Several years after the beginning of a widespread effort between public and private parties to create an environment that would allow broader dissemination of vulnerability information, friction among the players is now scuttling such efforts.
The federal government, a key promoter of numerous information-sharing programs, announced last week it wants even more information from private network operators on vulnerabilities, infrastructure, traffic routing, disruptions and outages. At the same time, government officials and quasi-government agencies such as CERT have been making less and less information available to the private sector.
In response, many network operators and private security researchers, the sources of much of the data now available, have recently announced plans to take their information about viruses and worms and other hacks back underground, where, they said, it improves overall security and represents a lucrative revenue stream.
This reversal of efforts to create open exchanges of security data comes at a time when government agencies are being urged to change their secretive ways. In the short term, at least, the struggle will mean less free information available to the thousands of enterprises that depend on existing information-sharing programs to stay current on security and vulnerability matters, insiders said.
“I know I'd be angry if I'd been sitting on a potential breach for days without knowing,” said Jacob Bresciani, systems analyst at the University of Alberta, in Edmonton. “I should at least be aware of the problem and, at the very least, increase monitoring.”
Still, the industry seems intent on keeping vulnerability data under wraps.
“The security industry is very competitive, [and] to give full information on such issues loses your competitive edge,” said Mark Litchfield, co-founder of Next Generation Security Software Ltd., in Surrey, England. Litchfield, along with his brother David, is one of the more prolific and respected researchers in the security community.
Indeed, at the recent Black Hat conference in Las Vegas, David Litchfield discussed a slew of new holes NGSS has found in some of Oracle Corp.'s products but gave few details on the actual vulnerabilities.
After CERT last year decided to distribute research to a paid mailing list and, later, to partner with the Department of Homeland Security to create US-CERT, which distributes information to other government agencies, NGSS stopped providing data to the organization.
For its part, CERT this spring closed its public mailing list and no longer shares technical advisories with the public, even though nearly all its bulletins are based on information provided by the private sector.
CERT's loss is the United Kingdom's gain. NGSS two weeks ago inked a deal with the British government to provide that country's top cyber-security office with access to NGSS research on an advance basis, something the Litchfields said they will not offer CERT or the DHS.
CERT joins a growing list of agencies close to, and within, the U.S. government that, while demanding rising volumes of data from the private sector, have not set an example for an efficient flow of information, experts say.
Still, the thirst for increased data, even to a government body reluctant to share it, could hinder security efforts, according to Bob Collet, vice president for engineering at AT&T Corp.'s Government Solutions division, in Washington.
“In the wrong hands, this compilation of critical infrastructure assets only increases vulnerability,” Collet told the House Government Reform committee last week. Collet added that sensitive network data should be closely guarded by individual providers.
That attitude has the owners of the popular Zone-h.org security portal taking a similar tack. Two weeks ago, the group announced plans to set up a private, restricted-access repository for exploit code. Also under development is a companion forum, which will be open to the public. No time frame was announced, however.
“We decided to use this scheme so that our exploit database will not be used by crackers or defacers to get access to other systems. Basically, we want to know who's who before granting access,” said Roberto Preatoni, administrator at Zone-h, based in Tallinn, Estonia. “Only when we trust somebody will we let him in. Everybody will have the possibility to gain our trust and get access, but it will not be an easy task.”
Another big part of the disclosure issue causing discontent among cyber-security players is compensation. Vulnerability information and exploit code have become valuable commodities, and many companies, including Internet Security Systems Inc., iDefense Inc. and others, provide some of their customers with prerelease versions of their research for a fee. As such, giving that data away to the government, or anyone else, is of very little interest.
“Our value proposition to customers is that they have advance notification of problems before the public does,” said John Watters, CEO of iDefense, based in Reston, Va. “People are not inclined to do things unless there's an economic incentive.”
Faced with the loss of security sources, state and federal agencies are gradually tightening the screws on the industries they hold regulatory sway over—mainly network operators—to turn over more data and keep the intragovernmental information-sharing programs vital.
Last week, the Federal Communications Commission imposed new mandatory outage reporting requirements, despite months of protest from AT&T and other major carriers. While the FCC assured the industry that sensitive information will be kept from public disclosure, some said they are not convinced.
Illustrating the waning leverage that the industry wields in the information-sharing struggle, FCC Commissioner Kevin Martin conceded last week that he is impressed with the carriers' voluntary reporting initiatives and said he agrees that sensitive network information must be protected, but that he voted for the new mandates because the DHS identified the outage information as critical to national security.