With Cybersecurity Summit Over, What's Next?How New Information Sharing and Analysis Organizations Work
The one-day White House Summit on Cybersecurity and Consumer Protection, held in California on Feb. 13, holds out the promise that government and business will collaborate on battling cyberthreats. Now, the hard part begins: getting it done.
First up: Specifics need to be developed to fulfill President Obama's executive order to encourage industry to share cyberthreat information with the government.
"The devil is truly in the details," Tripwire Security Analyst Ken Westin says. "Although I believe the spirit and intentions of the order is good, it will be critical that there is transparency and oversight regarding its implementation. The government is breaking new ground and it is important to tread carefully, as there is a lot to learn in the process of developing a system of this scale and depth."
There's a dearth of details on a critical element of the president's plan, as outlined in the executive order: the creation of information sharing and analysis organizations. ISAOs would serve as intermediators between business and the government to share cyberthreat information. The executive order directs the secretary of homeland security to "strongly encourage" the development of ISAOs. DHS's National Cybersecurity and Communications Integration Center is charged by the president to engage in continuous and inclusive coordination with ISAOs to share cyber risks and incidents information.
But when contacted, DHS didn't offer specifics on how DHS would help facilitate the creation of ISAOs. "I don't have further details for you at this time," a DHS spokesman said Monday.
What's an ISAO?
In his speech at the summit moments before he signed the executive order, Obama characterized the ISAOs as "hubs" that also could share threat information with each other (see President Obama Grapples with Cyber Challenges). "It will call or a common set of standards, including protections for privacy and civil liberties, so that government can share threat information with these hubs more easily," Obama said. "And it can help make it easier for companies to get the classified cybersecurity threat information that they need to protect their companies."
President Obama discusses cyberthreat information sharing at the White House cybersecurity summit.
ISAOs differ from information sharing and analysis centers. ISACs are not-for-profit consortia focused on specific industries - such as financial services (FS-ISAC), healthcare (NH-ISAC) and state governments (MS-ISAC) - and provide members with services that include risk mitigation, incident response, alert and information sharing.
Unlike ISACs, ISAOs are more narrowly focused, and according to the executive order could be organized by industry, an industry sub-sector, region or any other affinity, including in response to particular emerging threats or vulnerabilities. An ISAO could have public and private sector members and be a commercial or not-for-profit enterprise. ISACs, if they choose, could serve as ISAOs.
Promised ISAO Initiatives
One of the first ISAOs will be run by a profit-making venture, the cybersecurity firm Crowdstrike, according to a fact sheet the White House issued on the executive order. That fact sheet said the Entertainment Software Association would create an ISAO, too. Neither organization or the White House provided details on these ISAO initiatives.
To become an ISAO, the organization must be certified. DHS, consulting other federal government agencies with cybersecurity responsibilities, will hold a competition to select a nongovernmental entity to serve as the ISAO standards organization to identify a common set of voluntary guidelines to create and operate ISAOs.
The White House, in its statement, said the online file sharing and cloud content management company Box would participate in the standards-development process for ISAOs and explore ways to use the Box platform to enhance collaboration among ISAOs. Neither Box nor the White House provided additional information on these initiatives or their timelines.
Need for Legislation
Even with the creation of ISAOs under the executive order, some experts question their effectiveness. Many businesses are reluctant to share cyberthreat information - with the government or other businesses - until Congress enacts a law to provide them with liability protection. Businesses don't want cyberthreat information they voluntarily release to be used against them in some type of legal or regulatory case. Legislation has been introduced in the current Congress to provide liability protection to businesses that share cyberthreat information, and additional bills are expected to be proposed in the coming week.
Until such protections are enacted, cyberthreat information sharing via ISAOs would mostly be one way, from the government to business. "I can't see that anything has changed for a sharing company," says Unisys CISO Dave Frymier. "That having been said, more information coming from the government is a tremendously good thing for companies. The government has a huge amount of very specific targeting information they have been reluctant to share for fear of possibly revealing their collection techniques. It looks like they have now decided the value of the information to industry is greater than their value in concealing how they might have obtained it."