NIST’s DRAFT Cyber Threat Information Sharing Guide

NIST released its Draft Cyber Threat Information Sharing guide. As an analyst I share information. It is what I do. I consider myself an information sharing professional too. So, this topic intrigues me.


Now, recommendation 2 of the guide says:

Organizations should exchange threat intelligence, tools, and techniques with sharing partners.

Generally, that sounds ok. But there could also be some concerns.

One is that it seems anti-competitive. At a fundamental level, should cyber security be a “competitive enabler” (e.g. a way to beat out the competition) or a “cost center” (e.g. an expenditure that has to be made as a part of doing business)? The question matters because there is a key difference in how organization leadership makes investments in enablers vs. costs.

For example, at a meta-economic level, we might want consumers and investors (see SEC guidance) to make decisions based on the security capability of organizations. If Target can’t make sense of its network security sensor alerts, but Shopko can, then maybe an investor will want to invest in Shopko, or maybe a consumer will want to shop there instead of Target.

Encouraging organizations to share information about cyber threats intuitively weakens the “competitive enabler” vision, and strengthens the “cost center” vision.

I recognize that the issue is much more complex than what I have set forth above: I do not believe that most consumers and investors are prepared or discerning enough to make investment or purchase decisions based on cyber security competence. I am merely pointing out a potential flaw in the recommendation to simply “exchange threat intelligence”.

I might feel better if recommendation 2 included an adjective such as “deliberately”, “carefully”, “consciously”, or “thoughtfully”.