Cybersecurity information sharing and collaboration can help organizations and governments protect against cyber attack; such sharing and collaboration increasingly are expected elements of cyber risk management programs. Recently enacted law and guidance in the United States will help to mature and progress information sharing and collaboration, including through automated means. Organizations need to understand these developments and develop strategies to address them.

Where we are today

To date, cybersecurity information sharing and collaboration, whether occurring within the private sector or via private-public arrangements, has been relatively limited. Technical resources and skills to gather indicators for timely, relevant, and actionable analysis are in high demand. The private sector entities that have such resources and skills are motivated to marshal them for their own use given competitive advantage and risk considerations. Legal uncertainty associated with sharing and collaboration has included worries over potential liability for antitrust violations, for sharing inaccurately, for sharing too slowly, and even for sharing at all. And the fact that sharing and collaboration require investments of time, personnel, and technical resources adds to the reasons many organizations approach these information sharing initiatives with caution.

Some information sharing and collaboration among organizations and with government – let’s call it “version 1.0” – has nonetheless been happening. At the national level, the United States has a number of programs through various government agencies: the Department of Homeland Security’s Cyber Information Sharing and Collaboration Program, Cybersecurity Information Sharing Act (CISA) program, and related Automated Indicator Sharing Initiative; the Federal Bureau of Investigation’s InfraGard program; the Department of Energy’s Cybersecurity Risk Information Sharing Program for the electric utility sector; and Information Sharing and Analysis Councils, supported by a government agency for each of the 16 “critical infrastructure” sectors. And within the private sector, a number of companies often share information, frequently informally or through closed-access networks.

In the United States, the adoption of CISA in December 2015, the issuance of implementing guidance by the Departments of Homeland Security and Justice in February 2016, and complementary efforts under Executive Order 13691 are likely to bring about a significant change in the way information sharing and collaboration works. Under CISA, a company following specific procedures and guidelines issued by the DHS and Department of Justice can receive some protection against liability associated with the act of sharing and receipt of cyber-threat indicators and defensive measures. Within the U.S. government, new guidelines will help cyber threat indicators and defensive measures received from the private sector to be more widely and consistently shared, subject to limitations that protect the confidentiality of the submitter and the privacy and civil liberties of individuals who may be identified in the shared information.

The changes put in motion by CISA and related executive branch actions are expected to reverberate internationally. As mandated by Executive Order 13691, efforts are already underway by the DHS to set up a non-governmental entity to set standards for information sharing and analysis organizations (ISAOs). These efforts will include international groups of experts who can help craft and refine standards and best practices for standing up and organizing an ISAO, facilitating information sharing and collaboration among its members and between other organizations, and defining state-of-the-art technical approaches to information sharing. The international nature of these standards-setting activities means that these approaches will likely be influential in more than just the United States.

Internationally, national computer security incident response teams (CSIRTs) and computer emergency response teams (CERTs) have proliferated. CSIRTs and CERTs are usually national-level organizations that provide a coordination and response function that may be governmental, quasi-governmental, or entirely private-sector based. The Forum of Incident Response and Security Teams (FIRST) provides a multilateral framework for collaboration and sharing between incident response teams. Many CSIRTs and CERTs also maintain bilateral relationships of varying levels of cooperation.

In addition, technical standards that promise to enable efficient information sharing at scale are emerging. For example, DHS-led efforts to develop the Structured Threat Information eXpression (STIX) language and the Trusted Automated eXchange of Indicator Information (TAXII) framework were transitioned in 2015 to an international standards body, the Organization for the Advancement of Structured Information Standards (OASIS), which is expected to help promote the development and adoption of these standards.

What’s next?

“Version 2.0” of cyber-information sharing and collaboration is already arriving. As the recent changes described above start to remove technical, business, and legal barriers, basic cyber-threat intelligence is poised to transition from a revenue-generating resource to a public good. However, with these changes come new technical challenges, market opportunities, and new legal risks. From a technical perspective, for example, expanded sharing will require bigger “pipes” to move data efficiently, more storage to hold data, and more sophisticated algorithms to detect cyber threats. For organizations, there will be questions about how to take advantage of liability protections afforded under CISA to protect the sharing and receipt of threat information.

The evolution in cyber information sharing and collaboration, enabled by CISA and related actions by the executive branch, is the next step in the maturation and evolution of the United States’ cybersecurity strategy. We will see continued change. In the meantime, businesses and governments at all levels now have ample reason to recalibrate their information-sharing and collaboration relationships to take advantage of the liability protection and other benefits the recent changes provide.

Image credit: Adam Harvey