by David Burg. A few weeks ago, PwC delivered to the White House, and made public, our Study and Considerations of Information Sharing and Analysis Organizations. Ever since President Obama issued Executive Order 13691 in February, promoting Information Sharing and Analysis Organizations (ISAOs), the private and public sectors have been trying to make sense of just what ISAOs should do, how they should do it, and how to incentivize ISAO participation. The paper makes recommendations on these core issues, explains where consensus exists, and focuses attention on the areas that need prompt deliberation and agreement. Much progress has been made, but much work remains.
This is no academic exercise. First, there is an undeniable need for an additional model for information-sharing and analysis to try to fill the gaps that current groups do not reach. Second, both public and private sector entities have already announced plans to form ISAOs notwithstanding that important issues need to be resolved to maximize their effectiveness. To be sure, we will all benefit and learn from these pioneers’ first efforts, but the stakes are too high to leave this to trial and error.
Consequently, PwC’s paper recommends what we believe are critical attributes ISAOs must have to succeed, and then identifies four fundamental issues that stakeholders must address. The paper is based on PwC’s analysis of a half-day summit we hosted with participants from the private sector, government, think tanks, academia, and on subsequent interviews with private and public stakeholders.
As the paper details, ISAOs should comprise six key attributes to maximize their success:
- A trust-group approach to membership, where rules such as those governing membership, size, expectations, and roles are all aligned to maximize members’ trust in each other;
- Governance and process standards that allow for flexibility, so that these standards can apply equally to ISAOs organized around industries, geographies, issues, events, and other bases;
- Timely and reliable cyber intelligence, emphasizing both the need for speedy delivery of information and for validating that information’s utility before delivery;
- Common vernacular and technical specifications to make information-flow as smooth and actionable as possible;
- Scalability, so that information can flow to those who need it; and
- Government’s participation as a peer, not as a convener or manager.
While the paper explains each of these recommendations, it also identifies four important areas on which stakeholders must work promptly. First, stakeholders must reach consensus on convening and governance standards, as current standards vary widely among the existing information-sharing and analysis groups. Moreover, the Department of Homeland Security should research what key performance indicators have previously been developed for threat intelligence and information-sharing, and which of these could be applied to an ISAO to track its progress and value.
Second, while we want ISAOs to be scalable, there is no doubt that at some point size and trust in an organization become negatively correlated, and trust will be crucial to ISAOs’ success. Stakeholders, however, are currently stymied in determining optimal size and scalability due to the apparent lack of academic research on this topic. Such research would be welcome and put to good use.
Third, when it comes to uniform adoption of technical specifications for sharing information, there are two prominent standards in use: the Trusted Automated eXchange of Indicator Information (TAXII), a transport protocol, and the Structured Threat Information eXpression (STIX), a data format. It is not clear, though, whether these are the best protocol and format for transmitting threat information or simply the best currently available. Stakeholders need to focus on this.
Finally, stakeholders must determine the best role for the U.S. government. While everyone agrees that it should not manage ISAOs, there is not yet agreement on the best approach to facilitate information flow between the private and public sectors. For example, U.S. agencies could act as ISAO members or form their own ISAO, which in turn would share information with other ISAOs and information-sharing and analysis groups.
To help address some of these issues, PwC will continue to help move the conversation forward, in part by keeping an open dialog with stakeholders and by convening additional summits in the coming months with consumer and privacy advocates, additional private sector representatives, multinationals, and others. Among the additional issues stakeholders might need to contend with is the outcome of cyber legislation in the U.S. Congress. As of now, the prospects do not look good for its passage, yet the bill contains liability protections important to the private sector. Without those protections, all of us will have to work that much harder to maximize the private sector’s participation in ISAOs. At this point, it is too hard to predict the impact if the legislation fails, but market forces may well shape the future as much as anything.
In too many ways, these are trying times for cybersecurity, but ISAOs and other developments make these exciting times as well.