Cyber threat information sharing can benefit everyone, the director of a standards organization says.
In a 2015 executive order, President Barack Obama laid out a vision for a plethora of organizations dotting the nation that would share cyber threat information along with guidance, tips and best practices.
The big idea for these cybersecurity “information sharing and analysis organizations” was basically to replicate “information sharing and analysis centers” that already existed for critical infrastructure sectors such as financial services and electricity but sized and tailored for specific states or regions, business sectors, nonprofit and advocacy groups or even mariachi bands (more on that later).
The February 2015 executive order also called for an ISAO standards organization that would promulgate voluntary guidance for these new bodies and “create deeper and broader networks of information sharing nationally.”
Two years later, the ISAO Standards Organization at the University of Texas-San Antonio, which won a competition to host the organization in September of that year, has published a quartet of documents to help newly formed ISAOs get up and running and is working on or considering more than a dozen others.
It’s also planning an international information sharing conference in Washington later this year.
The organization’s goal is twofold, Executive Director Greg White told Nextgov: to provide guidance that can be used by any ISAO across the U.S. or even internationally and to help ISAOs tailor the information they share and the services they provide to the specific needs of their members.
Nextgov spoke with White this week about the standards organization’s work in connection with an award he’s receiving from the cybersecurity accrediting group (ISC)². The transcript has been edited for length and clarity.
Nextgov: How many ISAOs have been stood up so far?
Greg White: There are some that are up and running and there are some that are forming. If you want to form an ISAO, you can simply say, ‘Hey there, I am now an ISAO.’ There are a number of folks who have done that. One of the things we’re doing is we’re reaching out to people who we hear have formed an ISAO and helping them understand what that means. What kind of things are you offering your members? Have you offered these capabilities? Have you thought about these kinds of analysis tools?
Nextgov: What are some examples of ISAOs that have formed so far?
White: Well, the ISACs [long-standing information sharing and analysis centers that represent critical infrastructure industry sectors] are technically also ISAOs. Otherwise, we’ve got a couple in California. They don’t always call themselves ISAOs, but that’s effectively what they are. There’s a Southern California ISAO. There are organizations like the Northeast Ohio Cyber Consortium. Virginia has stood up something called the Virginia Cyber Range. Those are some of the geographic-based ones.
Credit unions are still members of the Financial Services ISAC but a National Credit Union ISAO has been formed. Credit unions decided they have unique enough issues that apply to credit unions but maybe not to all financial institutions that they wanted to have an entity where they could just talk about credit union matters. There’s a medical device ISAO, a maritime and port security ISAO, a sports ISAO, a legal services ISAO, [which is supported by the Financial Services ISAC]. Different ISAOs are forming even as we speak.
Nextgov: It makes sense that cyber threats would be similar among similar businesses or sectors, but what’s the value of a regional ISAO?
White: First of all, over the last couple years we’ve seen communities that come under attack and communities that are being trolled.
Nextgov: For example, in Ferguson? [Missouri, where the hacktivist group Anonymous released personal information about police officers during protests following the police shooting of Michael Brown, an unarmed black teenager].
White: Yes, exactly. So far, [hacktivists] have basically confined themselves to the police departments and maybe the city web page or the mayor’s site or something like that. But what happens when you’ve got an overzealous Anonymous-like group that decides it needs to impact the community more because it’s just not getting listened to? So, now, they start attacking the power or the water [utilities]. So, absolutely, you want to get folks in the community talking about these kinds of things and preparing for these kinds of things so they’re better off when they do happen.
Nextgov: Are there other benefits to regional ISAOs?
White: Another thing these entities can help with is that you have an entity that is naturally concerned about spreading the word about security. If you have a community ISAO, it probably is going to start with things like the local government, infrastructure like water and power, those sorts of folks. But it should also include businesses in that area. Having established that ISAO with those other entities, you can start reaching out to the rest of the community. Then you’ve got dimension. With the entire nation worried about cybersecurity and talking about it, we believe this is a tremendous opportunity.
Nextgov: What kinds of groups or sectors should consider forming ISAOs?
White: An example I like to use—this is a fictitious one—is here in south Texas an ISAO could be formed for mariachi bands. Do they have websites? Yes. Do they potentially take credit card information for their gigs? Well, yeah. Do they use computers to store important information? Yeah. So, do these folks need to worry about cybersecurity? Well, yes, they do as a matter of fact.
Are these folks that need to be as capable as the Financial Services ISAC? Do they need 24/7 operations? Probably not. But, can they benefit by even just once a month coming together and talking about cybersecurity as it relates to them and what’s important to that community? Absolutely they would benefit from it. Will they benefit from coming together and sharing cybersecurity tips like, ‘Hey, we’re using this firewall. What are you guys using?’ ‘Hey, I’m thinking about getting a host-based intrusion system. What are you guys using?’ That will make them much better off.
If we could get every little entity like that in the nation talking about cybersecurity, the nation’s better off. And then, maybe, the south Texas [mariachi ISAO] forms and others join and eventually the southwest U.S. mariachi band ISAO forms. Then a national ISAO forms and, at that point, with strength in numbers, maybe they do have the financial backing from all these members to have a 24 by 7 operation. If there’s some entity out there attacking all the mariachi bands for some reason, they would have a larger entity that could deal with that and help coordinate. That’s how we see a lot of ISAOs being born.
Nextgov: What are the biggest barriers to getting ISAOs formed?
White: One of the biggest barriers is a misunderstanding of what needs to go into an ISAO. If folks take a look at something like the Financial Services ISAC and say, ‘Is that what we’re supposed to be?’ That’s not always the right model. It took the financial services sector a while before their ISAC became as robust as it is and they have a real reason to be that way because they are a target for multiple different types of threats. My mariachi bands will never need an infrastructure as robust as the Financial Services ISAC. If they go into this thinking that’s what they need to create, they’re going to throw their hands up.
An ISAO is an information security and analysis organization. If they have a mailing group where they share information on cybersecurity, that’s analysis. Trying to become a bunch of mini ISACs is not what’s needed.
Nextgov: Are you concerned that without training or expertise, people at smaller ISAOs will share the wrong information and either sow confusion or create legal liability problems?
White: We recognize that’s a possibility. You may [also] have some nefarious group that wants to send in false reports or get people looking in the wrong direction. That’s where the issue of trust comes in. My mariachi band ISAO, do they immediately start sharing information with all the other ISAOs? Do other ISAOs immediately start accepting information from the mariachi ISAO? Or do we have to have a certain amount of trust in that group before we start to freely share information? That’s an issue.
In terms of legal liability, that is up to the individual ISAOs when they create the documents that all their entities sign. That’s something we talk to ISAOs about when they form. Here are some considerations. Here are some things you need to think about.
Nextgov: One of your missions is to gather metrics about the value of information sharing. Have you done much work on that yet?
White: That’s something on our radar but we’ve been concentrating on helping ISAOs form and finding out who’s out there. We’ve not gone out and tried to do the studies and gather the metrics. Anecdotal evidence is basically what we have now. You have all the well formed ISACs and they’ll point you to very specific examples where it’s beneficial.
Nextgov: Is there international value to your work?
White: The grant we received is from [the Department of Homeland Security], so we’re trying to develop national standards. But we’re trying to develop these standards in such a way that they can easily be adopted by an international audience and be just as applicable. There are obviously some documents and guidance we’ll be providing [that has less international value]. For example, the U.S. government provides some help that it’s not going to provide to folks internationally. But a lot of what we’re talking about is applicable outside the United States and information sharing is an international issue. We’ve already had discussions with some folks in Japan who are translating our first four documents into Japanese. We’ve had some talks with folks in Europe. That’s not our main focus by any stretch of the imagination, but it is an issue.
Nextgov: What do you want the ISAO landscape to look like five or 10 years out?
White: There’s a slide from the folks at DHS who were involved in the grant we won that shows this ecosystem of lots of different types of information sharing entities. Off to the right of this slide it said, ‘Currently there are approximately 20 ISACs.’ Then it had an arrow going to the future and it said ‘thousands of ISAOs.’ That’s the vision. We’re not going to have thousands of mini ISACs five years from now. They’re not going to be offering services like the multi-state ISAC or the Financial Services ISAC. There will be some that do but not everyone. But, if I can get thousands of organizations talking about cybersecurity, then the nation is going to be much better off. That’s my vision. If you’re a group that wants to share information, there’s a place in that ecosystem for you. And we want [those groups] working together as an ecosystem to better the cybersecurity capabilities and posture of the nation.