Hashing out standards for information sharing

DHS and industry officials meet to begin drafting ground rules for Information Sharing and Analysis Organizations.


As information sharing legislation makes its way through Congress, industry and Department of Homeland Security officials gathered on Nov. 9 to discuss how to blunt cyberattacks by sharing cyberthreat information.

The Information Sharing and Analysis Organization (ISAO) Standards Organization convened its first public meeting at the Northern Virginia office of one of its steering companies.

Even though the House and Senate have yet to combine their respective versions of legislation that would give companies liability protection when they share cyberattack forensic data, the effort to create standards on how to share that information is moving forward.

"We'll be ready" when legislation is approved, said Suzanne Spaulding, undersecretary of the National Protection and Programs Directorate (NPPD) at DHS. "ISAOs are the key to an effective network of networks" that can block cyberattacks by making details about them widely available almost instantaneously.

In February, President Barack Obama's Executive Order 13691 -- Promoting Private-Sector Cybersecurity Information Sharing -- laid out a framework to help companies work together and with the federal government to quickly identify and protect against cyberthreats. Included in the order was a mandate to fund the creation of a nonprofit organization to develop a common set of voluntary standards for ISAOs.

In September, Andy Ozment, assistant secretary of cybersecurity and communications at DHS, selected the University of Texas at San Antonio to lead the standards effort that will help ISAOs form across the private sector. Longtime government consultant LMI and the Retail Cyber Intelligence Sharing Center were also chosen to participate in the ISAO Standards Organization.

The meeting today drew hundreds of attendees from industry and government to LMI's new Tysons Corner office. It was the initial get-together in a planning cycle that is projected to conclude in March 2016, when a set of ISAO standards will be issued.

When Obama mandated the creation of ISAOs, it wasn't immediately clear how Information Sharing and Analysis Centers currently operated by critical infrastructure owners would fit in. But Spaulding said ISACs are essential for providing expert advice on best practices and other hands-on experiences.

Furthermore, input from industry will be combined with information gleaned from DHS' Einstein and the Continuous Diagnostics and Mitigation program to help NPPD "operate as a weather map" of cyberthreats for industry and government and forecast threats in near-real time, Spaulding said.

Companies have been cautious about responding to information-sharing efforts. Greg White, executive director of the ISAO Standards Organization, stressed that participation in ISAOs is voluntary -- as is compliance with the standards that result from industry meetings.

The ISAO Standards Organization plans to have initial working groups for specific ISAOs set up within 30 days of the initial meeting. The groups' first meetings will take place by February, and a second public meeting is scheduled for Feb. 13, 2016, in San Antonio.

A series of comment and review cycles will run through 2016, with an initial set of standards published by Sept. 12, 2016, White said.