As the Obama administration continues to direct attention to cybersecurity, The University of Texas at San Antonio (“UTSA”) recently won an $11 million grant to develop standards for so-called “Information Sharing and Analysis Organizations” (“ISAOs”). ISAOs are voluntary organizations that collect cybersecurity threat information and share it among their members, with an eye towards preventing and responding to cybersecurity attacks. They are an extension of the sector-specific concept of Information Sharing and Analysis Centers (“ISACs”), which already exist in the aviation, communications, financial services, health, oil and gas, and other sectors of critical infrastructure. For example, the recently formed Legal Services ISAO offers threat-sharing services to law firms. The state of Virginia has also announced its intention to form the first state-level ISAO.
In February 2015 President Obama issued Executive Order 13691 to encourage the formation of ISAOs, and to open the process for the Department of Homeland Security (DHS) to select an organization to develop standards for ISAOs. How will ISAOs interact with their members, each other, and the government? As the selected organization, UTSA will develop standards for ISAOs’ contractual agreements, business processes, operating procedures, technical means, privacy protection, and more. These standards will provide groups that wish to form an ISAO with a model and best practices to follow. Additionally, ISAOs will be able to self-certify to these standards, giving organizations that wish to join an ISAO the ability to assess its capabilities and trustworthiness.
The standards development process will be open to review and comment from both public and private stakeholders. In July 2015 PricewaterhouseCoopers (“PwC”) published a study that offers a preview of the issues that stakeholders will likely want the standards to address. PwC identifies six key issues that can be summarized as follows: (1) recognition of the need to share information, (2) trust among membership, (3) flexible governance, (4) timely and valid intelligence, (5) clearly-defined operational and technical processes, and (6) addressing, where possible, concerns that sharing information can create legal liability. (Notably, although liability concerns are not directly addressable through ISAO standards, they should be kept in mind because they are likely to remain a significant barrier to participation.)
It has been said that sharing accurate and timely cybersecurity threat information is a “necessity, rather than a ‘nice to have.’” UTSA’s work in developing standards will be very important to the use of ISAOs as a vehicle to help fill that need.