Last week I attended a breakfast seminar in D.C. titled “Exploring Models of Cybersecurity Threat Information Sharing for Critical Infrastructure” that was sponsored by Hunton & Williams and MITRE. While I’ve attended numerous other talks on information sharing, this one had a number of interesting insights that are worth noting. The panel first highlighted some of the challenges and then noted opportunities for improvement. Among the improvements is to make the information more actionable. An interesting take on the phenomenon of numerous private sector entities collecting and selling threat data is the notion that the market should really be in the analysis of the data rather than the raw data. The analogy was to the weather, where anyone can look out the window and see the current weather, but the real value lies in being able to forecast it. Similarly, companies should be competing to see which one can best predict where hackers are going to strike next and the severity of the damage, based on threat data that is freely shared. Moreover, making this data available is particularly valuable to small- and medium-sized entities, which, unlike large organizations, do not accumulate lots of threat data simply by running their own operations. Large businesses have less need for the data because their internal operations already see it, and small companies frequently cannot afford it.
Along the same lines, I also wanted to put in a plug for the Industrial Control Systems Information Sharing and Analysis Center (ICS-ISAC) being stood up by Chris and Brad Blask, Chris Shepherd, and several others. The goal is to be the private sector counterpart of the Department of Homeland Security Industrial Control Systems Computer Emergency Response Team (ICS-CERT). What has become clear is that sector-based ISACs covering electricity, water, oil and gas, and others have not completely met the needs of the larger industrial control system community, where products span all these sectors. Moreover, the goal is to offer analysis and data on industrial control system vulnerabilities and threats in a form that asset owners can act on, by providing machine-readable feeds that can be incorporated into security information and event management (SIEM) tools, intrusion detection systems (IDS), and other security protection devices. The hope is to foster a more dynamic community by clearly articulating the kinds of information that asset owners need, and ideally to provide a markup language that can be used by all kinds of information-sharing organizations and even within organizations.
Stay tuned for more on this topic. We’re proposing a session for the RSA Conference in San Francisco next February. We hope to have lively discussion about all these issues.