A new non-governmental body has published the first set of voluntary standards for setting up Information Sharing and Analysis Organizations (ISAO) for the private sector. The voluntary standards have been developed over the past year to implement an executive order intended to improve sharing of information about cybersecurity threats.
“These publications provide the cornerstones to build out an information sharing ecosystem at unprecedented scale,” Rick Lipsey, Deputy Director of the ISAO Standards Organization, said in a statement.
This probably does not seem like big news. After all, industry-specific Information Sharing and Analysis Centers (ISAC) have been operating since 1999. There now are more than 20 ISACs sharing information about cyberthreats. But President Obama’s 2015 Executive Order is intended to expand sharing beyond specific industrial sectors.
According to Homeland Security Department’s National Cybersecurity and Communications Integration Center, which coordinates the program, it addresses those organizations that felt left out because they do not fit neatly into the sector-based ISAC structure.
“ISAOs may allow organizations to robustly participate in DHS information sharing programs even if they do not fit into an existing critical infrastructure sector, seek to collaborate with other companies in different ways (regionally, for example), or lack sufficient resources to share directly with the government” the center said in a statement. “ISAOs may participate in existing DHS cybersecurity information sharing programs and contribute to near-real-time sharing of cyber threat indicators.”
The ISAO Standards Organization, led by the University of Texas at San Antonio, was created in October 2015 to establish technical and operational models and best practices for the new organizations. The first four standards documents were published today (Sept. 30, 2016). They are:
• Introduction to Information Sharing and Analysis Organizations: An overview that previews the full ISAO document series and the scope of future guidelines and standards.
• Guidelines for Establishing an Information Sharing and Analysis Organization: Guides readers through critical considerations in creating an effective organization.
• Introduction to Information Sharing: A conceptual framework for information sharing concepts, the types of cybersecurity-related information an ISAO might want to share, ways to facilitate information sharing, and privacy and security concerns to be considered.
• U.S. Government Relations, Programs, and Services: Describes relevant federal laws and regulations on cybersecurity information sharing, as well as state and local requirements. It includes a comprehensive listing of government resources available to ISAOs and their members.
Will this expanded information-sharing ecosystem make a difference in our cybersecurity? That remains to be seen. It is difficult to say for sure whether the existing ISACs have made a difference. The National Council of ISACs says that its members have successfully provided operational services such as risk mitigation, incident response, and information sharing to protect critical infrastructures, and that “many ISACs have a track record of responding to and sharing actionable and relevant information more quickly than government partners.”
Still, reports of growing threats, continuing vulnerabilities and repeated breaches—some of them spectacular—are not encouraging. But we should probably not be too quick to condemn the ISACs and their members. It is likely that things would be even worse without their efforts.
Hackers, hacktivists, organized crime and national cyberwarfare and espionage organizations have a history of cooperating to discover and exploit vulnerabilities. Increased sharing among victims, defenders and other good guys can only help in countering our increasingly organized adversaries.
The ISAO SO will host its next online public meeting at 1pm CT, Oct. 20. Upcoming publications and a national information sharing conference for 2017 will be discussed.