Implementing the Executive Order on Improving the Nation’s Cybersecurity
By Scott C. Algeier, IT-ISAC Executive Director
The IT-ISAC appreciates the seriousness of the cyberthreat facing the United States and companies across the globe. Our members are on the front lines defending the digital infrastructure that propels today’s global economy. IT-ISAC members and the customers they serve are attacked every day.
In 2000, a small number of leading technology companies established the IT-ISAC to help the industry defend against these threats. Today, IT-ISAC membership includes well over 100 companies from three critical infrastructures—IT, Food and Agriculture, and Elections. The collaboration within the IT-ISAC is strong and effective.
The IT-ISAC is a tried-and-true mechanism for information sharing, serving as a force multiplier by providing members access to information, analysis, and expertise from peers within the IT-ISAC. Our global partnerships and engagement with the National Council of ISACs also provide us with access to analysts and insights from throughout the critical infrastructure community. There is no set of companies more aware of the complex nature of cyberthreats than IT-ISAC members.
The IT-ISAC supplements this collaboration by producing and delivering curated intelligence and incident reporting. Our threat analysts upload high-quality indicators into TruSTAR, our intelligence management platform. Members share information through TruSTAR and can easily integrate intelligence from TruSTAR into their internal security tools. Taken together, the resources and tools provided through the IT-ISAC are an essential, cost-effective supplement to members’ corporate security teams. Because of the effectiveness of information sharing forums, to the extent possible, the Federal Government, through public policy and the procurement process, should encourage and reward companies that participate in information sharing forums such as the IT-ISAC.
The IT-ISAC has a long history of providing thought leadership on pressing critical infrastructure public policy issues. We look forward to engaging with the relevant government agencies in developing the details to implement the Executive Order on Improving the Nation’s Cybersecurity. To do this, we established a member working group to collect feedback, insights, and analysis. Given the scope of the Executive Order, we focused our discussion primarily on the information sharing components.
While recognizing mandatory reporting requirements will be limited to IT and OT providers who have contracts with U.S. Federal Government departments and agencies, the EO nonetheless creates a mandatory cyber reporting framework. This represents a significant shift from previous long-standing policy, which had encouraged voluntary sharing. The implications of this shift are not yet fully understood. Some specific questions we have include:
● How is the shared information protected from public disclosure? Under current law, sensitive information voluntarily shared by industry with the U.S. Federal Government is protected from public disclosures under certain conditions. However, to receive this protection, information must be shared voluntarily. Information that a company is required to report is generally excluded from these protections. It is important to clarify whether information that a company is required to share under the EO will be protected from public disclosure.
● How is the information secured? In addition to concerns about the public release of this information noted above, this information would be of high interest to criminal groups and nation states. The information would be highly sensitive and could reveal information about vulnerabilities within specific software or enterprises that might not be publicly known. Many government agencies are ill-prepared to defend such information from being accessed through a cyberattack. There also is concern about the intentional and unintentional unauthorized disclosure of this information. It is important that Federal departments and agencies be issued guidance on how to defend this information from unauthorized access.
● How will information be shared/used within the government? The Executive Order envisions the sharing of submitted information throughout the Federal Government. It is unclear as to what limitations, if any, there will be on this sharing within the Federal Government. Will every federal agency have access to incident reports? We suggest that there be guardrails to prevent the government from imposing or developing regulations based on the information that is shared. Provisions exist under the current information sharing framework that prevent shared information from being used to develop regulations, and we encourage the government to extend these protections to information shared under this framework as well.
● What is the scope of required reporting? The Executive Order requires government agencies to develop rules that require contractors to “share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted . . .” Since companies experience attacks every day, it is important to better define and scope these requirements so that they do not overwhelm agencies or industry with unnecessary reporting. Will companies be required to report all attacks on their networks, even if they are routinely blocked? Will a company be required to report to the government confirmed or unconfirmed vulnerabilities that have no fix? Providing clarity on what constitutes a potential cyber incident will be extremely beneficial.
● What are the penalties for non-compliance? IT-ISAC members always intend to adhere to the terms of their contracts and legal obligations. However, complying with regulatory regimes can be complicated. This is especially the case for new programs. As such, it is important that these requirements be rolled out in a way that gives companies time to develop internal compliance structures and that the penalties for non-compliance be reasonable and clearly articulated.
In addition to the above questions, we offer some additional thoughts for consideration as the process for implementing the Executive Order moves forward.
Currently, most cyber threat information sharing with DHS is through CISA. Whether information is shared directly by a company or through an ISAC, the national framework has been that CISA collects, analyzes, and shares information throughout the federal enterprise and with stakeholders. Having this focal point provides numerous efficiencies. Under the new model, however, companies would be required to share with all potentially impacted government agencies in addition to CISA.
This has the potential to be costly and burdensome to both industry and government. Most federal agencies, including CISA, are ill-prepared and lack resources to intake, process, and evaluate information that is shared with them. Resources (time, money, qualified people) are always constrained. The implementing regulations should consider this and account for both the economic cost of the reporting requirements as well as the potential that these costs divert funding from other security investments.
For example, there are costs for government agencies to set up processes and procedures to intake, analyze and share submissions. Likewise, the costs to companies of establishing internal compliance structures will not be insignificant and could be substantial. Without clearly defined and scalable reporting requirements, there is a risk of overloading federal agencies with more information than they can process. If this is the case, then this would not represent an efficient use of limited resources. To the extent possible, there should be a common, efficient process for reporting to government agencies, and clearly defined triggers for what needs to be reported.
Another area of concern is that the information sharing requirements of the EO are one-way—industry reporting to government. If government will impose a requirement that industry share incident information, which requires industry to re-allocate scarce resources for compliance, then government has an obligation to share valuable information in return. The lack of guidance on how government will provide useful analytic products in return is concerning. As one example, IT-ISAC members have been impacted by experiences in which information that was not shared with them was leaked, creating potential zero-day issues that put end users at risk.
Finally, given our own role in incident response and collaboration, the development of an NTSB-like Board for reviewing cyber incidents is intriguing. Identifying lessons learned and implementing corrective actions is a sound practice that responsible companies follow after any incident. However, it is unclear what would trigger the activation of the NTSB-like review. Fortunately, catastrophic airline accidents are rare. However, cyber incidents occur on every network every day. It is important that this board only be activated for the most serious incidents with national level consequences. In addition, unlike the traditional NTSB, which has a slow, deliberative process, to be effective this cyber-Board must be fast and actionable. We also suggest the Board institute rules that protect confidential corporate information of companies who might be victims of the attack that is being investigated.
The IT-ISAC has been committed to engaging with our members and government for the common purpose of enhancing global cybersecurity. We remain committed to this mission and look forward to our continued engagement on these important matters.