Private Sector to Develop ISAO Standards
Relying on Industry to Define How to Share Threat Data
The federal government plans to let businesses lead the way in creating standards for cyberthreat information sharing and analysis organizations, much as it did when it created a cybersecurity framework.
"It won't look exactly like the effort to develop the cybersecurity framework, but it won't be dramatically different, either," Andy Ozment, Homeland Security assistant secretary for cybersecurity and communications, tells Information Security Media Group. "The outcome is that the private sector will again have convened and come up with a set of best practices."
ISAOs, called for in an executive order signed last month by President Obama, would be the primary vehicle businesses would use to share cyberthreat information with the federal government and each other (see President Obama Grapples with Cyber Challenges).
To identify best practices for the cybersecurity framework, the National Institute of Standards and Technology held a series of workshops across the country that attracted hundreds of private-sector stakeholders who contributed ideas that were eventually incorporated into the well-received series of IT security best practices issued in February 2014 (see NIST Releases Cybersecurity Framework).
The Department of Homeland Security is taking a different tack to get ISAOs operational. Instead of conducting workshops, DHS will hold competitions to select private-sector groups known as ISAO standards organizations to develop the guidelines for the creation and operations of ISAOs.
Still, Ozment says, the government will make suggestions to the standards groups on ISAO guidelines. But, he adds, "ultimately it will be up to the private sector to say, 'These are the practices that we think matter most that constitute an effective ISAO.'"
Andy Ozment discusses the government's vision for ISAOs. In his remarks, he references NCCIC, National Cybersecurity and Communications Integration Center; the Einstein intrusion prevention initiative; and CDM, continuous diagnostics and mitigation.
Information sharing is among the hottest topics in cybersecurity these days. Besides the executive order and last month's White House Summit on Cybersecurity and Consumer Protection at Stanford University in which information sharing dominated conversations, competing bills to encourage companies to engage in cyberthreat sharing are being debated in Congress.
At the summit, the White House announced that two organizations had expressed interest in creating ISAOs: the IT security firm Crowdstrike and the Entertainment Software Association. Neither organization has posted information on their websites regarding the creation of ISAOs, and they did not respond to repeated requests for comment on the White House announcement.
Lack of Commitment?
But according to the website GamesPolitics.com, the ESA issued a statement that says, "ESA has not committed to any particular approach to cybersecurity threat information sharing at this time. ESA will continue to engage with congressional leadership and the executive branch on policy initiatives aimed at protecting consumers, networks and services from attacks."
Ozment declined to discuss specifics regarding the ESA and Crowdstrike creating ISAOs, but says a number of officials from private-sector organizations have told him they're interested in creating ISAOs. "We have a lot of interest in folks who want to become an ISAO," he says.
For now, he says, government officials advise those interested in creating ISAOs to get involved in developing guidelines, pointing out that industry involvement in creating the cybersecurity framework served as an unintended educational effort on security best practices. Similarly, he says, getting involved in developing ISAO best practices should help organizations gain a better understanding of cyberthreat information sharing.
When ISAOs begin sharing cyberthreat information with the government, it will mostly be exchanged computer to computer, employing two standards: STIX (structured threat information expression), a standardized language that represents structured threat information, and TAXII (trusted automated exchange of indicator information), the transport mechanism to share cyberthreat information between computers.
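The computer-to-computer exchange described above means a receiving organization never sees a human-written report, only structured objects it must check before acting on them. The following is an added example, not code from the article, DHS or any ISAO: it takes a TAXII-style envelope (the JSON body a TAXII 2.1 collection returns) carrying STIX indicators, validates each indicator's required fields, identifier format, validity window and pattern, and turns the acceptable ones into blocklist-ready observables. It assumes the STIX 2.1 JSON serialization, which postdates the XML-based STIX the article is describing, and all sample objects are constructed.

```python
"""Validate shared STIX 2.1 indicators from a TAXII envelope before use.

Added example (not the article's or DHS's code). Assumes STIX 2.1 JSON and a
TAXII 2.1 envelope ({"objects": [...]}); all sample data is constructed.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

# STIX 2.1 identifiers look like "<type>--<UUID>".
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Only the simplest STIX pattern form is accepted here: one equality comparison,
# e.g. [ipv4-addr:value = '203.0.113.7']. Anything else is rejected, not guessed.
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'\]$")
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")

# Constructed TAXII 2.1 envelope: one good indicator, one malformed, one expired.
SAMPLE_ENVELOPE = json.dumps({"objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--0c7c2b74-8a6e-4b1e-9a3f-1d2e3f4a5b6c",
     "created": "2015-03-10T12:00:00.000Z", "modified": "2015-03-10T12:00:00.000Z",
     "name": "Constructed C2 address",
     "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
     "valid_from": "2015-03-10T12:00:00.000Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--not-a-uuid",  # malformed id, complex pattern: rejected
     "created": "2015-03-10T12:00:00.000Z", "modified": "2015-03-10T12:00:00.000Z",
     "pattern": "[ipv4-addr:value = '203.0.113.8' OR ipv4-addr:value = '203.0.113.9']",
     "pattern_type": "stix", "valid_from": "2015-03-10T12:00:00.000Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--7f1e9b2a-3c4d-4e5f-8a9b-0c1d2e3f4a5b",
     "created": "2015-03-01T00:00:00Z", "modified": "2015-03-01T00:00:00Z",
     "pattern": "[domain-name:value = 'constructed.example']", "pattern_type": "stix",
     "valid_from": "2015-03-01T00:00:00Z",
     "valid_until": "2015-04-01T00:00:00Z"},  # already expired at ingest time
]})


def parse_ts(value):
    """Parse a STIX timestamp (UTC, with or without fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad timestamp: {value!r}")


def validate_indicator(obj, now):
    """Return a list of problems; an empty list means the indicator is usable."""
    problems = [f"missing {f}" for f in REQUIRED if f not in obj]
    if problems:
        return problems
    if obj["type"] != "indicator" or not obj["id"].startswith("indicator--") \
            or not STIX_ID_RE.match(obj["id"]):
        problems.append("malformed type or id")
    if obj["pattern_type"] != "stix":
        problems.append("unsupported pattern_type")
    try:
        valid_from = parse_ts(obj["valid_from"])
        if valid_from > now:
            problems.append("not yet valid")
        if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            problems.append("expired")
    except ValueError as exc:
        problems.append(str(exc))
    match = PATTERN_RE.match(obj["pattern"])
    if not match:
        problems.append("unsupported pattern")
    elif match.group(1) == "ipv4-addr":
        try:  # a value destined for a firewall must actually be an IPv4 literal
            ipaddress.IPv4Address(match.group(3))
        except ValueError:
            problems.append("ipv4-addr value is not an IPv4 address")
    return problems


def ingest_envelope(raw_json, now):
    """Split envelope indicators into blocklist-ready observables and rejects."""
    accepted, rejected = [], []
    for obj in json.loads(raw_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # other STIX object types are out of scope here
        problems = validate_indicator(obj, now)
        if problems:
            rejected.append((obj.get("id"), problems))
            continue
        otype, prop, value = PATTERN_RE.match(obj["pattern"]).groups()
        accepted.append({"id": obj["id"], "object": otype,
                         "property": prop, "value": value})
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = ingest_envelope(SAMPLE_ENVELOPE, datetime(2015, 5, 1, tzinfo=timezone.utc))
    for item in ok:
        print("BLOCK", item["object"], item["value"], "from", item["id"])
    for ident, why in bad:
        print("REJECT", ident, ";".join(why))
```

The design point is that a feed partner's data is treated as untrusted input: an indicator that is malformed, expired or carries a pattern the consumer cannot interpret is logged and dropped rather than pushed to enforcement, which is what keeps an automated exchange from turning a bad upstream record into a self-inflicted outage.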
Andy Ozment explains STIX and TAXII.
"We have been planning on this approach for a long time," Ozment says, noting that several years ago, DHS sponsored the development of STIX and TAXII. By relying on computer-to-computer communications, he says, "we're acting as fast as the bad guys, for once."
The Treasury Department and the Financial Services Information Sharing and Analysis Center have been using STIX and TAXII to share cyberthreat information. Treasury Assistant Secretary Amias Gerety, in a blog, says the cyberthreat information sharing between the department and FS-ISAC "enhances the value of this information by accelerating the process by which it is shared and utilized."