There has been a lot of talk in the last year about the need for improved cybersecurity information sharing between the private sector and governments, and you can count on more of it this year. The thinking is that the more information governments and the private sector have about cybersecurity trends, vulnerabilities, and attack techniques, the more nimble and directed (and hopefully effective) IT security defenses can be.
Earlier last year, the U.S. President signed an Executive Order (EO 13691, February 2015) to establish information sharing and analysis organizations (ISAOs), which create ways for private business and government to more easily agree upon, and actually share, cybersecurity-related information.
That Executive Order followed the Cybersecurity Enhancement Act of 2014, which created a voluntary, opt-in public-private partnership for information sharing and took steps to improve R&D and close the cybersecurity skills gap.
Proponents of such ISAOs say the sharing efforts will improve national security; opponents doubt those security improvements will materialize and contend that some forms of sharing could harm consumer privacy and business confidentiality.
Interestingly, the recent 2015 US State of Cybercrime Survey found no uptick in the use of Information Sharing and Analysis Centers (ISACs, the sector-specific bodies that predate the newer ISAO concept) from 2013 to 2014; participation remained steady at 25 percent. The study evaluated survey responses from just over 500 executives at US businesses, law enforcement services, and government agencies. According to the survey, the industries most likely to participate are electric power, water, banking and finance, and government agencies.
That makes sense: they are all critical infrastructure industries, and they all have targets on their data centers. Perhaps the Cybersecurity Information Sharing Act (CISA), controversial from a privacy perspective and passed into law just before the Christmas break in the U.S. as part of the omnibus budget package (the Consolidated Appropriations Act, 2016), will help to increase the amount of cybersecurity data shared among government and industry.
Some highlights of CISA: it authorizes private organizations to monitor their own information systems for cybersecurity threats and to share the resulting threat indicators and defensive measures; it designates the U.S. Department of Homeland Security to lead the process for receiving and disseminating shared cybersecurity information; and it provides liability protection for monitoring and sharing conducted under the Act. One caveat practitioners should note: that liability protection only attaches to sharing done in accordance with the Act's requirements, which include reviewing shared indicators for, and removing, personal information about specific individuals that is not directly related to the threat.
In my interviews with CISOs over the years, one of the most successful ISACs has repeatedly been reported to be the Financial Services ISAC, or FS-ISAC. The FS-ISAC was established in 1999 (also through a presidential action, Presidential Decision Directive 63 of 1998). Years ago, after 9/11, I recall the FS-ISAC having about 40 or so members. Today, it exceeds 4,000 and includes nearly 99 percent of the banks and credit unions within the U.S.
Almost all of the CISOs with whom I've spoken about the FS-ISAC say that it provides everyone involved with extensive financial-sector analysis, lets them gauge the level of threat facing the financial services industry, and lets them adjust defenses more rapidly than they could using only the data each organization can see on its own.
There are other ISACs, too, covering sectors such as communications, utilities, IT, and maritime, among others.
One of the big concerns about ISACs is the confidentiality of enterprise and consumer data, and it is a real concern. But one of the challenges here is that ISACs and data sharing are spoken about as if the same rules should, or need to, apply across industries. That is not so. A retail ISAC would have very different needs from the organizations that own or run critical infrastructure. In retail, where much of the sensitive data concerns consumers, it may matter more that strict privacy rules are in place than that the types of threat data being shared are tightly restricted. In practice, the indicators most worth sharing (malicious domains and IP addresses, file hashes, attacker techniques) rarely need to include customer records at all, which is exactly the distinction CISA's personal-information scrub is meant to enforce.
Other industries that provide mission-critical services and infrastructure, however, may need to work much more tightly together in order for the industry to benefit.
Regardless, considering the increased abilities of attackers, the rising interest in conducting cyber attacks, and the continued militarization of the Internet and our business technology systems, let's hope that the years ahead bring more interest in, and use of, industry ISACs. Our ability to defend against industry-wide attacks may depend on it sooner rather than later.