Why does there need to be secrecy and indemnity for corps sharing non-PII data? Everything I've heard about these CISPA-esque sharing schemes is that the gov wants to have corps share potentially unmasked data with the gov AND with each other without risk of getting in trouble for privacy violations.
Secrecy mostly because it's live intel -- these aren't your run-of-the-mill hackers, they'll adapt. If you publish your intel each month publicly, they'll just make sure to run your intel against their latest malware and make sure you can't detect them.
Indemnity I'm not fully versed on (I'm just a dev, and this is more of a law area), but I get the idea that they want to be able to say, "Block these domains, and watch out for these email addresses -- they're spear phishing addresses" without getting in trouble for sharing those email addresses in the first place.
After all, if we're hunting for hackers, and the hackers end up being users of your website, do the hackers suddenly get immunity from being detected? If I see "l33th4x0r12345" as a user on my system, and I know that user just tried a bunch of XSS on my support staff, I'm going to want to let other groups know that "l33th4x0r12345" is a bad actor.
This is a valid question, and honestly I'm not sure.
Once you're asking this question though, you've gotten past the point I think a lot of folks are hung up on, and that's the content of the intel.
I'd just like to get folks to a point where they're understanding that their mother's maiden name isn't getting blasted through the cybersecurity world.
How many businesses have access to that list or even know it exists? Every single business in the U.S. needs to get smarter about online security, and a big part of that is getting useful information about modern lines of attack. A few private arrangements are not going to do the job.
The fundamental problem is that there are few limits on why a customer or investor can sue a company. Getting hacked is obviously a material impact on a business, and so public disclosure of a hacking often leads to lawsuits.
There is an entire industry of lawyers who look for any excuse to sue companies; they often get "go-away" settlements even if there's not much to the case. It's just cheaper for the company than a trial.
So, this creates a strong incentive for companies to never ever reveal any cybersecurity problem unless they are compelled to do so by law. As a result, most of the current systems for sharing real-time cybersecurity info are private, invite-only, your-buddy-has-to-invite-you type affairs.
The government is not a private company and can't be sued for revealing cybersecurity information. So it could collect the detailed threat info and share it widely--helping security teams get smarter faster.
The hard part is that details of intrusions and hacks almost always include data that could be characterized as personally identifiable (since every attack has a person behind it somehow). So the hard part is setting a legal standard that keeps data usefully specific, while protecting everyone else's privacy.