The executive order (EO) creating Information Sharing and Analysis Organizations (ISAOs) – to be anchored by the Department of Homeland Security (DHS) – has highlighted a debate among information security specialists, not only about the increased role of government, but about the limitations of the entire threat intelligence sharing efforts.
Is the world's premier cybersecurity apparatus finally moving in to bolster the defenses of business beleaguered by a barrage of cyberattacks? Or is Big Brother muscling in on threat intelligence sharing efforts that are better left to private industry?
Some prominent advocates of threat intelligence sharing welcome ISAOs as a way to give momentum to the privately run, industry-specific Information Sharing and Analysis Center (ISAC) efforts. Along with a raft of free and paid threat intel sharing services and a growing number of new tools to evaluate such data, ISAOs will further data sharing efforts, according to Merike Kaeo, CISO at IID, a Tacoma, Wash.- based cybersecurity firm.
“How the ISAOs will interact with ISACs and other sharing initiatives will largely depend on the evolving governance models,” Kaeo (left) says. “There is a consolidation ongoing in the industry to create more effective means of sharing data that is considered ‘classified' by the government.” She believes these efforts are all complementary and that rather than confuse the matter, they will create a better dialogue between government and private sector to enhance the overall data-sharing ecosystem.
But that ecosystem could also be disrupted by ISAOs, notes Denise Anderson, vice president of government and cross-sector programs for the Financial Services Information Sharing and Analysis Center (FS-ISAC).
“We have concerns that the established lines of communications and operations between the ISACs and the national partnership model can be diluted and rendered less effective,” she says.
Vague language
Anderson points to ambiguities in the February 13 EO creating ISAOs in which the White House stipulated that the DHS's National Cybersecurity and Communications Integration Center (NCCIC) will coordinate with ISAOs. While ISAOs are mandated for critical infrastructure under existing legislation, the Secretary of Homeland Security “shall strongly encourage” the formation of ISAOs in other sectors – including through profit-making businesses.
“We also are concerned about language indicating for-profit companies can form an ISAO,” Anderson says. “All ISACs are [nonprofit] for good reason – our mission is not to make money off of information that is shared.”
Another issue for Anderson (left) is that ISACs embracing companies outside critical infrastructure industries could be left behind in ISAO efforts. “The White House and DHS need to come out and recognize the formal role the ISACs play in critical infrastructure resilience in line with the national partnership model,” she says.
Such a partnership will, in fact, be driven by ISAOs, the record of ISACs notwithstanding, says Eric Burger, a research professor of computer science and director of Georgetown Center for Secure Communications at Georgetown University in Washington D.C. “The issue is that by law and executive order, ISACs are only available to critical infrastructure industries,” he says. “ISAOs extend the ability to protect industries not designated as critical infrastructure.”
The result will be a far greater government role in the coordination of threat intelligence sharing, predicts Dave Frymier, CISO at Unisys, an information technology company based in Blue Bell, Penn. “The reason for involving DHS is to get a central organization to act as a security operations center for the entire country,” he says.
Are skeptics right?
Yet, such centralization of data sharing through ISAOs and the DHS could, in fact, impede the sharing of information, says Adam Vincent, CEO of Threat Connect, an Arlington, Va.-based provider of threat information services. “The fear is that industry is being told that without an ISAO, they shouldn't share.” The reality, he says, is that in the private sector, the best information industries can use is from peers, not the federal government.
Rafal Los, director of solutions research at Accuvant, a Denver-based information security company, makes a similar point. “The addition of ISAOs will likely muddy the waters with more options, thereby adding complexity which is bad for the system,” says Los.
Even if ISAOs make threat intelligence sharing more effective, it won't necessarily improve security, says Larry Ponemon, chairman and founder of the Ponemon Institute, a research think tank. “It seems that it makes good sense to share information between the private sector and the government,” he says. “The problem is that you can have great sharing but lousy data.”
A recent Ponemon Institute survey suggests that many CISOs are indeed doubtful of the utility of such information. The study found that 53 percent of respondents agreed that threat intelligence was critical. But that leaves the other 47 percent unconvinced.
The skeptics are right, says Jeff Williams, co-founder and chief technology officer of Contrast Security, a Palo Alto, Calif.-based application security company. Pointing to the amount of time it's taken to diagnose major attacks at Target and Sony Pictures, he says “everyone will share data that is not very significant.” While he's supportive of collaborative efforts, such as those initiated by the FS-ISAC, he's dubious about ISAOs.
In any case, many companies, mindful of international concerns about U.S. government's access to private data, may steer clear of ISAOs, says Fred Cate a law professor and director of the Institute for Information Policy Research at Indiana University. “For many, the absence of a government connection [in ISACs] is important, because the participants are happy to share data with others, but don't want to share it with the government,” Cate says. “If industry perceives that its participation in an ISAO makes it less able to offer services in Europe, Asia or South America, no matter how strong the trust measures are, companies may still choose not to participate.”
[sidebar]
To share or not: Pitfalls and concerns
With or without ISAOs, indiscriminate sharing of threat intelligence can snarl legitimate business-to-business transactions, says Ron Gula, CEO of Tenable Network Security, a Columbia, Md.-based network monitoring firm. He cites a personal experience in which a business associate couldn't communicate with him because a suspect IP address was hosted somewhere else on the server being used. “Information sharing prevented me from doing business with someone not at fault,” he says.
A potential pitfall of ISAO-led threat information sharing is privacy in the wake of the Edward Snowden revelations, says Juanita Koilpillai, CEO and president of Waverley Labs, a Waterford, Va.-based consulting group. “It's a real fear that organizations have,” she says. “Ultimately, they have to sell this to consumers. If the ISAOs come up with some metadata for industry that is shareable, maybe that would work.”