The underpinnings of an information sharing program are taking shape all around us.
In the world of cyber threats, attackers hold the structural advantage: an attacker needs only one working path in, while a defender must guard every exposed vulnerability, and the number of potential attack vectors exceeds what any single organization can effectively cover. In response, there is growing recognition that cyber defense must include more than perimeter defenses: it must also focus intensively on organization-wide awareness and resilience. One pathway to increasing both is sharing information among peers who are exposed to the same cyber threats.
In February 2015, President Obama issued Executive Order 13691, Promoting Private Sector Cyber Security Information Sharing. It tasked the Department of Homeland Security with creating a program to encourage the formation of groups called ISAOs – Information Sharing and Analysis Organizations. ISAOs are intended to foster private sector/public sector collaboration that raises overall awareness of – and resilience against – cyber threats in the broader economy.
This effort has revealed a broad sentiment in federal agencies: unease about growing tension between industry and government. Government officials believe that the nation’s cybersecurity efforts will be severely impeded until we create a shared understanding of the total threat. At the same time, competing views around controversial topics, like encryption, privacy and surveillance, have led to an erosion of trust between the private sector and the federal government.
Governmental actions are being taken to counteract this eroding trust. The Cybersecurity Information Sharing Act of 2015 (CISA) encourages businesses to share cyber threat indicators and defensive measures with the government, and with each other, by shielding them from liability for doing so. The NIST Cybersecurity Framework (CSF), issued in 2014, has proven to be a tremendously successful outreach effort by the US government, spawning widespread collaboration and contributions from the private sector. Creation of ISAOs is another example of this rising outreach effort.
In 2017, expect to see groups creating methods to measure, quantify, and standardize the practices of the NIST CSF, thereby creating the fittings and sockets for effective information sharing around cyber resilience. We expect the organizational structure of ISAOs and the liability protections of the CISA will further these efforts.
We sincerely hope that the government continues its outreach efforts by creating voluntary programs like the NIST CSF and the ISAOs. A shared awareness will act as an early warning system, not unlike the behavior of the human immune system.