Data breaches make for strange bedfellows/hookups. As the effects from the Target breach continue to ripple out, the Retail Industry Leadership Association (RILA) and a group of top retailers who might ordinarily be viewed as competitors have joined forces to launch the Retail Cyber Intelligence Sharing Center (R-CISC) to share information on cyber threats with each other and with private and public entities such as the FBI, the Secret Service and the Department of Homeland Security, according to RILA.
The group, which includes retail luminaries Lowe's, The Gap, Target and Nike, came together to fight “increasingly sophisticated methods of attack” employed by cyber criminals, Sandy Kennedy, president of RILA, said in a statement sent by email correspondence to SCMagazine.com.
“Retailers place extremely high priority on finding solutions to combat cyber attacks and protect customers,” Kennedy noted, adding that “the R-CISC is a comprehensive resource for retailers to receive and share threat information, advance leading practices and develop research relevant to fighting cyber crimes.”
What emerged from the alliance of retailers, cyber experts and government entities is a three-pronged R-CISC that includes a Retail Information Sharing and Analysis Center (Retail-ISAC) for identifying real-time threats and sharing actionable information to lessen the impact and risk of cyber attacks. Another component covers education and training for the retail community on the best practices for sharing information and guarding against cyber criminals. The final prong is research, which includes collaborating with academia to generate research on potential threats and emerging technologies to mitigate and thwart them.
Saying he was “extremely impressed” by the commitment of RILA and its members to best practices as well as the thoroughness of their information-gathering, Steven Chabinsky, general counsel and chief risk officer of CrowdStrike and former deputy assistant director of the FBI's Cyber Division, told SCMagazine in Thursday email correspondence that the group took the “most important first step” months ago by “getting a critical mass of the retail industry to commit to spending valuable time and resources on confronting this problem.”
Equally important, the retailers were able to overcome any concerns that they may have had about revealing competitive information.
“Some [companies] don't want their competitors to know that they have vulnerabilities, unless they have a sense that everyone has the same vulnerabilities, because they don't want to look weak,” Chabinsky said. “Other companies might not want to share a solution if they think it gives them an advantage as being the strongest.”
In addition, “there is always a trust aspect regarding what is shared and how confidentiality will be maintained. All of these things lead to sharing, but the question is to what level of detail?” added James Mobley, president and CEO of Neohapsis, in a statement sent to SCMagazine.com in a Thursday email correspondence. But he noted that sharing “given the potential impact of cascading cyber-attacks, is much more important than staying a half step ahead of a competitor by limiting the flow of critical security information.”
And, once companies acclimate to working together and “have good protocols in place to anonymize the sources of certain information and when appropriate to give credit to those who provide helpful information, those barriers break down,” Chabinsky said.
The Federal Trade Commission (FTC) and Justice Department recently made it much easier for companies to share threat information without raising antitrust concerns. “So that's not a stumbling block here,” Chabinsky said.
[An earlier version of this story incorrectly stated Steven Chabinsky's title and misattributed a quote from him].