Tuesday, February 17, 2015

Executive Order Promoting Private Sector Cyber Info Sharing

On February 13, 2015 -- a year plus one day after the President's Executive Order directing NIST to build the new Cybersecurity Framework -- President Obama issued an Executive Order entitled Promoting Private Sector Cybersecurity Information Sharing.

There are seven sections to the four-page Order including:

  1. Policy
  2. Information Sharing and Analysis Organizations (ISAO)
  3. ISAO Standards Organization
  4. Critical Infrastructure Protection Program
  5. Privacy and Civil Liberties Protections
  6. National Industrial Security Program
  7. Definitions

The fundamental aspect of the EO is to emphasize that "...entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible."

The EO also notes that information sharing must:
  • ...be conducted in a manner that protects the privacy and civil liberties of individuals
  • ...preserves business confidentiality
  • ...safeguards the information being shared, and
  • ...protects the ability of the Government to detect, investigate, prevent and respond to cyber threats...
Certainly commendable policy and something the industry has needed/wanted for years.

Information Sharing and Analysis Organizations (ISAOs)

The Order directs the Secretary of the Department of Homeland Security to "...strongly encourage the development and formation of..." ISAOs.

The Order offers some details on how the ISAOs should be organized and how their membership can draw on public or private sectors, and offers the option for the ISAOs to be formed as for-profit or nonprofit entities.

The National Cybersecurity and Communications Integration Center (NCCIC) is ordered to engage in "...continuous, collaborative, and inclusive coordination with ISAOs on the sharing of information..."

ISAO Standards Organization

The Secretary of DHS is ordered to "...enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization (SO), which shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order."

Observations and Questions

It is commendable that President Obama has stepped forward -- again -- to help raise awareness and take action relative to the issue of cyberthreats to our country, economy and its businesses and citizens.  However, a question continues to be raised with this Executive Order.  That question really is ... "Aren't we already doing this with Information Sharing and Analysis Centers (ISACs)?"

ISACs have been around since May 1998 and were established under the auspices of Presidential Decision Directive 63 (PDD-63) signed by President Clinton.  If you look at the National Council of ISACs website you will note that the definition of an ISAC is:

ISACs are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors and with the government. ... Services provided by ISACs include risk mitigation, incident response, alert and information sharing.  The goal is to provide users with accurate, actionable, and relevant information.

And in another white paper on the subject, a description of an ISAC includes the following:

By definition, an ISAC is a trusted, sector-specific entity which performs the following functions: 
  • provides to its constituency a 24/7 secure operating capability that establishes the sector’s specific information sharing/intelligence requirements for incidents, threats and vulnerabilities; 
  • collects, analyzes, and disseminates alerts and incident reports to its membership based on its sector-focused subject matter analytical expertise; 
  • helps the government understand impacts for its sector; 
  • provides an electronic, trusted capability for its membership to exchange and share information on cyber, physical and all threats in order to defend the critical infrastructure; and 
  • shares and provides analytical support to government and other ISACs regarding technical sector details and in mutual information sharing and assistance during actual or potential sector disruptions, whether caused by intentional, accidental or natural events. 

Isn't an ISAC filling part of the role of the ISAO discussed in the Executive Order?  Can't ISACs continue with their current roles and capture the essence and elements of the Executive Order?

The idea of establishing a new bureaucracy and hierarchy of ISAOs that essentially parallels the current ISAC structure and functions does not appear to be very efficient. It could lead to more confusion, increased bickering and "turf wars", and ultimately fail to help or encourage the effective information sharing needed to better protect our country, economy, businesses and citizens.  At a minimum, it is highly recommended that the Department of Homeland Security take the time to compare the existing efforts of the ISACs against the Executive Order and build upon those efforts, rather than push through a distracting, parallel effort.