A Cyber Threat Sharing Group for Mariachi Bands? Maybe One Day.

deepadesigns/Shutterstock.com

Featured eBooks
Digital Transformation
Read Now

Federal IT Modernization Still a Major Challenge

Read Now

DHS’ next chapter as an enterprise services provider

Read Now

What's happening in health tech

Read Now
Joseph Marks By Joseph Marks,
Senior Correspondent

By Joseph Marks

|

Cyber threat information sharing can benefit everyone, the director of a standards organization says.

In a 2015 executive order, President Barack Obama laid out a vision for a plethora of organizations dotting the nation that would share cyber threat information along with guidance, tips and best practices.

The big idea for these cybersecurity “information sharing and analysis organizations” was basically to replicate “information sharing and analysis centers” that already existed for critical infrastructure sectors such as financial services and electricity but sized and tailored for specific states or regions, business sectors, nonprofit and advocacy groups or even mariachi bands (more on that later).

The February 2015 executive order also called for an ISAO standards organization that would promulgate voluntary guidance for these new bodies and “create deeper and broader networks of information sharing nationally.”

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Two years later, the ISAO Standards Organization at the University of Texas-San Antonio, which won a competition to host the organization in September of that year, has published a quartet of documents to help newly formed ISAOs get up and running and is working on or considering more than a dozen others.

It’s also planning an international information sharing conference in Washington later this year.

The organization’s goal is twofold, Executive Director Greg White told Nextgov: to provide guidance that can be used by any ISAO across the U.S. or even internationally and to help ISAOs tailor the information they share and the services they provide to the specific needs of their members.

Nextgov spoke with White this week about the standards organizations’ work in connection with an award he’s receiving from the cybersecurity accrediting group (ISC)². The transcript has been edited for length and clarity.

Nextgov: How many ISAOs have been stood up so far?

Greg White: There are some that are up and running and there are some that are forming. If you want to form an ISAO, you can simply say, ‘Hey there, I am now an ISAO.’ There are a number of folks who have done that. One of the things we’re doing is we’re reaching out to people who we hear have formed an ISAO and helping them understand what that means. What kind of things are you offering your members? Have you offered these capabilities? Have you thought about these kinds of analysis tools?

Nextgov: What are some examples of ISAOs that have formed so far?

White: Well, the ISACs [long-standing information sharing and analysis centers that represent critical infrastructure industry sectors] are technically also ISAOs. Otherwise, we’ve got a couple in California. They don’t always call themselves ISAOs, but that’s effectively what they are. There’s a Southern California ISAO. There are organizations like the Northeast Ohio Cyber Consortium. Virginia has stood up something called the Virginia Cyber Range. Those are some of the geographic-based ones.

Credit unions are still members of the Financial Services ISAC but a National Credit Union ISAO has been formed. Credit unions decided they have unique enough issues that apply to credit unions but maybe not to all financial institutions that they wanted to have an entity where they could just talk about credit union matters. There’s a medical device ISAO, a maritime and port security ISAO, a sports ISAO, a legal services ISAO, [which is supported by the Financial Services ISAC]. Different ISAOs are forming even as we speak.

Nextgov: It makes sense that cyber threats would be similar among similar businesses or sectors, but what’s the value of a regional ISAO?

White: First of all, over the last couple years we’ve seen communities that come under attack and communities that are being trolled.

Nextgov: For example, in Ferguson? [Missouri, where the hacktivist group Anonymous released personal information about police officers during protests following the police shooting of Michael Brown, an unarmed black teenager].

White: Yes, exactly. So far, [hacktivists] have basically confined themselves to the police departments and maybe the city web page or the mayor’s site or something like that. But what happens when you’ve got an overzealous Anonymous-like group that decides it needs to impact the community more because it’s just not getting listened to? So, now, they start attacking the power or the water [utilities]. So, absolutely, you want to get folks in the community talking about these kinds of things and preparing for these kinds of things so they’re better off when they do happen.

Nextgov: Are there other benefits to regional ISAOs?

White: Another thing these entities can help with is that you have an entity that is naturally concerned about spreading the word about security. If you have a community ISAO, it probably is going to start with things like the local government, infrastructure like water and power, those sorts of folks. But it should also include businesses in that area. Having established that ISAO with those other entities, you can start reaching out to the rest of the community. Then you’ve got dimension. With the entire nation worried about cybersecurity and talking about it, we believe this is a tremendous opportunity.

Nextgov: What kinds of groups or sectors should consider forming ISAOs?

White: An example I like to use—this is a fictitious one—is here in south Texas an ISAO could be formed for mariachi bands. Do they have websites? Yes. Do they potentially take credit card information for their gigs? Well, yeah. Do they use computers to store important information? Yeah. So, do these folks need to worry about cybersecurity? Well, yes, they do as a matter of fact.

Are these folks that need to be as capable as the Financial Services ISAC? Do they need 24/7 operations? Probably not. But, can they benefit by even just once a month coming together and talking about cybersecurity as it relates to them and what’s important to that community? Absolutely they would benefit from it. Will they benefit from coming together and sharing cybersecurity tips like, ‘Hey, we’re using this firewall. What are you guys using?' 'Hey, I’m thinking about getting a host-based intrusion system. What are you guys using?' That will make them much better off. 

If we could get every little entity like that in the nation talking about cybersecurity, the nation’s better off. And then, maybe, the south Texas [mariachi ISAO] forms and others join and eventually the southwest U.S. mariachi band ISAO forms. Then a national ISAO forms and, at that point, with strength in numbers, maybe they do have the financial backing from all these members to have a 24 by 7 operation. If there’s some entity out there attacking all the mariachi bands for some reason, they would have a larger entity that could deal with that and help coordinate. That’s how we see a lot of ISAOs being born.

Nextgov: What are the biggest barriers to getting ISAOs formed?

White: One of biggest barriers is a misunderstanding of what needs to go into an ISAO. If folks take a look at something like the Financial Services ISAC and say, ‘Is that what we’re supposed to be?’ That’s not always the right model. It took the financial services sector a while before their ISAC became as robust as it is and they have a real reason to be that way because they are a target for multiple different types of threats. My mariachi bands will never need an infrastructure as robust as the Financial Services ISAC. If they go into this thinking that’s what they need to create, they’re going to throw their hands up.

An ISAO is an information security and analysis organization. If they have a mailing group where they share information on cybersecurity, that’s analysis. Trying to become a bunch of mini ISACs is not what’s needed.

Nextgov: Are you concerned that without training or expertise, people at smaller ISAOs will share the wrong information and either sow confusion or create legal liability problems?

White: We recognize that’s a possibility. You may [also] have some nefarious group that wants to send in false reports or get people looking in the wrong direction. That’s where the issue of trust comes in. My mariachi band ISAO, do they immediately start sharing information with all the other ISAOs? Do other ISAOs immediately start accepting information from the mariachi ISAO? Or do we have to have a certain amount of trust in that group before we start to freely share information? That’s an issue.

In terms of legal liability, that is up to the individual ISAOs when they create the documents that all their entities sign. That’s something we talk to ISAOs about when they form. Here are some considerations. Here are some things you need to think about.

Nextgov: One of your missions is to gather metrics about the value of information sharing. Have you done much work on that yet?

White: That’s something on our radar but we’ve been concentrating on helping ISAOs form and finding out who’s out there. We’ve not gone out and tried to do the studies and gather the metrics. Anecdotal evidence is basically what we have now. You have all the well formed ISACs and they’ll point you to very specific examples where it’s beneficial.

Nextgov: Is there international value to your work?

White: The grant we received is from [the Department of Homeland Security], so we’re trying to develop national standards. But we’re trying to develop these standards in such a way that they can be easily be adopted by an international audience and be just as applicable. There are obviously some documents and guidance we’ll be providing [that has less international value]. For example, the U.S. government provides some help that it’s not going to provide to folks internationally. But a lot of what we’re talking about is applicable outside the United States and information sharing is an international issue. We’ve already had discussions with some folks in Japan who are translating our first four documents into Japanese. We’ve had some talks with folks in Europe. That’s not our main focus by any stretch of the imagination, but it is an issue.

Nextgov: What do you want the ISAO landscape to look like five or 10 years out?

White: There’s a slide from the folks at DHS who were involved in the grant we won that shows this ecosystem of lots of different types of information sharing entities. Off to the right of this slide it said, ‘Currently there are approximately 20 ISACs.’ Then it had an arrow going to the future and it said ‘thousands of ISAOs.’ That’s the vision. We’re not going to have thousands of mini ISACs five years from now. They’re not gong to be offering services like the multi-state ISAC or the Financial Services ISAC. There will be some that do but not everyone. But, if I can get thousand of organizations talking about cybersecurity, then the nation is going to be much better off. That’s my vision. If you’re a group that wants to share information, there’s a place in that ecosystem for you. And we want [those groups] working together as an ecosystem to better the cybersecurity capabilities and posture of the nation. 

NEXT STORY: Can a voluntary framework deter cyberattacks?

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.