
The fundamental problem is that there are few limits on why a customer or investor can sue a company. Getting hacked is obviously a material impact on a business, and so public disclosure of a hacking often leads to lawsuits.

There is an entire industry of lawyers who look for any excuse to sue companies; they often get "go-away" settlements even if there's not much to the case. It's just cheaper for the company than a trial.

So, this creates a strong incentive for companies to never ever reveal any cybersecurity problem unless they are compelled to do so by law. As a result, most of the current systems for sharing real-time cybersecurity info are private, invite-only, your-buddy-has-to-invite-you type affairs.

The government is not a private company and can't be sued for revealing cybersecurity information. So it could collect the detailed threat info and share it widely--helping security teams get smarter faster.

The hard part is that details of intrusions and hacks almost always include data that could be characterized as personally identifiable (since every attack has a person behind it somehow). So the hard part is setting a legal standard that keeps data usefully specific, while protecting everyone else's privacy.


