Five Takeaways From the ISAO Conference

Thursday, February 18, 2016 - 1:30pm

For those of you who missed the ISAO (information sharing and analysis organization) conference in San Antonio, here’s a quick look at what you missed and the challenges and opportunities that lie ahead.

About a year ago, President Obama issued Executive Order (EO) 13961, which urges private-public cybersecurity collaboration through the development of ISAOs. The EO directed the Department of Homeland Security (DHS) to fund a standards organization (SO) to create a set of voluntary standards for ISAOs. Last fall, DHS awarded a five-year grant to a group from the University of Texas–San Antonio, LMI, and the Retail Cyber Intelligence Sharing Center to lead the ISAO-standard effort.

Here are five key takeaways from the conference:

First, does the ISAO initiative track with CISA implementation? This is a crucial question for the U.S. Chamber and members of the Protecting America’s Cyber Networks Coalition to consider. ISAO development and CISA implementation are progressing side by side, but questions about the two work streams remain. How are these efforts integrated? Are they pushing the same message to industry about information sharing? Will work products complement each other? It would be helpful if DHS leadership addressed the next public meeting.

Second, an ISAC is an ISAO, but an ISAO isn’t an ISAC. The EO was meant to encourage the development of ISAOs that would complement the existing ISAC structure by extending information sharing across a region or in response to a specific, emerging cyber threat. The ISAO development effort needs to answer the following questions: What is an ISAO? How do ISAOs differentiate themselves from a growing ISAC network? How will ISAOs create a low barrier for participation so that small and medium-size businesses are incentivized to engage? The continued participation of ISACs (e.g., FS-ISAC, ES-ISAC, and NH-ISAC) in the ISAO development process could be pivotal.

Third, timelines for work products were announced. SO leaders announced that a written document will be released for public comment in September 2016, with the first drafts available for comment in July. Working groups are likely to produce their own products for review, some as early as next month.

Fourth, working groups and working group leaders were announced. Attendees were introduced to the six working groups and their leaders.

During small group sessions, working group leaders described how the groups would function (e.g., committees, potential products, timelines, and future meetings).

How to get involved: If you are interested in signing up for one of the working groups, the SO encourages you to visit its website and submit an application. If you have already done this, and haven’t heard from your working group, email the SO at

Fifth, could waning industry participation imperil the ISAO effort? The conference drew approximately 75 attendees, down from 150 at the first meeting. Increasing participation remains a challenge.

The SO should make it easier for industry to participate by sharing dates, times, and locations of working group meetings. The next ISAO conference is expected to be on the West Coast in April or May.

Despite lower attendance, there was general consensus among attendees that the second public meeting was better than the first—in terms of substance and conversation. Organizations looking to promote information sharing in their sector or supply chain should be encouraged by the progress being made and commit resources to supporting the ISAO development process. Creation of voluntary, industry-led information-sharing organizations may help raise the nation’s defenses and create more resilient networks.

-- Vincent Voci