The Need for a Cybersecurity Neighborhood Watch

As we closed the ISAO SO’s first full year of existence, I was inspired to revisit a theme taken from a thought piece I wrote for United States Cybersecurity Magazine on the need for a cybersecurity neighborhood watch. It’s an analogy I first heard expressed by Brigadier General Greg Touhill (the first Federal CISO), and a topic I often talk about while on the road speaking to groups within the information sharing community across the country. I’m interested in hearing your take on the information sharing landscape and how communities of interest across sectors are voluntarily coming together to create deeper and broader networks of information sharing nationally.

As crime rates rose in the early 1970s, Americans began coming together to improve the security of their neighborhoods; they established stronger communities, and built trust that brought members together to deter would-be criminals. Neighbors exchanged ideas and best practices for securing their homes and protecting themselves, keeping an eye out for unusual or suspicious activity in their streets and parks. They shared information with one another and the local police. When crimes did occur, they leaned on one another for support and shared the lessons these incidents taught so that every neighborhood household would be better prepared.

The challenges facing the internet today are similar to those first tackled in our 1970s neighborhoods. As businesses and government agencies struggle to confront an increasingly challenging cybersecurity environment, adversaries continue to reap regular (and often spectacular and public) successes. The cybersecurity problem is becoming more pervasive and complex, resulting in an urgent need to establish flexible, collaborative security mechanisms for our common defense. We need an effective cybersecurity neighborhood watch program. The good news is that we’ve been working hard to roll out such a program.

Following the directive issued by the president in Executive Order (EO) 13691 to promote broader cybersecurity information sharing, the University of Texas at San Antonio, LMI, and the Retail Cyber Intelligence Sharing Center (R-CISC) have been working together as the ISAO Standards Organization (ISAO SO). As a non-governmental organization, the ISAO SO has actively engaged in an open, public dialogue to develop voluntary standards and guidelines for the formation and functioning of ISAOs. ISAOs are strictly voluntary organizations that are conceptually similar to Information Sharing and Analysis Centers (ISACs), but differ in that they are not tied to critical infrastructure and may reflect a broader range of capabilities. Additionally, each ISAO may determine for itself whether it will share information with the government. Any group with a shared interest in collaborating to improve its members’ individual and collective cybersecurity posture can form an ISAO.

What makes the ISAO construct so powerful is its potential to widely and rapidly propagate critical cybersecurity threat and incident response information across numerous communities of interest that are currently underserved from a cybersecurity perspective. By establishing a scalable model, ISAOs can be constructed to meet the modest needs of a niche local market or the challenging demands of an 8,000-company software trade association. The Cannabis Retailers of Colorado may choose to share within a small, relatively closed group, while the National Association of Defense Manufacturers may elect to routinely exchange information between members and the federal government.

We are now in a position to create a national network of ISAOs that could rapidly share information about threats at a pace and scale that would dramatically reduce the effective lifespan of an adversary exploit and alter the balance between offense and defense. We’ve been in touch with 40 ISAOs and ISACs that are actively sharing information to support their constituents, and new ISAOs are continuously forming. With the help of over 160 volunteer experts from industry, government, and academia, we published our initial voluntary guidelines at the end of September and are beginning work on the next series of documents that will help evolve our community body of knowledge by exploring topics such as automated information sharing, FAQs on ISAO governance and legal issues, an introduction to analysis, and an examination of state and local issues impacting information sharing. In addition to our monthly public meetings, we’re conducting monthly roundtable discussions for ISAO leaders and are making plans for an inaugural International Information Sharing Conference.

Our economic and national security is at stake, but the ISAO SO and the information sharing community are committed to changing the landscape by creating a more secure and resilient Nation that is connected, informed, and empowered. Please share your successes and challenges, and join us in building a strong and vibrant cybersecurity neighborhood watch.