ISAO Challenges

November 12, 2015

Earlier this week, on 9 November, at a public location outside Washington DC, a U.S. Department of Homeland Security-sponsored Initial Public Meeting was held for establishing Information Sharing and Analysis Organization (ISAO) Standards. After some initial speeches by DHS officials, the contractor hosting the meeting described the effort and sought to gather information and ideas from the more than 50 attendees.

At the outset, the organizers conveyed a schedule of multiple meetings for newly formed working groups over the next several months, leading up to September 2016, when an initial set of “ISAO Standards” would be published. Both the terminology and the process are odd ones; they are found in White House Executive Order 13691, which was enacted last February and forms the basis of the initiative.

“[DHS will] enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization (SO), which shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs.”

An academic centre at the University of Texas at San Antonio was awarded the contract. It in turn partnered with a Washington area government contractor, LMI, and a new startup, the Retail Cyber Intelligence Sharing Center (R-CISC), to undertake the activity. The 9 November meeting – to begin exploring the most basic elements of the Executive Order-based initiative – was occurring nine months after the Order was signed, and even the most basic mechanisms such as a website and email lists are not yet functional. The substantive challenges became obvious from the outset.

Jurisdiction, Authority, and Purpose

Before the initial speakers finished, someone from the audience intervened and raised a key issue that resonated in subsequent dialogue throughout the day. She asked why the meeting and its activities were not published in the Federal Register, since they constituted public policy making under the Administrative Procedure Act (APA), which requires such notice. No answer was given, although the implied answer was that the standards being published were voluntary. Indeed, the word “voluntary” was repeated profusely by the speakers.

The answer, however, led to further dialogue in the breakout sessions concerning a rather fundamental question – what is the purpose of ISAOs and of the “standards” development activity being pursued under the initiative? Only two answers seemed to exist: liability protection potentially being conferred by the Federal Government, and the ability to interconnect with the unified U.S. government ISAO known as the NCCIC (National Cybersecurity and Communications Integration Center). However, the liability protection is only “potential” at this time because it is contingent on draft legislation presently before the U.S. Congress, known as the Cybersecurity Information Sharing Act of 2015, providing it.

The conundrum is that the Congressional Act exists entirely independently of the White House-directed ISAO formation activity under the Executive Order. That Act does confer liability protection, but as presently drafted, Sec. 108(f) of the Act declares that “nothing in [the Act] shall be construed…to require the use of the capability and process within the Department of Homeland Security developed under section 105(c)…by which the Federal Government receives cyber threat indicators and defensive measures.” Furthermore, the Act would require extensive “public notice of, and access to the capability and process developed and implemented.”

So the initial threshold challenge in establishing any “standards” for the formation of ISAOs is the rather unclear jurisdiction and authority for doing so when the basis is an Executive Order to a Federal Agency that is outsourced under a contract to a private organization. Some precedent for such action exists, for example in the form of the Communications Assistance for Law Enforcement Act (CALEA), but there the authority is found in statutory law rather than an Executive Order, and a designated regulatory agency (the FCC) undertakes an APA-compliant regulatory proceeding. Indeed, once the Cybersecurity Information Sharing Act of 2015 is passed, a new standards-making activity seems likely to ensue, and the need for the Executive Order-based “ISAO standards” activity would be moot. Noteworthy is that a Congressional Research Service report released a few days ago, on 6 Nov 2015, Cybersecurity and Information Sharing: Comparison of House and Senate Bills, also raised this issue.

Lastly, and additionally significant, no extraterritorial jurisdiction exists here, so anything developed has force and effect only in the United States. Thus, the orientation of the initiative at present is entirely focused on U.S. ISAOs in a world where the cyber threat intelligence sharing needs are global.

Diversity and extent of existing “ISAO” activity

Diverse organized threat sharing and analysis activity has existed for many decades – especially in the electronic communication and related IT sectors. That activity increased significantly in the 1980s as the threats scaled when telecommunication operators converted to connectionless protocol signaling networks, and the TCP/IP Internet failed because of the Morris Worm propagation in 1988. It also became apparent that the increasing complexity and production dynamics of IT devices and systems resulted in an inevitable proliferation of exploitable vulnerabilities.

The 1990s were marked by the emergence of diverse ISAOs that ranged from the FCC’s creation of its Network Outage Reporting System (NORS), to the Department of Energy’s CIAC, to Computer Emergency Response Teams (CERTs) of all kinds, including an international mechanism, FIRST (formerly known as the Forum of Incident Response and Security Teams). Over the next 25 years, an extensive ecosystem of diverse, autonomous ISAOs has emerged. These range from formal structured industry bodies and government agency centers, to private sector commercial third parties, to vendor product development groups, to structured hacking communities and conferences. The latter now occur very frequently and are typically attended by many thousands of people, with hundreds of presenters competing for visibility and fame in sharing some elusive new threat to exploit. Major commercial software vendors receive dozens if not hundreds of reported threats per day. Organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) span the globe and collaborate internationally. ISAOs also exist in many of the 193 nations of the world, as several score have now promulgated national cybersecurity strategies and engaged in global collaboration.

All of this activity also begat the development of standards for acquiring, structuring, analyzing, and exchanging threat intelligence among numerous global industry standards development fora such as the IETF, MITRE, Council on Cybersecurity-CIS, FIRST, NATO, ITU‑T, OASIS, 3GPP, CCDB, NIST, and ETSI, among others. Indeed, an international standard for ISAO identification and discovery, in the form of Rec. ITU-T X.1570, was adopted four years ago. Today, as threat information sharing standards activity has proliferated, one of the most significant sources of concepts and specifications arguably derives from MITRE’s considerable collaborative standards development work over the decades.

It is into this vast and dynamic existing ISAO ecosystem that the DHS initiative under EO 13691 now treads in an effort to develop “standards.” An obvious key question is exactly how it is possible – given what exists today – to develop a “common set of voluntary standards or guidelines for the creation and functioning of ISAOs.” An equally obvious answer is that this task is not really possible, or perhaps even relevant. Furthermore, if the Cybersecurity Information Sharing Act of 2015 becomes law – which may well occur soon – the predicate for this ISAO standards initiative essentially disappears.

Still, there is some useful work that could be accomplished. For example, a structured articulation of the diverse ISAO ecosystem and its attributes is needed. At present, the only published material approximating such an overview is found in ETSI Technical Report 103306, CYBER; Global Cyber Security Ecosystem. It could benefit from a focus explicitly on ISAOs. Further development and expansion of that material, together with a global means to discover ISAOs and their attributes, seems valuable.

As the principal communities developing ISAO standards over the years discovered, the most successful and effective avenues to sharing threat intelligence lay in developing structured models, interfaces, and expressions for sharing the information, rather than in promulgating organizational requirements and certifications. Toward this end, the best-of-breed specifications and even running code developed by DHS US-CERT and MITRE together with the threat sharing industry seem worth special note. That activity and the initial STIX, TAXII, and CybOX products have now found a home in the OASIS Cyber Threat Intelligence Technical Committee (TC CTI), and are experiencing a scaling of involvement.