Information sharing at work
There's been quite a bit of lip service paid to the ages-old concept of information sharing.
Early this year, President Obama came out with an Executive Order to encourage private sector companies to share threat intelligence data about cybersecurity risks and incidents with each other and the federal government in hopes of better addressing the rising number of cybercrimes. Among the many parts comprising this order, Obama noted that the Secretary of Homeland Security will push the creation of Information Sharing and Analysis Organizations (ISAOs) to establish the mechanisms and coordination of these efforts so that the best information is shared and privacy and civil liberties won't be trampled.
After this, it was just in April that we saw the House of Representatives pass bipartisan IT security legislation in an effort to make it easier for companies to share threat data with the federal government to combat cybercriminals. Two bills passed: One that raised the ire of privacy advocates, who noted that the act was nothing more than a means to engage in surveillance of private citizens (Protecting Cyber Networks Act); and another, which will allow companies to share information about data breaches with the Department of Homeland Security (DHS) and didn't raise the same privacy worries as the former (National Cybersecurity Advancement Act).
We've still seen nothing on information sharing from our senators, but, as I write this, they must mull over and decide whether or not to reauthorize the USA PATRIOT Act and its far-reaching surveillance provisions. How long the debate lasts on whether we'll see the sunset of this infamous piece of legislation, combined with still other decisions the Senate must make, will likely determine whether we hear anything further on these newest information-sharing laws.
Whatever the Executive Office or our usually bickering lawmakers decide on these initiatives, I can't help but think such acts will do little to prompt the degree of extensive and useful to-and-fro among companies and between private and government sectors necessary to help stem the impacts of cyberattacks. As I noted at the start, debate around information sharing is ages old and yet here we are today still talking about ways to make it happen effectively.
Where talk has been replaced by action is in the Information Sharing and Analysis Centers, which focus on such industries as financial services, information technology and health care. With volunteers from both private companies and government agencies, ISACs engage in everything from drills and exercises to classified briefings to liaising with DHS during significant incidents.
Over the years, their development has been hugely beneficial to the many participating ISAC representatives and their companies, helping them to better understand IT and physical threats and to share ideas for combating them. And, just at the time of this writing, it was announced that a new Retail Cyber Intelligence Sharing Center (R-CISC) will enlist advisory services, best practices, operational support and other resources provided by the Financial Services ISAC (FS-ISAC), which should help to grow its membership quickly and furnish cross-sector collaboration and information sharing between the two industries, which is sorely needed.
Such cooperation and partnering among private entities will go a long way in continually bolstering the processes and methods used to combat cybercriminals of all sorts and the many attacks they're increasingly launching against organizations.
All the while, lawmakers and other elected officials can continue doing little more than nonsensically arguing and unthinkingly peacocking while trying to fulfill obligations to elitists who helped get them into office in the first place.