Several years after the beginning of a widespread effort between public and private parties to create an environment that would allow broader dissemination of vulnerability information, friction among the players is now scuttling such efforts.
The federal government, a key promoter of numerous information-sharing programs, announced last week it wants even more information from private network operators on vulnerabilities, infrastructure, traffic routing, disruptions and outages. At the same time, government officials and quasi-government agencies such as CERT have been making less and less information available to the private sector.
In response, many network operators and private security researchers, the sources of much of the data now available, have recently announced plans to take their information about viruses and worms and other hacks back underground, where, they said, it improves overall security and represents a lucrative revenue stream.
This reversal of efforts to create open exchanges of security data comes at a time when government agencies are being urged to change their secretive ways. In the short term, at least, the struggle will mean less free information available to the thousands of enterprises that depend on existing information-sharing programs to stay current on security and vulnerability matters, insiders said.
"I know Id be angry if Id been sitting on a potential breach for days without knowing," said Jacob Bresciani, systems analyst at the University of Alberta, in Edmonton. "I should at least be aware of the problem and, at the very least, increase monitoring."
Still, the industry seems intent on keeping vulnerability data under wraps.
"The security industry is very competitive, [and] to give full information on such issues loses your competitive edge," said Mark Litchfield, co-founder of Next Generation Security Software Ltd., in Surrey, England. Litchfield, along with his brother David, is one of the more prolific and respected researchers in the security community.
Indeed, at the recent Black Hat conference in Las Vegas, David Litchfield discussed a slew of new holes NGSS has found in some of Oracle Corp.s products but gave few details on the actual vulnerabilities.
After CERT last year decided to distribute research to a paid mailing list and, later, to partner with the Department of Homeland Security to create US-CERT, which distributes information to other government agencies, NGSS stopped providing data to the organization.
For its part, CERT this spring closed its public mailing list and no longer shares technical advisories with the public, even though nearly all its bulletins are based on information provided by the private sector.