Standards group releases guidelines on cyber information sharing

The Information Sharing and Analysis Organization Standards Organization has published initial guidelines on the establishment of ISAOs to promote private sector cybersecurity information sharing.


The non-governmental Information Sharing and Analysis Organization Standards Organization has released an initial set of guidelines to promote private-sector cybersecurity information sharing.

ISAOs extend the model of the sector-based Information Sharing and Analysis Centers beyond critical infrastructure, and were established under Executive Order 13691. That directive, issued in February 2015, states:

"Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis."

Though voluntary, EO 13691 does call for the Department of Homeland Security to "strongly encourage the development and formation of [ISAOs]."

According to the executive order, "ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities." They can also be public sector, private sector or a mix, and can be either for-profit or nonprofit entities.

ISAOs are designed to complement DHS' existing information sharing programs. The National Cybersecurity and Communications Integration Center is tasked with coordinating with ISAOs that wish to voluntarily share information.

The ISAO SO brought together members of industry, government and academia who spent months preparing the initial guidelines.

The four resulting documents, the organization said, are designed to be informational and not prescriptive. They generally pose questions for prospective ISAO members to consider before forming an ISAO.

For example:

  • How will the ISAO improve the cybersecurity position of the sharing partners and members of the ISAO? What information sharing problems will the ISAO solve?
  • What goals does the ISAO intend to achieve?
  • What is the ISAO's vision?
  • What is the ISAO planning to do differently from other ISAOs?

"The purpose of these efforts is ultimately to improve the ability of organizations to, as outlined in the EO, 'detect, investigate, prevent, and respond to cyber threats' while protecting the privacy and civil liberties of citizens," the guidelines state.

In addition to focusing on the structure, mission and membership of ISAOs, the guidelines also stress the importance of developing trust mechanisms to encourage effective information sharing.

"An ISAO can only function when a certain level of trust exists between its members, between the members and the ISAO, and between the ISAO and its partners," the guidelines state.

The larger question is trust between ISAOs and DHS. So far, efforts by the department to encourage the sharing of cyber threat and breach data with the government have met with a lukewarm response by private entities.

The guidelines issued by the ISAO SO represent another evolutionary step in what has been a long process of trying to develop information sharing systems and mechanisms. The ISAO SO also stressed that establishing an ISAO is an iterative process.

"The guidelines presented in this document are intended to assist in this process by raising the most critical strategic and operational factors for consideration," the guidelines state. "ISAOs are encouraged to periodically reevaluate these guidelines as they evolve."