There’s been considerable talk in recent years about the importance of cybersecurity information sharing. After all, few organizations can really work in a vacuum and no single organization can see all of the threats lying in wait on the internet.
And many CISOs find it helpful to share notes with others in their industry to compare which strategies and practices work best and compare program maturity levels. But the nearly two-decade effort to share such information hasn’t been smooth.
Many organizations are wary of sharing sensitive cybersecurity information, especially with governments. Not only can such information jeopardize the security posture of an organization, it can damage customer impressions of a company and even affect stock values.
Still, Information Sharing and Analysis Centers (ISAC) and Information Sharing and Analysis Organizations (ISAO) have been gaining importance in recent years. Their success may play a significant role in improving the state of cybersecurity for industries and governments worldwide. The first ISAC, the FS-ISAC for financial services, was formed in 1999. Since then ISACs/ISAOs have formed throughout the world and in many industries. But what constitutes success for information sharing organizations?
What standards are, or should be, in place to certify ISACs/ISAOs themselves meet high standards? What is the best way to share and exchange information considering the ever-evolving nature of cyber threats? What are the lessons learned and recommended practices for forming new information sharing organizations? That’s where the newly formed International Association of Certified ISAOs (IACI) comes in. The IACI hopes to help solve the challenges surrounding cybersecurity threat information.
To get a sense of where the IACI is today and the challenges it faces, we caught up with Michael Echols, IACI CEO. Echols joined the IACI in August after serving seven years at the Department of Homeland Security focusing on how public/private partnerships can help overcome national security and cybersecurity challenges.
During his time at DHS, Echols chaired activities that optimized national cybersecurity sharing programs, strategy, interagency coordination, public safety and counterterrorism across federal agencies and the private sector. Echols also helped create the ISAO standards organization and developed a national program for ISAOs so that any community of interest could share cyber threat information.
CSOonline: Why don’t enterprises share as much cybersecurity information among themselves and with the government as they likely could?
Echols: There's a significant lack of understanding when it comes to cybersecurity information sharing. This is partly due to a lack of education as to what cybersecurity information sharing means. There are also many companies that worry about what type of information is shared and whether it could create a liability or damage their stock value.
There are never easy answers to cybersecurity issues. This makes it hard to explain why cybersecurity information sharing is worth it, despite the perceived risks in being part of an information-sharing infrastructure. It’s hard for security professionals to even explain to their boards, and potentially stockholders, why they should be sharing this information in the first place.
This lack of education also means that there is a general lack of understanding about the potential gains from being a part of a cybersecurity information sharing ecosystem. These benefits include the opportunity to essentially share intelligence costs. In such an ecosystem, enterprises have the advantage of accessing the expertise of their sharing partners and individuals in a particular community of interests, or region, or industry. There is also shared threat intelligence. When something is happening to others in your community, it can happen to you, too. With information sharing, you now have an incredible level of threat intelligence.
How is the federal government helping to overcome cybersecurity information sharing challenges?
The first advancement that Homeland Security has made is naming the National Cybersecurity and Communications Integration Center as the cyber center. Second, determining that information shared with the National Cybersecurity and Communications Integration Center needs to be anonymized so that it can be that neutral place to gain or gather information and then disseminate it.
However, there are still limitations. Many companies and entities will never trust the government enough to share. There are also entities that want to know who their information is going to, in general, their community, even though the information is anonymized. Hence, one of the opportunities that the IACI provides.
I imagine an important benefit of security information sharing, in addition to heading off new threats, is understanding how you compare to your peers in cybersecurity readiness?
Absolutely. In addition, because many of the issues are not technical, we want to create opportunities to overcome challenges to cybersecurity. For instance, in many cases there are issues related to taxonomy. Too many times some term means different things to different people, creating communication barriers. By adopting a similar taxonomy, everybody is always on the same page.
Our status as a not-for-profit creates another opportunity. In some cases, for-profit companies are trying to overcome cybersecurity hurdles and advance the science, but being a for-profit company hampers their credibility to a degree.
An additional opportunity is to help small and mid-sized businesses. These businesses are the engine of the country. We have a number of plans to advance cybersecurity for small and mid-sized businesses. This is important because small businesses have been a big hurdle when it comes to for-profit vendors to successfully serve this market.
How important is it that successful efforts for cybersecurity information sharing be international?
Cyber has no borders. As long as we are forming cyber threat information organizations across this country, some of those organizations are going to be global and the rules are different all over the world. I think a major part of this is that the data privacy rules in Europe, and in particular countries, are much different than they are in the United States. There are different rules when it comes to data localization and dealing with foreign-based entities in countries like Russia and China.
We believe that we can play a role in normalizing information sharing and getting the information to the right people without the politics. We lower these privacy concerns in order for us to work better together.
As the IACI comes to fruition, how do you see it benefiting the interests of cybersecurity?
We are creating an ecosystem that allows for-profit businesses to benefit from working together and to allow for a level of information sharing that raises the minimal standards for everyone. We hope to set new expectations for how people should be working together. From this, we believe that fears about cyber threat information sharing will be minimized over time and cybersecurity information sharing will become the norm.