Federal Push for Cybersecurity Transparency is Good for Everyone

Cyberdefender secrecy is a hacker’s best friend. The time for full disclosure has arrived.

Imagine Country A is invading Country B. A has 1,000 troops, while defending B has ten times as many. Who are you betting on?

Except the general commanding B decides to trot soldiers onto the battlefield one at a time. Now where’s your money?

Ludicrous, right? But this is how we battle cyberattackers every day. And it has to stop.

SolarWinds was a transparency nightmare, and could have been worse

Last June, WIRED published a harrowing, must-read blow-by-blow of the SolarWinds hack, which compromised ~100 companies and a dozen federal agencies. SolarWinds is the worst supply chain hack in history, and one of the most dangerous attacks of any sort. As WIRED’s analysis makes clear, it could have been much worse.

For instance, roughly 18,000 SolarWinds customers installed the trojaned Orion update, even though the attackers followed up with second-stage activity against only a small fraction of them. And despite having been inside the affected networks for months, the attackers could have done far more damage had they not been discovered when they were.

Notable throughout the narrative was the lack of transparency among the various players. The SEC went so far as to bring charges against SolarWinds and Timothy Brown, the company’s chief information security officer (CISO), for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”

Toward the end of the story, it becomes clear that even federal investigators were failing to share critical intel.

Callers from the NSA [National Security Agency] and CISA [Cybersecurity & Infrastructure Security Agency] were suddenly livid, according to a person on the line—because for the first time, they were learning that Justice had detected the hackers months earlier. The FBI guy “phrased it like it was no big deal,” the attendee recalls. The Justice Department told WIRED it had informed CISA of its incident, but at least some CISA people on the call were responding as if it was news to them that Justice had been close to discovering the attack—half a year before anyone else. An NSA official told WIRED that the agency was indeed “frustrated” to learn about the incident on the January call. For the attendee and others on the call who hadn’t been aware of the DOJ breach, it was especially surprising, because, the source notes, in the months after the intrusion, people had been “freaking out” behind closed doors, sensing that a significant foreign spy operation was underway; better communication among agencies might have helped uncover it sooner.

Why can’t we all get along?

Cybersecurity has a transparency problem. The short version: attackers cooperate and defenders don’t, giving the hackers a tremendous advantage.

Sherri Ramsay, former director of the NSA/CSS Threat Operations Center, notes the cooperation among attackers, saying “[t]he harsh reality is that there is extensive collaboration among the cyber bad guys; there are few lone wolves. This extends across the entire spectrum of bad actors—nation-states, criminals, hacktivists, and terrorists.”

But why don’t cyberdefenders cooperate? For starters, if word of an incident gets out it will likely hurt the brand; the only questions are how badly, and how long recovery will take. News of a breach can depress the stock price and send customers to competitors. So leadership may decide to keep it quiet.

And by may, I mean all the time. The DOJ estimates that 85% of cybercrime goes unreported.

This deprives other organizations of critical information needed to safeguard against the attack, which is sort of like not telling the neighbors that the au pair they just hired is Typhoid Mary.

The cybertimes, they are a’changin’

Most people in the industry are aware of the Federal Government’s increased emphasis on security and reporting, the latest move being the SEC’s cybersecurity disclosure rules, which took effect in December 2023 and require public companies to report material incidents. But the government’s campaign to drive transparency is broader than many realize.

Writing in Fortune, CyberSheath CEO Eric Noonan says the federal government is quietly “pulling every regulatory lever available” to “define and enforce mandatory cybersecurity minimums on the entire economy.”

Every sector of the economy is under a transformative directive to fortify its digital defenses. Security posture has evolved from a superlative to a crucial factor that affects the bottom line. This isn’t just a policy change–it’s a paradigm shift, making cybersecurity compliance a legal imperative because its implications are more far-reaching than ever before.

Full speed ahead

How many cyberattackers are there? It’s hard to say, for obvious reasons, but maybe a few hundred thousand? And while we don’t like them, we certainly respect them. Hacker ranks include a lot of really smart people.

How many security professionals are there? Last year’s ISC2 Workforce Study estimates “the size of the global cybersecurity workforce at 5.5 million—a 9% increase from 2022, and the highest [they’ve] ever recorded.”

In other words, the good guys have the bad guys vastly outnumbered. We may well have more geniuses than they have people. And yet, the cost of cybercrime in the U.S. hit $320 billion in 2023, and the number is predicted to clear $1.8 trillion in 2028.

…because Country B is fighting the invaders with one soldier at a time.

We have to wonder what life would look like for cyberattackers if the entire security industry shared intelligence, including attacker tactics, techniques, and procedures (TTPs), freely among public and private organizations. In practice that means indicators and TTPs in machine-readable form, the way sector ISACs already exchange them over STIX/TAXII, rather than a press release weeks after the fact. What if we combined forces to fight our adversaries? What if we actually used our superior intellectual horsepower and organizational resources strategically?

A particular company might lose some ground in the market in the event of an incident, but in an environment of transparency the odds of a successful breach would diminish dramatically. Hackers would execute an attack and two days later every CISO in the world would know all the details.

It’s damned sure worth a try.
