting its faults could cause a drop in its political leaders' poll numbers, create distrust in the government, or perhaps adversely affect the elected officials' chances of winning reelection.

But there are signs that more transparency in sharing information is occurring, at least in the private sector. At conferences and meetings, I hear more business chief information security officers openly discuss the IT security challenges they face.

And, there's hope that the public sector will follow. Howard Schmidt, who became the first White House cybersecurity coordinator in January, in recent weeks has been making a number of public appearances where he is repeating his mantra of a public-private partnership that includes sharing of information between the two groups, a positive step forward for those of us who care deeply about government IT security.

Now, we likewise need to hear from our elected government officials and their top cabinet appointees, and let's hope that their decisions on IT security transparency are based on what's best for the public and not on what gets their administration re-elected to office.

Bob Maley, the former chief information security officer of the Commonwealth of Pennsylvania, is an IT security consultant.

* * *

Also see Maley's previous blog: Why I Spoke Publicly About Cyber Incident.
