Information sharing is taking back seat to NSA reform

Initiatives from the private sector and even a new program from the Department of Homeland Security are outpacing the legislative process on the urgent matter of cybersecurity information sharing.

Improved sharing of “threat indicators” between government and industry has been identified by major business groups and some — though not all — security experts as the top priority right now for cybersecurity policymakers.

It’s a good thing someone is taking action, because information sharing and other cybersecurity issues are stuck on pause in Congress.

It’s possible that a cybersecurity information-sharing bill will find its way to the Senate floor in June, but that’s far from certain. Congress continues to struggle with government surveillance reform, an issue blocking the path forward for unrelated cyber legislation.

The Senate was to return Sunday to take up the surveillance issue, and the House is back today following the week-long Memorial Day recess.

The House approved bipartisan info-sharing legislation in April, but the issue has been trapped in the Senate behind the unrelated battle over National Security Agency surveillance activities. The Senate Intelligence Committee passed an information-sharing bill in March on a 14-1 vote, earning rare White House praise in the process.

Alas, that bill has been buried ever since.

“Unfortunately, information sharing is taking a back seat to NSA reform,” commented Josh Magri of the Financial Services Roundtable. “Information sharing is a really critical piece of legislation.”

The pending cybersecurity legislation, with liability protection for companies that share threat data among themselves and with government, is seen as an important first step. Industry groups warn that info-sharing won’t reach its full potential absent a proper legal framework.

“It’s a step we can rally around and build on,” said Juniper Networks vice president Robert Dix, a former Hill aide on security and technology issues. “It doesn’t do much to address government sharing with industry, but it does recognize that steps need to be taken and it’s a start.”

In the meantime, industry groups are making their own moves to improve exchanges of threat data. Such collaboration is seen as essential to identifying cyber threats that could conceivably black out entire regions or explode gas lines.

The Justice Department and Federal Trade Commission have issued guidance saying that such sharing is in the national interest and does not run afoul of antitrust law.

In the energy sector, the natural gas industry recently launched a cybersecurity “information sharing and analysis center,” known as an ISAC.

The electricity sector is engaged in a deep-dive examination of its existing ISAC, with an eye on significant enhancements.

Among other initiatives, the financial sector has assisted retailers in standing up an info-sharing body to help block an unremitting stream of attacks against some of the best-known businesses in the United States.

Cyber info-sharing, in fact, is widely seen as a growth industry.

An ISAC established years ago to help defend industrial control systems — the devices that run factories and all kinds of plants and facilities — is branching out and launching info-sharing bodies for the insurance and legal sectors.

These would be established under the “Information Sharing and Analysis Organization” structure promoted by President Obama’s February executive order on information sharing, according to Chris Blask, the group’s executive director.

Blask engineered a merger between his industrial-based ISAC and Webster University’s Cyberspace Research Institute expressly to capitalize on opportunities in the info-sharing area.

Within this bowl of alphabet soup, ISAOs could be developed along flexible lines, covering regions, supply chains or even lawyers, while ISACs cover specific industry sectors.

“The Sony Pictures hack may indicate the need for the ‘ISAO’ structure,” noted an industry source, who observed that ISACs are designed to protect critical infrastructure like power grids, not movie studios.

The Department of Homeland Security last week issued a solicitation for bids for a private-sector body to develop “best practices” and manage standards for the ISAOs, a process likely to draw plenty of energetic bidders.

The winning bid will receive an $11 million grant to run the body for five years.

Industry standards organizations, universities and nonprofit groups are among the possible bidders, along with an assortment of private-sector entities.

“Our hope is the ISAO structure is a complement to the traditional ISAC system,” said Magri. “To the extent that it stays complementary, I’m very supportive of the ISAOs.”

Others, including Dix, worry that the ISAOs are something of a distraction.

“I hope in the conversation around ISAOs we can step back and look at the model,” Dix said, noting that ISACs evolved from a 1998 presidential policy directive. “Does the model still work? Are there gaps, and how can we fill them? Can these affinity groups [ISAOs] help? That’s the conversation I’d like to see.”

The question, Dix said, is: “What do we need to do to raise the bar across the community?” Dix would like to see more resources devoted to improving existing info-sharing structures and bolstering the nation’s “operational capacity” to detect and thwart cyber attacks.

Another question: When will Congress step up and fulfill its role in this process?

Eventually, the 114th Congress may catch up and pass information-sharing legislation, just as the 113th Congress rallied in December to pass a few cybersecurity bills.

But time is not an ally when it comes to improving cybersecurity.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
