Cyber-Kinetic Security

United We Secure: Why Cybersecurity Needs Information Sharing

Introduction: A Tale of Two Mindsets

The cyber battlefield is heating up. On one side, cyber criminals are pooling their knowledge like a well-oiled team; on the other, many organizations still act like lone wolves. I recall a fellow CISO remarking at a meeting, “I don’t need perfect security – just better security than the other guys. Then attackers will leave me alone.” This popular “outrun the bear” analogy – you don’t have to outrun the bear, just the slower hiker – was often used to justify a go-it-alone security strategy. It implies that as long as your company is slightly more secure than others, attackers will move on to easier prey.

This mindset might have comforted some executives, but it always made me uneasy. In fact, it’s a terribly flawed perspective in today’s threat landscape. Why? Because while defenders hesitate to share information, the attackers already are – and it’s giving them the upper hand. It’s high time we as security practitioners embrace a new mindset: collective defense through information sharing.

The Dark Web’s Team Sport: Cybercriminals Do Share

If there’s one thing we know, it’s that cybercriminals are not lone geniuses working in isolation. They operate in vibrant underground communities – dark web forums, chat rooms, black-market bazaars – where they actively share tools, exploits, and stolen data. In these shadowy corners of the internet, every piece of knowledge has a price tag or a willing taker. Got a new zero-day exploit? You can auction it off to the highest bidder. Developed a sophisticated malware toolkit? Rent it out as a service. Indeed, the attackers are exceptionally good at sharing attack data and even selling stolen data to empower their fellow hackers. This underground economy means that even attackers with minimal skills can buy or rent advanced capabilities off-the-shelf. For example, the notorious Blackhole exploit kit is rented to miscreants for about $700 per quarter or $1,500 per year – essentially a subscription service for hacking tools. These exploit kits often come with customer support and regular updates, just like legitimate software products.

The result? Cyber crime has become a team sport. As an FBI briefing noted, “cyber criminals are forming private, trusted, and organized groups” and adopting “professionalized business practices”, which let hackers of all skill levels access the tools and knowledge needed for cyber attacks. In other words, the bad actors have figured out that by collaborating and sharing information, they can all be more effective. They trade tips on vulnerabilities, pool resources for bigger jobs, and even build reputations in their communities by contributing new tools. Every time one attacker learns how to crack a system or develop a clever phishing lure, that knowledge quickly propagates through the criminal networks. It’s no wonder that the threat landscape has evolved so rapidly – the adversaries are effectively crowdsourcing their tactics and innovating faster than ever.

Yet, while the hackers freely swap notes in dark web forums and black markets, many of us on the defensive side still operate in silos. This imbalance – attackers united, defenders divided – is dangerous. If the “bad guys” are sharing so effectively, we “good guys” need to do the same or risk constantly being a step behind.

Defenders in Silos: The Problem with “Outrunning the Bear”

Contrast the criminals’ information marketplace with how organizations often behave. Too many companies keep breach incidents and threat intel close to the chest, only sharing on a “need-to-know” basis (if at all). Outside of a few sector-specific info-sharing groups, it’s common for a company that gets hit by a new attack to quietly handle it and hope nobody finds out – including their peers who might be the next targets. There’s a prevailing notion among some executives that as long as their security is slightly better than others, they’ll be fine. This is the “outrun the bear” mentality mentioned earlier, and it’s still prevalent in boardrooms and CISO circles (often behind closed doors).

Let’s debunk that analogy. Yes, opportunistic attackers might go after the easiest targets first – if a hacker is just scanning for any vulnerable website, having stronger passwords than your neighbor could make the hacker move on. But in today’s world we face a full spectrum of threats. Many attackers are not random opportunists; they are determined adversaries – whether financially motivated cybercrime gangs or state-sponsored APT groups – who will specifically target an organization for what it has. If you have the data or assets they want, the bear is going to keep coming for you no matter how many other hikers (or companies) it passes on the trail. In these cases, you can’t simply run faster; the attacker will keep trying. We’ve already seen this in high-profile attacks: think of the Google Aurora breach in 2010 or the RSA Security breach earlier this year – those weren’t random drive-by attacks, but targeted campaigns that wouldn’t have been deterred just because the victims had above-average security.

Even against opportunistic threats like mass malware, the “better him than me” approach is shortsighted. If every company only cares about being just a bit more secure than the next, we end up with a race to the middle – and a lot of victims. The weakest organizations get compromised first, yes, but that doesn’t mean the slightly stronger ones are safe forever. In fact, widespread compromises can harm everyone: attacks on less secure firms can lead to attackers gaining infrastructure or footholds to pivot toward others (consider breaches of small suppliers leading to big corporations getting hacked). Moreover, when attackers easily chew through a herd of poorly defended targets, it enriches and emboldens them – the profits from those attacks fund the development of new tools and exploits, some of which will eventually be used on higher-value victims. In short, your organization’s security is interconnected with the security of the community at large.

To truly defend ourselves, we must move past the “outrun the bear” mindset and towards a “fight the bear together” philosophy. No single company can see every threat or stop every attack in isolation. But if we collaborate – sharing warnings about the “bears” (threat actors) prowling around and the traps they’re laying – we all stand a better chance of surviving. Security shouldn’t be a competitive differentiator we keep to ourselves; it should be a shared mission against a common enemy.

Strength in Numbers: How Sharing Benefits Defenders

Embracing information sharing in cybersecurity isn’t just altruism – it’s practical defense strategy. When organizations share timely details about attacks, vulnerabilities, and adversary techniques, everyone gains. Here are a few key benefits of robust info-sharing:

Early Warning and Faster Response: If Company A gets hit by a new strain of malware today and immediately alerts its peers, Companies B, C, and D can beef up their defenses or watch for indicators of that threat before it hits them. Sharing threat indicators (like suspicious IP addresses, phishing email fingerprints, malware signatures, etc.) can dramatically shrink everyone’s detection and response window. It’s the cybersecurity equivalent of neighborhood watch: one neighbor’s break-in can prompt the whole block to lock their doors and call the cops. We’ve seen this work in practice – for example, back in 2009 when the Conficker worm infected millions of computers worldwide, it was a coalition of security experts and companies sharing information that enabled a rapid, coordinated counterattack. The Conficker Working Group pooled their intel to devise a mitigation strategy, and through that collaboration (along with help from industry ISACs, incident response teams, and law enforcement) they contained a global threat relatively quickly. It’s a shining example of how sharing such information can and has protected users and boosted the security community’s response.

Collective Intelligence (No One Can Know It All): In today’s threat landscape, no single organization – public or private – can have full awareness of all threats and incidents. Attack techniques are too diverse and proliferating too fast. But each security team sees a piece of the puzzle. By sharing those pieces, we assemble a much more complete picture of the adversaries. One company’s network logs might reveal a novel attack pattern that others haven’t seen yet. Another company might have reverse-engineered a malware sample and can share indicators of compromise. When these insights flow into a shared pool (be it via an ISAC bulletin, a trust-group email list, or an informal Slack channel among CISOs), every participant’s defensive posture improves. We essentially multiply our threat intelligence. Attackers win by dividing us; we win by uniting our knowledge.

Raising the Baseline (Herd Immunity): Widespread info-sharing helps ensure that fewer “easy targets” are left for attackers to prey on. If all organizations know about the latest phishing campaign or software vulnerability, they can take action (user awareness, patching, etc.) before they become victims. This raises the overall baseline of security across the community. From the attackers’ perspective, their job gets harder – they encounter more resistance and fewer soft targets. As one security paper noted, when defenders share attack information broadly, it “improve[s] security as a whole while increasing the complexity and costs for the attackers”. In economic terms, we’re disrupting the attackers’ return on investment. The more we force them to retool and reinvent because their last trick no longer works (since everyone learned about it), the more we tilt the cost-benefit calculus in favor of the defense. Ideally, collaboration can lead to a form of herd immunity in cyberspace: if enough of us are patched and prepared, the chance of a malware epidemic or widespread breach decreases for all.

Speed and Effectiveness of Government Support: Sharing information doesn’t only help peer organizations; it also enables better support from law enforcement and government agencies. Remember, agencies like the FBI or national CERTs can only act on threats they know about. If industry keeps breaches and intel secret, the government is “flying blind” and can’t mobilize resources or craft policies to assist. Conversely, if businesses report incidents and share data, authorities can aggregate that to see the bigger trends and possibly take down threat actors. It’s in everyone’s interest to feed that broader view – without data, government can’t accurately measure the scope or impact of cyberattacks. In 2011, initiatives are underway to improve public-private cyber info sharing, but those rely on companies being willing to come forward. By sharing, we not only protect ourselves but fulfill a civic duty to help protect the larger economy and internet ecosystem.

In short, information sharing is a force multiplier. It lets defenders leverage each other’s eyes and ears. One company’s painful experience can become another company’s proactive defense – but only if that experience is shared.

Overcoming the Reluctance: Why Don’t Defenders Share?

Given the clear benefits, one might ask: why isn’t information sharing already ubiquitous among cybersecurity teams? The reality is, there are some entrenched barriers and fears that make companies hesitant to open up. Understanding these concerns is the first step to addressing them:

Legal and Regulatory Worries: Companies often worry that sharing cyber information could run afoul of laws or contracts. Antitrust laws, privacy regulations, or confidentiality agreements can create a “binding obligation of secrecy” in some cases. Even when exceptions exist (for example, sharing under a government program or with an ISAC), there’s fear that a broad interpretation might invite lawsuits. Until recently, there was no explicit legal safe harbor for exchanging cyber threat data. This legal gray area has undeniably chilled some sharing – firms don’t want to risk being sued for breaching confidentiality or privacy by sharing indicators, even if it’s to help others. (The good news is that policymakers are waking up to this; discussions are underway in Washington to provide clearer protections for cybersecurity info sharing.)

Reputational and Liability Concerns: Let’s face it – no one likes to admit they got hacked. Companies fear that if they share details of an incident, it could leak or eventually become public, harming their reputation and spooking customers or investors. As Microsoft’s security counsel Scott Charney pointed out in Senate testimony, a company disclosing its vulnerabilities might suffer reputational damage, and it “may even suggest to hackers that security is inadequate, encouraging other attacks.” There’s still a stigma around being a breach victim, which makes many executives default to “keep it quiet”. Additionally, organizations worry about liability – could sharing indicators implicate them in not doing enough to prevent the attack? Or might sharing data about a hacker violate privacy laws? These uncertainties make cautious lawyers pump the brakes on sharing.

Competitive and Business Disincentives: Some industries are very competitive, and companies may feel that sharing security insights is akin to giving a leg up to rivals. Remember the “outrun the bear” mindset – if a CISO secretly believes their security program is a competitive advantage (“we’re harder to hack than others in our sector”), they might hesitate to share what they know, lest they erase that edge. There’s also a resource concern: preparing information for sharing (sanitizing data, following intel formats) takes effort, and not all organizations want to invest time helping others if there isn’t an immediate ROI for themselves.

Lack of Trust or Mechanisms: Effective sharing often requires a trusted forum or relationship. Some organizations simply don’t know whom to share with safely. If you blurt out details of an ongoing attack on a public mailing list, that might backfire. The best sharing tends to happen in environments with established trust and rules (like ISACs or closed peer groups), where members know information won’t be misused or further disclosed. Many sectors beyond finance and government lack mature sharing groups, so companies are stuck in a catch-22: they don’t share because no network exists, and no network exists because companies aren’t yet sharing. This is starting to change, but it’s a slow culture shift.

These concerns are valid, but not insurmountable. Solutions are emerging: governments are considering legislation to shield companies from liability when sharing threat data in good faith. Organizations are learning to “share sanitized information” – meaning they strip out sensitive details like customer data or company specifics and share just the threat specifics. That way they contribute to collective defense without exposing any crown jewels or embarrassing details. Moreover, as more success stories of sharing come out, the mindset is shifting. Security leaders are beginning to see that not sharing is ultimately more risky: if you keep a breach secret, you might face that threat again and again in isolation, whereas sharing it could enlist others to help neutralize it (or at least warn them).

Perhaps most importantly, there’s a growing recognition that security is a “team sport” against attackers, not a competition among companies. A breach at one bank hurts all banks’ trust; a supply chain compromise at a small vendor can hurt its big clients. We rise and fall together in the face of cyber threats. As such, many forward-thinking CISOs (especially in sectors like finance) are championing a more open dialogue about threats. The old philosophy of “security through obscurity” – keeping your problems hidden – is giving way to a philosophy of “security through community.”

Toward a Culture of Sharing: ISACs and Informal Alliances

So how do we put this into practice? The good news is that we have some foundations to build on. Information Sharing and Analysis Centers (ISACs) have been around for a while in certain industries, acting as hubs for companies to share threat intelligence and best practices. For example, the Financial Services ISAC (FS-ISAC) has helped banks quietly share fraud and attack data for years, and there are ISACs for energy, healthcare, IT, and other sectors. These groups show that even fierce competitors can cooperate on security. If you’re a CISO and your industry has an ISAC, joining it is a no-brainer for access to a trusted sharing community.

However, ISACs alone aren’t enough. At the moment, they tend to be formal, sector-specific, and often limited to larger organizations. Cyber threats, meanwhile, don’t respect sector boundaries – an attack method used against a retailer might later hit a hospital or a government agency. We need more flexible and inclusive sharing mechanisms, beyond just the traditional ISAC model. (In fact, I predict that in the near future we’ll see the rise of new forms of information-sharing organizations that are not strictly tied to industries – perhaps ad-hoc trust groups or regional alliances – to cast a wider net. These might be the next evolution, complementing ISACs with a broader or more informal approach.)

In the meantime, we can foster informal sharing networks. As a CISO or security practitioner, you can start by building relationships with your peers. This can be as simple as a monthly meetup of local CISOs to swap war stories, or an email group of security contacts in companies you do business with. Many of us already attend cybersecurity conferences – let’s leverage those connections year-round. If you meet someone at Black Hat or RSA and you’re impressed with their insight, keep in touch. When you encounter a new attack, consider giving them a heads-up (“Hey, we saw attackers abuse a particular VPN flaw – you might want to check your systems”). One informal example I’ve encountered is a group of CISOs in the same city forming a WhatsApp chat to rapidly alert each other when they see suspicious activity targeting multiple companies. These kinds of trusted circles can be incredibly effective, especially when an official channel doesn’t exist for a given need.

Another avenue is public-private partnerships. Many governments have programs to share classified or sensitive threat intel with industry (for example, the UK’s CISP or the US InfraGard and the budding DHS information-sharing initiatives). If you have the opportunity to participate, doing so can give you early insight – and also lets you feed what you know back into the larger defense apparatus. Even sharing with vendors and suppliers is important: if you detect new malware, telling your antivirus provider or security vendor helps them update protections for all their customers.

Ultimately, creating a culture of sharing means making it routine and expected. It shouldn’t feel extraordinary to pick up the phone and alert a peer about a threat; it should be as normal as forwarding a virus alert to your IT department. This is partly a leadership issue – CISOs should encourage their teams to contribute to information exchanges, and reward them for helping others, not just protecting the home turf. Over time, as trust builds and success stories spread (“We dodged that bullet thanks to an early tip from a partner!”), the momentum for sharing will grow. Our goal should be that by the time someone says “I have intel about an active cyber threat,” the next question isn’t “Why risk sharing it?” but rather “Who all should I share this with, and how fast?”

Conclusion: Stronger Together

In today’s cyber realm it’s clear that no one can fight the adversaries alone. The attackers have figured out the power of information sharing – it’s high time that we, the defenders, fully embrace it too. We must replace the outdated notion of “every company for itself” with an understanding that collective defense is our best defense. Every breach, every attempted intrusion, every new strain of malware carries a lesson. If those lessons stay locked within one organization’s walls, we’re doomed to let the attackers repeat their successes on others. But if those lessons spread across our community, each incident can fortify dozens of other companies’ shields.

Building a robust information sharing culture won’t happen overnight. It requires trust, willingness to sometimes swallow our pride, and frameworks (both formal and informal) to exchange data safely. But we’re on the right path: industry groups are talking more, government is beginning to support it, and many security leaders (like those of us who have witnessed the attackers’ collaborative strength) are championing the cause.

So, to my fellow CISOs and security practitioners: let’s take a page from the hackers’ playbook. They understand that information is power, and they don’t hesitate to share it (for their gain and our pain). We need to turn the tables. Share your knowledge, your warnings, your discoveries – whether through an ISAC, a joint task force, or just a friendly heads-up to a peer. By doing so, you’re not giving away an advantage; you’re creating a new one for the community that ultimately protects your own organization too. In cybersecurity, a rising tide truly does lift all boats.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.