I am loosely affiliated with a couple of different organizations that are able to provide me with information about government-issued cybersecurity reports that have restricted distribution markings on them; not classified, just a variety of sensitive but unclassified markings. Of course, part of the condition of my receipt of copies of this information is that I am not able to publicly disclose the information contained in those reports. So, the following discussion will be a tad bit vague as I describe a disturbing trend in such information sharing activities.
We all know that US-CERT provides a limited distribution web site where adequately vetted members of the various affected private sector organizations (this does not include me) can get up-to-date unclassified information about trends and issues in the cybersecurity realm. ICS-CERT has a portion of that portal that they use to discuss vulnerabilities in control systems and attacks on those systems that they don’t want widely disseminated so as to not allow control system adversaries to know what we know about their activities. This also includes information about specific vulnerabilities and fixes for those vulnerabilities that are being disseminated to system owners that will subsequently be publicly released on the ICS-CERT web site.
Now all of the above is clearly a good thing. Critical infrastructure organizations can get up-to-the-minute information (okay, day or week, not minute) about vulnerabilities that might affect their operations while the bad guys don’t know how much the good guys know about what is going on. On a number of occasions I have recommended that every control system owner apply for access to this portal.
It has come to my attention that in the last couple of weeks there have been two restricted access advisories published on the ICS-CERT portion of this portal that have dealt with vulnerabilities that have been publicly disclosed and discussed in the open press (including this blog). Now I have not seen the actual advisories, but the discussions about them on the portal do not seem to fall into the realm of keeping the bad guys in the dark while the good guys fix the problem. The advisories sound more like the ‘see how special we are because we know sensitive stuff’ types of advisories.
Now a certain amount of that is going to go on in any organization, even a very loose organization like this portal; membership becomes as important as the purpose of the membership. But this portal serves an important purpose, and US-CERT and ICS-CERT have a special obligation to ensure that information gets to the general cybersecurity community (not just this subset of it) as soon as practically possible. Playing ‘see how important you are because you belong to this group’ games does not serve well the purpose of that group or the safety of the larger society.