DHS Wants Businesses to Share Threat Data, Not So Keen on Sharing Its Own

The Department of Homeland (In)Security’s recent call for industry and government to share IT-security data would be much more impressive if:

1. The agency had any idea of how businesses actually operate; and
2. It followed its own advice.

Last month Mark Weatherford, DHS’s deputy undersecretary for cybersecurity, said it would be great if groups of companies in the same industry could pool infrastructure resources to help each other mitigate the effects of cyberattacks.

His comments were in response to a recent wave of DDoS attacks against U.S. banks. Weatherford imagined a situation “where you buy a bunch of servers, more than any one company might need at one time, but you co-op that for like-minded organizations and when someone needs that kind of service you point it at them and they have it available to them.”

Dear Mr. Weatherford: Have you met any senior execs at financial firms? They would sooner feed their children to zombies than share information or resources with other companies. Banks, like many other industries, have asked themselves which is worse: Online services being down for a while or my competition getting information I don’t want them to have. In most cases the answer has been the latter.

Proof: Last week two presentations were pulled from the 12th ICS Cyber Security Conference over concerns they would give away too much information. A company threatened to sue to stop one of the presentations.

As CSO’s Taylor Amerding notes,

“[One] unnamed vendor reportedly said the presentations would have revealed too much about its equipment, even though the plant’s officials had approved the presentation. The threatened suit was not an isolated instance. Those at the conference were also told that ‘a security firm that had uncovered the thousands of pieces of control equipment exposed to online attacks did not tell U.S. authorities where they were installed because it feared being sued by the equipment owners.'”

Thankfully other talks did go ahead as scheduled, including one about the government not telling private sector companies FOR FIVE YEARS about a way to attack electricity-generation equipment. That, the report said, meant potential targets “had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves.”

This explains DHS’s newly adopted motto: Do as I say, not as I do.