I was just sitting down with fellow Security magazine columnist Lynn Mattice. Lynn is a risk manager extraordinaire, all-around great guy, and straight talker. As we met over hot and sour soup, Lynn touched, appropriately enough, upon a hot topic that has soured many in industry -- the frequent government over-classification of cybersecurity information. Lynn pointed out the irony of withholding, in the name of national security, threat and vulnerability information that, if properly disseminated, would do more to help our national security.
Lynn’s point not only is valid, it has been acknowledged by the Government. In December of 2012, the White House put out our “National Strategy for Information Sharing and Safeguarding.” That document states, “Our national security depends on sharing the right information with the right people at the right time.” More recently, on February 15, 2015, the President issued an Executive Order for “Promoting Private Sector Cybersecurity Information Sharing.” The Executive Order begins, “In order to address cyber threats to public health and safety, national security, and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies . . . must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.”