Shostack + Friends Blog Archive


Don't Share, Publish

I’d like to offer up a thought with regard to the latest swirl of discussion around ‘information sharing’ in security: Don’t share, publish.

I want to talk about this because more and more folks are starting to question the value of information sharing frameworks and forums. Andrew and I share that skepticism in The New School, and I’m glad more people are starting to question these assumptions. These questions exist, and are debated, because of secrecy. If the forums showed the data that’s being shared, or what was shared a year or three ago, we could evaluate it, rather than offer up opinions. And those of you who listen to me know that I’m bored with opinions, and like data, observation, and analysis. (Not to mention, when helpful, the Oxford Comma.)

So let’s talk about publishing. Publishing is when you put the information out there. We all agree it’s appropriate when the victim is known and the vulnerability addressed, or when the victim is anonymized. The victim may be known because of breach disclosure, or because the hackers engaged in defacement or data dumping. Contrast that with ‘sharing’ under some constrained set of conditions.

The instant you go from publishing to sharing, you start spending time and money on controlling who can see the data. That time and money are always limited, and so we should evaluate the return on that investment. Further, the instant that you start to de-contextualize an incident, by definition, you’re removing information that someone might use to gain understanding.

In some recently announced initiatives, there are controls on who can join in, and effort spent on anonymizing the data. Now, maybe what comes out is useful to you. Maybe it’s not. Maybe all that effort spent on controlling the flow of data would be better spent on its quality.

For years, people have asked me to justify my calls for public breach disclosure. I think it’s now time to level the playing field, and demand explanations from the advocates of sharing. Why are you advocating for sharing over publishing?

If you think that effort to anonymize the breach is worthwhile, I’d like to invite you to justify what effort is worthwhile, and under what conditions it’s worthwhile. There are some good reasons, including that the vulnerability exploited is not yet fixed or to protect an active investigation. If you think your data sharing initiative is worthwhile, please show us the data that you were sharing years back. Let’s compare the models and see how it’s working out, and let’s work to do better.

Otherwise, let’s stop talking about sharing, and show me — and everyone else — the data.