As crime rates rose in the early 1970s, Americans began coming together to improve the security of their neighborhoods. They established stronger communities, promoted pride, and built trust that brought members together to deter would-be criminals. They exchanged ideas and best practices for securing their homes and protecting themselves. Collectively and individually, they developed a clearer sense of “normal” neighborhood activity, so they could quickly spot something out of place. Keeping an eye out for unusual or suspicious activity in their streets and parks, they shared information with one another and the local police. When crimes did occur, they leaned on one another for support and shared the lessons these incidents taught so that every neighborhood household would be better prepared.
The challenges facing the Internet today are similar to those first tackled in our 1970s neighborhoods. According to a recent study, security breaches increased by 38% last year alone, with thefts of “hard” intellectual property up 56% in the same period.[1] As businesses and government agencies struggle to confront an increasingly challenging cybersecurity environment, adversaries continue to reap regular (and often spectacular and public) successes. The cybersecurity problem is becoming more pervasive and complex, resulting in an urgent need to establish flexible, collaborative security mechanisms for our common defense. We need an effective cybersecurity neighborhood watch program. The good news is that such a program is coming together.
This program’s foundation began with Presidential Decision Directive 63 (PDD 63), issued by the White House in 1998 to address the growing vulnerabilities in our national critical infrastructure, including telecommunications, energy, finance, transportation, water systems, and emergency services.[2] Given the distributed nature of these systems and the fact that many are privately held, PDD 63 called for the establishment of a public-private partnership to address the nation’s readiness to meet emerging threats. A key element of this strategy was to establish a central hub to gather, analyze, sanitize, and disseminate information from the government and the private sector about vulnerabilities, threats, intrusions, and anomalies.[3] This center was termed an Information Sharing and Analysis Center (ISAC).
Today, two dozen ISACs help critical infrastructure owners and operators protect their facilities, personnel, and customers. Addressing the needs of constituencies from the electricity sector to the defense industrial base, ISACs collect, analyze, and disseminate actionable threat information and provide their members with tools to mitigate risks and enhance resiliency.[4] Many ISACs have 24/7 warning and response capabilities, and several key ISACs maintain a presence on the watch floor of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). Together, ISACs have dramatically improved situational awareness within and across sectors as they share threat and mitigation information with each other and with government partners where appropriate.[5]
As successful as the ISACs have been, the critical infrastructure sectors they support comprise only a fraction of our broader national cyber ecosystem. Numerous organizations and entities within this ecosystem do not have the benefit of this type of collaborative and collective support. Compounding the challenge, we are rapidly increasing our dependency on automated and networked technologies through the Internet of Things, even as cyber-attacks continue to grow in number and sophistication. We need a robust yet flexible national program for rapid and voluntary sharing of information related to cybersecurity risks and incidents to improve our cybersecurity posture and to facilitate timely collective response.
In February 2015, the president issued Executive Order (EO) 13691 to promote broader cybersecurity information sharing. Specifically, the EO strongly encourages the development and formation of Information Sharing and Analysis Organizations (ISAOs). ISAOs are strictly voluntary organizations that are conceptually similar to ISACs, but differ in that they are not tied to critical infrastructure and may reflect a broader range of capabilities. Additionally, any given ISAO may determine for itself whether it will share information with the government. Per the EO, “ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sectors, or consist of a combination of public and private sector organizations. ISAOs may be formed as for-profit or nonprofit entities.”[6] In short, any group with a shared interest in collaborating to improve its members’ individual and collective cybersecurity posture can form an ISAO.
What makes the ISAO construct so powerful is its potential to widely and rapidly propagate critical cybersecurity threat and incident response information across numerous communities of interest that are currently underserved from a cybersecurity perspective. By establishing a scalable model, ISAOs can be constructed to meet the modest needs of a niche local market or the challenging demands of an 8,000-company software trade association. The Cannabis Retailers of Colorado may choose to share within a small, relatively closed group, while the National Association of Defense Manufacturers may elect to routinely exchange information between members and the federal government.
Our cyber ecosystem consists of a multitude of entities with different objectives and priorities. From national agencies to academia to the private sector, the number of actors who influence and depend on cyberspace is vast. Creating resilience depends on improving our collective understanding of rapidly evolving threats and applying best practices in dealing with those threats. Promoting effective information sharing in this complex environment requires trust among disparate groups to address a complex web of privacy and security concerns. Establishing ISAOs grounded in core principles, with standards that reflect the flexibility to meet the needs of diverse constituents, will be essential for success.
To be effective in meeting the needs of such diverse constituencies, ISAOs must provide services that are valued by their members. At the same time, they must adhere to behavioral norms and provide core underlying capabilities that facilitate trust and optimal functioning within the cyber ecosystem. The National Institute of Standards and Technology’s Cybersecurity Framework has been important in establishing a common language among government, academia, and the private sector to address cybersecurity through activities, profiles, measurements, and standards.[7] Similarly, the RESILIA framework of cybersecurity best practices (created by the same organization that developed the globally recognized ITIL guidelines for IT service management) serves as a useful international reference for common dialogue around sound cybersecurity practices.[8] The ultimate effectiveness of these frameworks in improving ecosystem health may be difficult to judge, but it is important to build on the shared concepts and vocabulary that these frameworks provide.
To provide a common basis for interaction with other entities in the cyber ecosystem, ISAOs must follow a defined set of core principles and select from flexible standards that meet the needs of their unique communities. These standards will clearly articulate required ISAO capabilities and should further clarify optional ones. Some ISAOs will rely on a largely manual process to collect, evaluate, and disseminate information, while others will take advantage of automated information-sharing networks using evolving cybersecurity-oriented data standards like STIX, TAXII, and CybOX.[9] Taken together, the ISAO standards must include effective metrics to validate individual organizational compliance and prescribe an ISAO certification process.
By creating a clear framework of well-defined yet flexible standards based on core principles, we can set the conditions to deepen and broaden the sharing of cybersecurity information. In the same way that network access and unique content have rapidly proliferated through an open, standards-based Internet, we can also dramatically improve the quality, speed, and reach of actionable cybersecurity threat and response information.
The implications of such a construct are profound. Right now, adversaries are able to use and reuse malware exploits that vary in sophistication but are effective in large part because they go undetected or unmitigated. Estimates vary, but a recent Mandiant report indicates that the median time an organization is compromised before detecting the breach is four and a half months.[10] The time when other similarly vulnerable organizations might learn about this breach may be even longer. Verizon states that although more breaches are being discovered within days, more compromises are also occurring in days, leaving a constant gap in undetected breaches.[11] The problem is compounded when you consider the increasing number of zero-day vulnerabilities being exploited.
But what if we could change the equation? As dozens or hundreds of ISAOs form to meet the needs of various constituencies, actionable cybersecurity threat and response information could be rapidly disseminated through our cyber ecosystem by using forms and methods tailored for the consumption of individual organizations. This loose confederation of voluntary sharing organizations would benefit from the eyes and ears of thousands of members, in much the same way that individual households benefit from the observations of others in the neighborhood watch program. We will soon be in a position to create a national network of ISAOs that could rapidly share information about threats at a pace and scale that would dramatically reduce the effective lifespan of an adversary exploit and alter the balance between offense and defense.
So what will it take to get there? In October 2015, the University of Texas at San Antonio, LMI, and the Retail Cyber Intelligence Sharing Center joined forces to create the ISAO Standards Organization (ISAO SO). This non-governmental organization is engaged in an open, public dialogue to develop voluntary standards for the formation and functioning of ISAOs. These standards will address contractual agreements, business processes, operating procedures, technical specifications, privacy protections, and more. The ISAO SO will build on best practices and lessons learned from existing information sharing and analysis centers and other information sharing organizations. Given our global relationships and dependencies, the organization will also consider relevant voluntary international standards and practices.[12] To date, more than 100 experts from multiple industry sectors, the government, and academia have volunteered to help create these standards and guidelines through six working groups. The ISAO SO continues to seek broader participation in the effort and has invited the public to contribute to the process through working groups, through monthly online and in-person meetings, and by commenting on draft documents that will be posted in the spring; an initial set of standards and guidelines is in the works for fall publication.
Through an active public-private partnership to establish flexible standards rooted in core principles, this team of industry, government, and academic experts is working to establish a sorely needed cybersecurity neighborhood watch program. Our economic and national security is at stake, but the team is committed to changing the landscape by creating a more secure and resilient Nation that is connected, informed, and empowered. For more information about the ISAO Standards Organization or to join in the process, go to https://www.isao.org.
- PricewaterhouseCoopers, The Global State of Information Security Survey 2016, http://www.pwc.com/gsiss.
- The White House, Presidential Decision Directive/NSC-63, http://chnm.gmu.edu/cipdigitalarchive/files/42_Critical%20Infrastructure%20Protection%20(PDD%2063).htm.
- National Council of ISACs, Homepage and About ISACs, http://www.nationalisacs.org.
- The White House, Executive Order – Promoting Private Sector Cybersecurity Information Sharing, February 13, 2015, https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari.
- National Institute of Standards and Technology, Cybersecurity Framework, http://www.nist.gov/cyberframework.
- AXELOS, RESILIA, https://www.axelos.com/best-practice-solutions/resilia.
- United States Computer Emergency Readiness Team (US-CERT), Information Sharing Specifications for Cybersecurity, https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity.
- Mandiant Consulting, M-Trends 2016 (Milpitas, CA: FireEye, Inc., 2016), available at https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf.
- Verizon, 2015 Data Breach Investigations Report, available via http://vz.to/DBIR15.
- ISAO Standards Organization, Homepage and FAQ, https://www.isao.org.