Sharing information about cyber threats is an essential element of our nation’s approach to cybersecurity. Rapidly sharing threat information allows organizations to take action to discover ongoing cyber-attacks and prevent new incidents. It also enables the entire community to work together to defend against and counter threats. While information sharing alone will not solve our cybersecurity problems, we cannot effectively meet this challenge without it.
On February 13 of this year, President Obama signed Executive Order (EO) 13691 at the White House Summit on Cybersecurity and Consumer Protection on the campus of Stanford University. The EO proposed a structure for organizations to engage in greater information sharing. Through the EO, the President has encouraged communities of interest, whether based on geography, business sector, or a particular event, to form Information Sharing and Analysis Organizations (ISAO). These ISAOs can serve as hubs through which a community can distribute information. As more communities develop their own hubs, they can communicate efficiently between hubs and create a prosperous cycle of information sharing.
As called for in the EO, DHS today named a Standards Organization to establish a common set of voluntary, consensus-based standards related to forming and operating ISAOs. ISAOs' adoption of these standards will empower communities to share information faster and more easily, while reducing the time, cost, and uncertainty for communities that wish to begin sharing information with each other. By empowering easier and faster information sharing, we hope to encourage this practice across and among all sectors, which boosts our collective cyber defenses.
The Standards Organization will engage in an open public review and comment process to develop these standards. This process will take into account the experiences and opinions of those already active in information sharing and those who have been exploring the possibility. Existing information sharing organizations, owners and operators of critical infrastructure, Federal agencies, and other public and private sector stakeholders should all contribute to the standards that the Standards Organization produces. As we learned from developing the Cybersecurity Framework of Standards and Best Practices, the end result is much stronger when we have robust participation from a wide variety of individuals and organizations.
The continued development of the information sharing ecosystem highlights what can be achieved under current law. However, to fully mature this environment, we need Congress to update the laws governing cybersecurity information sharing. We are very encouraged that the Senate has agreed to a path forward to consider this important cybersecurity legislation, and we will continue to work with Congress to ensure passage of information sharing legislation that incentivizes sharing while preserving the long-standing, respective roles and missions of civilian and intelligence agencies and contains appropriate privacy protections. Cybersecurity is an important national security issue, and we call on the Senate to continue its work on this measure as soon as it returns in September so that it can pass the bill expeditiously.
By naming the Standards Organization and getting the standards development process underway, we are taking another significant step towards enhancing the country’s resilience to cyber-attacks. I look forward to seeing the Standards Organization’s output and the growth of ISAOs as a key component in our Nation’s cybersecurity.
Michael Daniel is Special Assistant to the President and Cybersecurity Coordinator