Voluntary cyberthreat information-sharing groups (ISAOs) would have to meet certain baseline standards and would be able to seek third-party certification of their capabilities under a proposal unveiled Wednesday.
Third-party verification is essential for scalability of trusted information-sharing, explained Gregory White, executive director of the Information Sharing and Analysis Organization Standards Organization, or ISAO-SO.
“When we have thousands of ISAOs out there, how the heck do I know who I can trust?” asked White, a University of Texas San Antonio computer science professor. He compared certification to the security clearance individuals need to access classified information.
“Because you have that clearance, I know certain things about you have been verified by a trusted third party … I know I can trust you with certain kinds of information,” he said, adding it was a scalable alternative to developing face-to-face or individual trust relationships.
But he acknowledged the move would prove controversial among ISAOs, many of which feel they lack the resources for such procedures.
ISAOs were initially envisaged in a February 2015 executive order signed by then-President Barack Obama, “to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government … An ISAO could be a not-for-profit community, a membership organization, or a single company facilitating sharing among its customers or partners,” explained a White House factsheet.
ISAO-SO was established in October 2015 to write voluntary standards for such organizations, which vary tremendously in size and composition. White said what he called “the ISAO ecosystem” encompassed organizations as large as the Retail Cyber Intelligence Sharing Center (R-CISC), with members including Lowe’s, Walgreens and Starbucks; and as advanced as the Financial Services Information Sharing and Analysis Center (FS-ISAC), which offers its members access to a sophisticated intelligence-sharing infrastructure.
At the other end of the scale, Smith said, was the South Texas Mariachi Band ISAO, which meets monthly or so for lunch, where its members swap cybersecurity advice and experiences with invited speakers from local universities and business associations.
“It’s a very broad spectrum,” White said.
Part of the remit of the ISAO-SO when it was established by the Department of Homeland Security “was to take a look at this whole concept of self-certification. And even self-certification wasn’t a popular topic” when it was first discussed a year ago.
The issue was so divisive that the organization agreed to table it for a year, he said.
“Well, it’s been a year,” he said. “We want to get that conversation started…. We’ve decided that we want to do it.”
Self-certification would be voluntary, he explained. “You can be registered as an ISAO and not self-certify,” he said. “If you don’t want to certify, that’s fine … But if you do, I know certain things about you … I can have a certain level of trust.”
Groups could self-certify against “minimal” baseline requirements set out by ISAO-SO. “They are pretty basic,” White said of the so-called “foundational capabilities,” outlined in a draft document published Monday.
Would the South Texas Mariachi Band ISAO meet those baseline requirements?
“Think about it,” White said. “Are they receiving and sharing information? … Are they performing analysis? If you get a notification about some cyber event going on and you think to yourself, ‘Hmmm, the rest of the group should see that,’ … you’ve just had a basic level of analysis done,” he explained.
Beyond self-certification to the minimal baseline, third-party verification would provide additional assurance about other ISAO capabilities, White said. “Before the [DHS National Cybersecurity & Communications Integration Center, or] NCCIC is freely going to share information with you, they may want you to be doing other things [in addition to the foundational capabilities]; to have gone through some other process … State governments might have their own requirements … beyond the baseline … That’s where third-party certification comes in.”
He said the group would shortly draft and publish for public comment “our first thoughts about what self-certification and baseline certification should be. And we’ll see what people think.”
White said some of the opposition last year came from the larger, more established end of the ISAO ecosystem spectrum — the 21 sector-specific Information Sharing and Analysis Councils, or ISACs, established during the Clinton administration to share threat information among the owners and operators of vital national industries like banking, telecommunications and power.
“What happens if one of those ISACs can’t do what we have laid down [as a baseline capability]?” he asked. “All those ISACs … They didn’t want us coming out and telling them how to do their business, which they’ve been doing a dozen years.”