There has been a lot of talk about the need for improved cybersecurity information sharing. The thinking is that the more information the government and private sector have about trends, vulnerabilities, and attack techniques, the more nimble and directed - and hopefully effective - IT security defenses could be. Earlier this year, President Obama signed an Executive Order that established new information sharing and analysis organizations to give private business and government easier ways to agree upon, and actually share, cybersecurity-related information.
That Executive Order followed the Cybersecurity Enhancement Act of 2014, which creates an opt-in program for private and public information sharing and also takes steps to improve R&D and close the cybersecurity skills gap.
Proponents of such cybersecurity information sharing say that these sharing efforts will improve national security; opponents doubt that such security improvements will materialize and contend that some forms of sharing could harm consumer privacy and business confidentiality.
Regardless of who is correct, interest in cybersecurity information sharing has stalled. Consider the recent 2015 US State of Cybercrime Survey, which found no uptick in cybersecurity information sharing from 2013 to 2014: participation remained steady at 25 percent. This study evaluated survey responses from just over 500 executives at US businesses, law enforcement services, and government agencies.
According to the survey, the industries most likely to participate include the electric power, water, banking and finance sectors, as well as government agencies.
It’s not as if ISACs haven’t proven their value. In my interviews with CISOs over the years, one of the most successful ISACs has repeatedly been reported to be the Financial Services ISAC, or FS-ISAC. The FS-ISAC was established in 1999 (also through a presidential action, Presidential Decision Directive 63). Years ago, just after 9/11, there were about 40 members of the FS-ISAC. Today, the 501(c)6 nonprofit organization has grown to about 4,500 organizations, including commercial banks and credit unions of all sizes, brokerages and insurance firms, and it reaches 99 percent of the banks and credit unions in the U.S.
Almost all of those involved with this ISAC say that it has given members extensive financial sector analysis, the ability to gauge the level of threat facing the financial services industry, and the means to adjust defenses more rapidly than if each organization relied only on the data it could see on its own.
Other ISACs exist as well, such as those for the communications, electricity, IT, and maritime industries.
One of the big concerns among businesses when it comes to ISACs is the confidentiality of enterprise and consumer data. It is a real concern. But one of the challenges here is that ISACs and data sharing are spoken about as if the same rules should, or need to, apply across all industries. That is not so.
For instance, a retail ISAC would have very different confidentiality needs from the organizations that own or run critical infrastructure. Retail may well require privacy rules quite different from those that apply to the operators of the power delivery grid.
Regardless, considering the increased abilities of attackers and the rise in criminal cyber attacks, as well as the continued militarization of the Internet and our business-technology systems, the need for security information sharing will only increase. So, in the years ahead, let’s hope that there is more interest in, and use of, industry ISACs. Our ability to defend against industry-wide attacks may depend on it sooner rather than later.