President Barack Obama, who has characterized cybercrime as a “national emergency” and authorized sanctions against foreign nationals and governments that participate in significant cyberattacks against U.S. interests, says that information sharing programs are a pillar of his defense strategy. That effort is very much a work in progress, security executives and experts say.

The administration wants companies and governments to share more security-related information. Much of that sharing will be facilitated by Information Sharing and Analysis Centers, non-profit groups that support information sharing within industries such as healthcare, information technology and financial services.

Businesses support the idea of a trusted place to share information, and have shown a willingness to participate. However, some say the efforts are still in the early stages and need to be more fully developed before they can provide meaningful results for corporations, especially large ones.

“When you’re a large company, you’re not going to get a lot out of an ISAC,” Hewlett Packard Co. Chief Information Security Officer Brett Wahlin told CIO Journal. H-P has a business in security, and often receives and acts on threat information before it gets out to the public. As a result, H-P receives no actionable information from the IT ISAC, Mr. Wahlin said.

IT executives at other large companies express similar sentiments.

“Most of us are willing to put information into it largely because it provides good initial facilitation and informal networking opportunities,” said Darren Dworkin, CIO of Cedars-Sinai Medical Center and a member of the health care ISAC. As companies and the government create sharing standards, “expectations will mount in terms of the kinds of specific data needed as everybody figures it out.”

During the White House Summit on Cybersecurity, held at Stanford University in February, American Express Chairman and CEO Kenneth Chenault said the government needs to aggressively share security information with the private sector and give companies more incentives to share what they know about the issue with one another. “We source over 100,000 attack indicators yearly from various sources, but only 5% come from industry sharing through our ISAC and less than 1% come from the government,” he said at the time.

In testimony before the Committee on Homeland Security and Government Affairs in January, American Express said the company received 5,000 cybersecurity alerts from the financial services ISAC. Each of those alerts could include several threat indicators or other kinds of security information, a spokeswoman said, expanding upon Mr. Chenault’s earlier remarks. The actual percentage of information American Express gets from the ISAC is unclear, she said. American Express praised its relationship with the FS-ISAC and the practice of information sharing, calling it “one of the best tools any company can have when it comes to cyber protection.”

ISACs can help provide insight into how global events may impact security within a particular industry. The financial services ISAC, which has about 5,500 members, delivers value by giving companies a head start on dealing with potential attacks, said Thomas Bayer, CIO at Standard & Poor’s Ratings Services. “They get pretty prescriptive about what’s going to happen, so that’s a huge value.”

The industry ISACs face their own particular challenges. Sharing is particularly tough within the IT ISAC because many of its members sell cybersecurity products and services. “The challenge for us has been how do we provide value without competing against our members,” said Scott Algeier, executive director of the IT ISAC.

The IT ISAC began as a way to provide early warnings of threats facing the Internet’s infrastructure, Mr. Algeier said. As corporate security tools become more robust, the ISAC can deliver value by providing more advanced sharing platforms and hosting industry discussions with subject matter experts, which can be useful.

ISACs greatly benefit smaller companies that lack the security expertise of large organizations. While they can help develop meaningful relationships among large companies, they have a ways to go before providing a uniform way to deliver the depth of insight large companies can use on a regular basis.

“I would say generally speaking that it’s still industry network connections and industry associations that are still providing more insights into what’s going on,” said Mr. Dworkin, of Cedars-Sinai Medical Center. He welcomed the idea of more sharing from agencies like the FBI and NSA, but said the ISAC still remains a necessary but small part of his security ecosystem.

Source: Steven Norton (Rachael King contributor), CIO Journal, 6 April 2015, to
