There’s a significant difference between the capabilities of the “good guys” and the “bad guys” when it comes to cybercrime. The bad guys have no national boundaries when it comes to information-sharing, and they’re not bound by copyright law that keeps them from swapping code samples or by ethics in disclosing details of vulnerabilities. Without getting into the argument over whether the “good guys” should throw off the gauntlets and “play dirty” (would they even be good guys if they played dirty?), there are plenty of things we can do to share information and analyze data that don’t fall afoul of any laws or rules of ethics.
One of the complaints that I have often heard when speaking with data security people at large companies is that coming up with Return On Investment (ROI) data to plead their case for more security funding can be incredibly difficult — there’s just not a lot of info out there. Many companies fear releasing details of security breaches, as it can be incredibly damaging to brand loyalty or could lead to lawsuits or fines against the company. But sharing details of breaches improves the information available, so that other companies can better assess their own level of risk and prepare appropriately. It can also help law enforcement track, identify, and prosecute cybercriminals.
From an everyday user perspective, when companies share data, they’re less likely to accidentally leak their customers’ (your!) data and more cybercriminals can be caught and stopped. That’s a big improvement for all of us. Recently proposed European Union legislation could make a big change in that regard — companies would be required to report breach data or face fines. Most states in the US have enacted similar legislation already, but other countries have resisted such changes because it requires a fairly thorough examination of related issues, and there is fear that the legislation could lead to class action lawsuits and other things that might push businesses elsewhere. This article about the discussion of similar legislation in Australia gives a good idea of what concerns need to be addressed.
The EU and US governments have also recently agreed to share data about cross-border crimes that involve online fraud, phishing, and child pornography. Many cybercrime rings are international, which can make finding and prosecuting criminals incredibly difficult. This agreement will increase the pool of data law enforcement agents can use to identify cybercrime groups; rather than looking at small islands of what may appear to be unrelated incidents, with more data they can see patterns that indicate coordinated cybercrime efforts.
From a security wonk perspective, this is very exciting. The more cooperation we have within groups like law enforcement agencies, ISPs, Domain Name Registrars, banks, security vendors, and even private citizens, as well as between those different groups, the better we can protect ourselves and successfully go after the bad guys. Of all the cybercriminals that have been brought to justice, not one arrest has been made without the cooperation of companies, affected individuals, and law enforcement. The bad guys will always be a step ahead if they’re willing to share and the rest of us are not.