Retail Info Sharing: How It Can Succeed
But Building Cyber-Intelligence Trust Will Take Time
In light of the massive Target Corp. breach and other recent retailer breaches, security experts welcome a new effort spearheaded by the Retail Industry Leaders Association to boost cyberthreat information sharing among merchants (see Retailers Launch Cyber Info-Sharing Center).
But for the effort to succeed in helping to prevent breaches, banking leaders say the association must develop a trusted cyber-intelligence sharing model that builds on the examples already set by other industries, including the financial services sector.
While the U.S. banking industry took about 10 years to build an adequate information sharing infrastructure, the retail industry does not have that much time to spare, says Bill Nelson, president of the Financial Services Information Sharing and Analysis Center, which spearheads information sharing.
"We think the key to all of this is speed," Nelson says.
Sharing cyberthreat information with the retail industry will be a priority for the FS-ISAC, he adds. "We would encourage the retailers to do the same," Nelson says. "Getting information out about these attacks as they happen is crucial."
Target's attacks, as well as other high-profile point-of-sale breaches such as Michaels and Neiman Marcus, have heightened the need for cyberthreat sharing within the retail sector, says Brian Dodge, RILA's senior vice president of communications and state affairs.
"We've been talking about this with our members since January," Dodge says. "We feel like our objective right now is to listen intently to the input we are getting from our members and other stakeholders to make sure that what we establish here improves the overall cybersecurity of the industry."
RILA's long-term mission is to encourage information sharing among retailers and other sectors, as well as provide advanced-threat training and education and offer retailers resources for cyber-attack defense.
"A strong majority of our members are already sharing threat intelligence, but it's been in an informal way with other retailers or merchants and even government sources," Dodge says. "But recent breaches have raised interest in sharing information in a more comprehensive way, and so we have seen interest in taking cyber-intelligence to the next level."
Whether RILA's intelligence sharing center ultimately will become one of the nation's Information Sharing and Analysis Centers remains to be seen. The National Council of ISACs, established in 2003, comprises ISACs within critical infrastructure industries, including financial, government and healthcare.
It's not clear whether the retail industry could fall under the critical infrastructure category, says Doug Johnson, vice president of risk management policy for the American Bankers Association.
"But regardless of whether you are defined as being 'critical,' all industries need to take cybersecurity seriously," he says. "The phrase 'critical infrastructure' is important in some fashion, because it allows us to understand the pieces of our payments system that are most important. But what we also recognize is that we do have a network effect here, so even industries outside that critical infrastructure are impacting cybersecurity."
Johnson adds: "What is important at the end of the day is that each sector needs to come up with their own solution."
RILA's intelligence sharing center is open to participation from all retailers, even those that are not association members, Dodge says.
"One thing that makes this unique is that we have established the center as an independent organization," he explains. "In time, it will be run by the retail industry itself. So it was important to have other groups and associations involved."
RILA has reached out to the National Retail Federation, which in April launched its own information sharing platform, as well as other retail and merchant groups, to gather their advice, Dodge says. The NRF and other merchant groups, such as the National Restaurant Association, are not part of RILA's initiative at this time.
"We want to branch out to the broader merchant community, such as hotels and restaurants, but we are leaving it up to those industries to see if it makes sense for them to be involved," he says. "We have worked with the merchant community on payments issues in the past, so we do have a relationship with them. If this retail intelligence sharing center can help, we are open to sharing any information we can."
For RILA's effort to work, it must adopt an information sharing model that fosters cross-industry collaboration. But that could prove challenging, Nelson says.
"You have to share with government; you share with private sectors; and you share within your own sector, and that inter-sector sharing is probably the most challenging," he says. "A lot of that has to do with having the right infrastructure in place - having a clear set of operating rules, and ensuring there is trust that information will be handled properly. You can't do that overnight."
But the retail sector can learn from the banking industry's model, Nelson and Johnson say, and the FS-ISAC can lend assistance based on its experience.
The FS-ISAC is now emphasizing automated threat intelligence sharing, Nelson says. And the group expects that this threat intelligence will be shared with other industries, including retail, he says.
"Eighty-seven percent of the time, a compromise occurs within minutes of the attack," Nelson says. "Yet the discovery of the attack never occurs within minutes today. At best, it takes hours, and over 50 percent of the time it takes months."
Through the use of automated information and threat intelligence sharing, however, organizations could be warned of potential attacks earlier, which would allow them, in some cases, to take preventive action, Nelson says. "We think this is the way of the future."