What is an ISAC or ISAO? How these cyber threat information sharing organizations improve security

Information Sharing and Analysis Organizations were created to make cyber threat data and best practices more accessible than with Information Sharing and Analysis Centers, but results are mixed.


ISAC and ISAO definition

An Information Sharing and Analysis Center (ISAC) is an industry-specific organization that gathers and shares information on cyber threats to critical infrastructure. ISACs also facilitate the sharing of data between public and private sector groups.

ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. Besides being sector specific, most ISACs are comprised of large companies with a different set of priorities and challenges than a vast majority of smaller organizations and entities, according to Michael Echols, CEO of the International Association of Certified ISAOs (IACI) at the Kennedy Space Center.

Many ISACs are well resourced, come with membership fees and have infrastructure and full-fledged security operations centers for monitoring threats on a global scale. The National Council of ISACs currently lists 21 member ISACs including those for the financial, automotive, energy, aviation, communication and defense industrial base sectors.

Information Sharing and Analysis Organizations (ISAOs) are the result of a White House directive to promote voluntary cyber threat information sharing within industry sectors. In February 2015, President Obama signed an executive order directing the U.S. Department of Homeland Security (DHS) to encourage development of ISAOs for private companies, non-profits, government departments, and state, regional and local agencies.

The executive order established limited liability protections for organizations that voluntarily share threat intelligence with each other and the government via these venues. In October 2015, the University of Texas at San Antonio (UTSA) was tasked with identifying a set of standards and guidelines for creating and operating ISAOs under a grant.

Since the directive was signed, several organizations in multiple sectors have voluntarily created ISAOs for sharing information and best practices on cyber threats and mitigation. However, the broad and pervasive information sharing among organizations of all sizes and across all sectors that was originally envisioned has not quite happened yet for multiple reasons.

Why ISAOs are needed

The goal in promoting ISAOs was to make it easier for all organizations to share threat information and not just those belonging to ISACs, says Echols, who at the time was director of the Cyber Joint Program Management Office at the DHS and led the implementation of the executive order.

The evolution of ISACs has been somewhat exclusionary, Echols says. "There were a lot of large organizations that participated in information sharing and who had access to government while many other companies didn't even know these practices existed," he says. "The idea behind ISAOs was to promote and allow any group of companies or organizations or entities to work together to share information."

Security experts have long noted that threat info sharing can enable better situational awareness and help organizations across sectors identify common threats and ways to deal with them far more quickly. "On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value," to their efforts, Echols says.

In the more than four years since the ISAO executive order was signed, some progress has been made towards broader information sharing among private companies. Several ISAOs have been established and are currently engaged in relatively robust information sharing activities akin to what is going on within ISACs, Echols says. Some examples of the more active groups include the Metal and Mining and Maritime and Port Security ISAOs, he says.

The ISAO Standards Organization at UTSA, in collaboration with existing ISACs, critical infrastructure organizations, agencies and public and private stakeholders, has identified voluntary standards and guidelines for standing up and operating ISAOs. This includes examples of contractual agreements, business processes, technical specifications and operating procedures that any organization can use to establish an ISAO. The IACI offers what it calls ISAO in a Box, which gives organizations step-by-step guidance on planning, building and operating an ISAO.

Some ISAOs see big wins

Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO) says information sharing of the type enabled by the executive order is critical. "We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle," she says.

The MPS-ISAO itself was founded in 2016 and its cybersecurity intelligence and information sharing service launched in the summer of 2017. Members of the ISAO include ports, vessel operators, and rail operators along with organizations that provide services and products to the maritime industry. 

In the two years the ISAO has been operating, the focus has been on providing what Coffey describes as actionable intelligence and identification of malicious groups targeting ports and maritime activity. Information being shared in the group includes everything from rogue email and IP addresses to best practices and equipment vulnerabilities.

"We've had some incredible wins which are the result of customer information sharing, backed by quality analytics," Coffey says. Some recent examples include identifying ransomware in a shared email and notifying others in the ISAO within minutes and developing a blocklist from customer-shared IPs that reduced unauthorized login attempts by over 99%. "Without information sharing there would be no insight," she says.

Activity levels among ISAOs vary

The ISAO Standards Organization currently lists more than 70 groups that it describes as being engaged in some level of information sharing activity. The list includes both sector-specific ISACs and the newer ISAOs that might be based on faith, geography or roles such as corporate directors and officers.

Greg White, executive director of the standards organization at UTSA, says the level of activity among these groups tends to vary. "Some of them are very capable and others that are minimally functioning in an information sharing capacity," he says. "What an ISAO does depends on its membership and what its purpose is."

The liability protections available to members of ISAOs have gone a long way in helping private companies get over concerns about sharing information with others, White says. Some ISAOs share little more than email lists, while at the other end of the spectrum some ISAOs handle such sensitive information that they have so-called traffic light protocols in place for ensuring the information is handled appropriately. "Information sharing is not sector specific anymore. Every city and community in the nation should have an ISAO," he notes.

Lack of trust, funding limit growth of ISAOs

Getting there could take a while. Many organizations that have tried to launch an ISAO have run into issues over how to fund it, how to continuously show value to executives, and knowing who to trust, Echols says. For organizations to engage in true information sharing, there needs to be a high degree of trust among them. They need to know that any threat information they share in an ISAO will be handled appropriately. That kind of trust can be hard to obtain when setting up a new ISAO.

When you start bringing together tens and hundreds of organizations where the people don't know each other, the information sharing organization has to act as that trusted broker, says Jonathan Couch, senior vice president of strategy at ThreatQuotient. "They have to protect the anonymity of each organization that is sharing information and they should be providing the filter by which the information being shared is specific and relevant to the industry sector."

The government has to play a leadership role in fostering trust among private companies, Echols notes. It could be something as simple as setting basic security requirements for vetting entities that want to join an ISAO or through requiring official registration of an ISAO body, he says.

Another issue is a lack of awareness of ISAOs and the value they can bring in terms of improved cybersecurity. "We spend a lot of time educating a lot of companies and organizations," Echols notes. The government itself has done little to promote ISAOs at a national, state or regional level. The elimination of a cyber coordinator role within the White House has exacerbated the problem, he says. Most organizations have never heard of an ISAO. They seldom have even heard of an ISAC, he says. 

"If development of ISAOs doesn't happen now, at some point it is going to have to happen," he says. "All we are doing for the moment is wasting time."


Copyright © 2019 IDG Communications, Inc.
