We've been breached. Every man for himself! (guest post)
It's rare that I have guest posts in the Salted Hash blog. But the author of this post, Joe Franscella, has a birthday today. So, I figured, why not? He also raises some important points about how we might get breached companies to stop being so secretive.
In an effort to improve cybersecurity, private enterprise and government agencies have sponsored and co-sponsored numerous industry associations designed to encourage cyber threat intelligence sharing. As recently as last month, another association emerged to help healthcare organizations reduce their risk of a breach through threat intelligence sharing. Although most of these organizations are well-intentioned and provide some security benefits, many industry experts agree that regulatory compliance, trust issues, privacy concerns and legal ramifications often stop companies from sharing meaningful information that organizations could actually use to improve cyber defenses.
During an RSA 2012 session on Big Data, several panelists confirmed this fact once again. They agreed that although Big Data repositories may prove to be a treasure trove of threat intelligence, regulations and the threat of lawsuits would continue to prevent security and risk professionals from sharing useful information outside of their own organizations.
Fast forward to the Global Payments breach. Analysts, qualified speculators and journalists estimated that through this compromise, hackers stole the personal information of as many as 1.5 million payment card users. How did this happen? Are any other organizations still in danger? Did the attackers simply go silent, just waiting to start operating again? No one outside of the investigation's inner circle really knows.
You would think that in the name of security Global Payments would have stumbled over itself in a rush to let other organizations know exactly what happened and how to prevent such an attack, but this wasn't the case. What the world has received is a tight-lipped, well-prepared statement and scripted conference call where even some of the most responsible of journalists claim that they were prevented from asking questions. Moreover, anyone who read the Global Payments press release on the subject could have concluded that a more appropriate headline would have been, "We've Been Breached, Every Man for Himself!"
Global Payments isn't a microcosm. Their publicity strategy is no different from the path many other breached organizations would take. Moreover, no one should fault Global Payments entirely for its minimalist stance. The company operates in a world where regulations are punitive, lawyers advise clients to take the Fifth, and everything you say can and will be used against you. Until this changes, we are going to continue to experience radio silence around breaches. Silence that experts say can stall security, assist attackers and leave potential victims at risk.
Experts' opinions on voluntary industry organizations, continued breaches and increasing numbers of successful cyber attacks clearly demonstrate that organizations require greater motivation when it comes to threat intelligence sharing. The question everyone with a stake in Internet security should be asking themselves is, "How do we incentivize organizations to share threat intelligence through a structure that will protect as many organizations and individuals as possible?"
One way would be for government to provide financial incentives and reduced breach-related legal and cost burdens to organizations that regularly share on-the-record threat intelligence. Such incentives should be contingent on organizations' willingness to follow a few simple rules, for example:
- Rule 1: Share regularly and on-the-record -- into a designated industry community -- threat and attack information that organizations can use to better secure their environments.
- Rule 2: Divulge immediately all information into the community that could help other organizations to defend against active attacks.
- Rule 3: Endorse openly to the community the names of security solutions and technologies that are fulfilling their mission and reducing security risks.
Creation of a designated community would be key to the success of a share, divulge and endorse approach. The spirit of the idea is not that organizations should outline their threat intelligence or breach details on the nightly news or violate personal privacy as some say the controversial CISPA would do. There are times when law enforcement agencies' investigations will benefit from properly timed public disclosure, and everyone has the right to privacy. The community would be a tightly-governed place that authorized and thoroughly-checked-out members who need threat intelligence to perform their jobs would have access to. When appropriate, such a community should release information to the public, of course.
By no means should any organization that suffers a breach be completely relieved of the financial and legal responsibility it has to its customers, shareholders, employees, and partners. And by no means should any organization with an obligation to protect consumer privacy be granted complete immunity, especially if it shares information in an abusive or unethical manner. However, those that follow a few simple rules in the name of improved information security should be rewarded with -- at the very least -- financial incentives and a degree of protection.
Joe Franscella is the IT Security Practice Director at Trainer Communications, a high tech public relations and marketing firm based near California's Silicon Valley. Prior to this, he was the managing editor of a community newspaper where he covered the impact of regulatory compliance on businesses ranging in size from mom and pop shops to global enterprises. Prior to this, he worked in state government and within the highly regulated California public utilities industry. He holds a BA degree in Political Science from the California State University at Long Beach. He blogs regularly at www.securityheavy.com. Opinions expressed in this post are his own and do not represent the opinions of his employer or associated clients.