I was just sitting down with fellow Security magazine columnist, Lynn Mattice. Lynn is a risk manager extraordinaire, all around great guy, and straight talker. As we met over hot and sour soup, Lynn touched appropriately enough upon a hot topic that has soured many in industry -- the frequent government over-classification of cybersecurity information. Lynn pointed out the irony of withholding threat and vulnerability information in the name of national security that, if properly disseminated, would do more to help our national security.
Lynn’s point not only is valid, it has been acknowledged by the Government. In December of 2012, the White House put out our “National Strategy for Information Sharing and Safeguarding.” That document states, “Our national security depends on sharing the right information with the right people at the right time.” More recently, on February 15, 2015, the President issued an Executive Order for “Promoting Private Sector Cybersecurity Information Sharing.” The Executive Order begins, “In order to address cyber threats to public health and safety, national security, and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies . . . must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.”
Which made me wonder: perhaps there should be a Cybersecurity Information Sharing Classification System that is forced to live side-by-side with the current Classification System. Conveniently, only a few words would need to be altered from the existing definitions, as shown here:
“Confidential” (replaced by “Code 1 Share”) shall be applied to information, the unauthorized non-disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.
“Secret” (replaced by “Code 2 Share”) shall be applied to information, the unauthorized non-disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.
“Top Secret” (replaced by “Code 3 Share”) shall be applied to information, the unauthorized non-disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
Is this a practical recommendation? Perhaps not. But it sure would be nice if those who have the responsibility for classifying information in the first place paused, even for a brief moment, to have this debate with themselves. Just a thought, while sitting at a Chinese restaurant.
For more information on government information sharing, check out this free webinar from Lynn Mattice: A Major Intelligence Failure by the U.S. Government: How It Impacts Enterprise Security at