There has been a lot of discussion recently about the need for improved cybersecurity information sharing. The catalyst is that the more information about cyber attack trends, vulnerabilities, and attack techniques organizations can share, the nimbler, more directed, and hopefully more effective IT security defenses could be.
Later this month, the U.S. DHS’s National Protection and Programs Directorate, or NPPD, will host a workshop to discuss the potential value as well as the feasibility of a cyber incident data and analysis repository, or CIDAR. According to the announcement, “such a repository would enable a novel information sharing capability among the Federal government, enterprise risk owners, and insurers to increase shared awareness about current and historical cyber risk conditions and help identify longer-term cyber risk trends. This information sharing approach could help not only enhance existing cyber risk mitigation strategies but also improve and expand upon existing cybersecurity insurance offerings.”
The stated goals of the working group, according to the statement, are:
1. Share the findings of the Cyber Incident Data and Analysis Working Group (CIDAWG), which is comprised of cybersecurity professionals from various critical infrastructure sectors, insurance companies, and other private sector organizations on the:
- Value proposition of a cyber incident data and analysis repository;
- Cyber incident data points that could be shared into a repository to support needed analysis; and
- Perceived challenges to sharing data into the repository and overcoming those challenges.
These findings can be found on Cyber Incident Data and Analysis Working Group White Papers.
2. Validate the feasibility of and solicit support for a CIDAR from the broad cybersecurity community - Receive input on how cyber incident data points shared into the repository should be prioritized, operationalized and automated and how the repository should be executed.
3. Receive input on voluntary information sharing approaches, models and best practices that could inform any future repository implementation.
Earlier this year, US President Barack Obama signed an executive order that established new information sharing and analysis organizations (ISAOs) that create ways for private business and government to more easily agree upon and actually share cybersecurity-related information.
That Executive Order followed the Cybersecurity Enhancement Act of 2014, which creates an opt-in program for private and public information sharing and takes steps to improve R&D and close the cybersecurity skills gap.
Proponents of ISAOs say such sharing efforts will improve national security when it comes to critical infrastructure. Opponents both doubt such security improvements and contend that some forms of sharing could harm consumer privacy and business confidentiality.
Interestingly, the recent 2015 US State of Cybercrime Survey found that there was no uptick in the use of information security sharing organizations from 2013 to 2014, and such participation remained steady at 25 percent of organizations. This study evaluated survey responses from just over 500 executives of US businesses, law enforcement services, and government agencies. According to the survey, the industries most likely to participate in sharing organizations are electric power, water, banking and finance, and government agencies.
In my interviews with CISOs over the years, one of the most successful ISACs has proven to be the Financial Services ISAC, or FS-ISAC. The FS-ISAC was established in 1999 (also through a presidential action, Presidential Decision Directive 63). Years ago, just after 9/11, I think there were about 40 or so members. Today, the 501(c)(6) nonprofit organization has about 4,500 organizations, including commercial banks and credit unions of all sizes, brokerages, and insurance firms, and reaches 99 percent of the banks and credit unions in the U.S.
Almost all of the CISOs with whom I’ve spoken about the FS-ISAC say that it has helped to provide all involved with extensive financial industry sector analysis, helped to improve the level of threats facing the financial services industry, and helped members to adjust defenses more rapidly than if only viewing data each organization can see on its own.
There are other existing ISACs, too, such as those in the communications, electricity, IT, maritime, and many other industries.
However, one of the big concerns about ISACs is the risk of exposing confidential enterprise and customer data. It is a real concern, but there should be plenty of security data that would provide value without placing any organizational confidentiality at risk. And considering the increased abilities and vigor of modern attackers, the rising interest in cyber attacks, as well as the continued militarization of the Internet and our business technology systems – in the years ahead let’s hope that there is more interest in and use of industry ISACs. Our ability to defend against industry-wide attacks just may depend on a healthy exchange of information about vulnerabilities, attack techniques, and attackers.