The Case for Information Sharing

I moderated a webinar last week for <a href="http://www.govexec.com/">Government Executive</a>, and the conversation unsurprisingly began with the important topic of information sharing versus information protection. Former Transportation Department Chief Information Officer <a href="http://twitter.com/technogeezer">Dan Mintz</a> led this part of the discussion, and his message was direct: Information sharing has to win out over protection because security should be part of everything users do online.

Let's face it: The Internet is an open book, and there aren't many people who aren't getting in on the action. This inevitably extends further than the individual computer user. In order for organizations and government entities to achieve their missions, they have to do aggressive information sharing. Why? Capability and cost, according to Mintz. Keeping information private is an expensive endeavor. And besides, Mintz believes the power of knowledge is greater than the loss of security in secrecy. He has a point.

A fairly common understanding within cybersecurity circles is that the bad guys know the vulnerabilities, and information protection prevents the good guys from weighing in with solutions. So what can you do about it? This is the million-dollar question, unless you're comparing it to FISMA-related expenses, and then it's more like the billion-dollar question. Yes, times truly are changing.

Short answer? I don't have enough time to give a short answer. But there are plenty of useful tips in last week's webinar with Dan and Patrick D. Howard, chief information security officer of the U.S. Nuclear Regulatory Commission.

Important aspects include situational awareness, timely response, visibility and the demand for good policy from the top down, within each agency and on a federal scale. A concept worth exploring here is that we can't think security unless we accept that most information already has been compromised. This is another security catch-22, and I see them the more I learn about the industry.

Meanwhile, a useful exercise to help us decide what information deserves protection was given to me by Dr. Eric B. Cole, a network security expert. He said the first question to address is, do the advantages of securing this information outweigh the disadvantages of it being leaked? Of course, this exercise is only as useful as your philosophy on information sharing and information protection. It's an endless cycle and another reason to stop fighting against information sharing even when it's harmful in the short term.