Under a new White House order, the Department of Homeland Security (DHS) will select a non-profit organization to create common, voluntary standards for a new type of private sector entity that will become the focal point of sharing cyber threat data with the department’s cyber watch center.
DHS is expected soon to release a Request for Information (RFI) or a survey seeking input about the standards and then eventually release a Request for Proposals (RFP) for a competition to fund the non-profit standards body. A department spokesman told Defense Daily he has no estimate of when either an RFI or RFP will be issued.
The executive order signed by President Barack Obama on Friday says that the creation of these voluntary standards will allow the private sector-led Information Sharing and Analysis Organizations (ISAOs) “to quickly demonstrate their policies and security protocols to potential partners,” which in turn “will make collaboration safer, faster, and easier, and ensure greater coordination within the private sector to respond to cyber threats.”
In January Obama announced a new legislative proposal that among other things would make ISAOs the focal point for sharing cyber threat indicators between the DHS cyber watch center, known as the National Cybersecurity and Communications Integration Center (NCCIC), and the private sector.
The ISAOs could be non-profit organizations, member organizations, or even a single company that shares information among its partners or customers, according to a White House fact sheet released Friday ahead of the new executive order. The White House said that the data breach investigations company CrowdStrike will form an ISAO and that the cyber security firm FireEye, Inc. [FEYE] is launching an information sharing framework that the company calls Global Threat Intelligence Sharing to allow its customers to receive threat indicators in near-real time.
Box [BOX], an enterprise software platform company, will be participating in the standards development process for ISAOs, the White House said.
The ISAOs could also be the existing Information Sharing and Analysis Centers (ISACs) that exist for critical infrastructure and other sectors of the United States economy. ISACs are sector specific—there are nearly 20 of them for industries such as energy, water and finance—and already have information sharing relationships with the NCCIC and with their members.
Scott Algeier, the executive director of the Information Technology ISAC, outlined several concerns regarding the new executive order and the establishment of ISAOs as the focal point of information sharing with the private sector about cyber threat intelligence. One is just the cost for firms large and small that may have to choose which entities they join to be part of an information sharing network.
Another challenge for a small company or utility might be that if it shares data with an ISAO, it may not hear back from the NCCIC, or the NCCIC may lack the staff and expertise to understand the significance of the information, whereas an ISAC will share the information “instantaneously” with its membership, which has the expertise and analytical capability to more quickly act on potential threats, Algeier says.
The ISACs basically already have well-oiled information sharing mechanisms with their members, Algeier says.
Algeier is also concerned about the requirement for the new standards, saying “it’s a voluntary framework but if you don’t adopt it you don’t get information” from the NCCIC. What the standards might be isn’t known at this point, he said, adding that “the devil is in the details.”
“My essential point here is I’ve never heard anyone say that the way to solve the information sharing problem is to create standards for organizations that have been doing it successfully,” Algeier said, referring to the ISACs.
The White House also said that the voluntary standards for ISAOs will include privacy protections.
The executive order was issued in conjunction with an administration-led cyber security summit held at Stanford Univ. that featured government and industry officials in various panel discussions.
The administration wants to incentivize information sharing between the government and private sector by providing limited liability protections to companies that share cyber threat indicators. There are several bills in Congress now that would provide these targeted liability protections to companies.
Ken Chennault, the CEO of the financial services company American Express [AXP], said at the summit that information sharing on cyber threats will provide the highest impact for the lowest cost.
The White House on Friday also announced private sector support for a number of initiatives it launched in the past few years to strengthen cyber space. In support of its trusted identities effort, called the National Strategy for Trusted Identities in Cyberspace, Intel [INTC], American Express, and MasterCard [MA] are all conducting efforts to include biometrics and other multifactor authentication technologies to allow for more secure online transactions.
In line with the Buy Secure Initiative announced last October, the White House said Visa [V], MasterCard, Apple [AAPL], the Financial Services Roundtable, the Retail Industry Leaders Association, and others are making new efforts to promote secure payment technologies.