New guidelines for information sharing and analysis organizations highlight the need for these institutions to have plans in place to fund themselves, but offer little advice about how to generate revenue.
The guidelines were published Friday by the ISAO Standards Organization, led by the University of Texas—Austin. They’re the result of “collaboration by more than 160 experts from industry, government, and academia, combined with the input and feedback of the public,” according to the organization’s Executive Director Greg White.
In a blog post, Deputy Director Rick Lipsey calls the guidelines a “critical milestone” in the Obama administration’s push to extend cyberthreat information-sharing beyond the 1990’s-era machinery for a limited number of vital national industries and into the private sector economy as a whole.
“ISAOs are structured to adopt this concept of collaborative cybersecurity and scale it beyond critical infrastructure sectors to meet the needs of any community of interest: private or public, large or small, geographic or sector-based,” Lipsey wrote.
The push for ISAOs started after the high-profile hack of Sony Pictures Entertainment in 2014. Officials realized that although the attack — as an attempt to stop the release of a movie making fun of North Korean dictator Kim Jong-Un — struck at what President Obama called “core American values,” there was no mechanism by which the company might have shared or received information about the attack’s methodology.
A few months later, the president signed Executive Order 13691 — Promoting Private Sector Cybersecurity Information Sharing — kicking off the push to build ISAOs.
Long-standing questions remain about the viability of the cyberthreat “information sharing ecosystem” that ISAO boosters hope to establish.
The Guidelines for Establishing an ISAO suggest that founders consider whether an informal structure might be best to start with.
“It is important to recognize that the vision, goals, and membership of the ISAO may change considerably over time, which may support consideration of starting … with a smaller, less formal organization and making changes to the governance structure as the ISAO evolves and matures.”
But should the ISAO want to collect fees or enter into contracts, the guidelines say a more formal structure might be appropriate — and counsel that founders might want to seek legal advice. “The ISAO and its stakeholders should consider consulting legal counsel to assist in choosing the most appropriate type of legal structure … Decisions on governance structures such as incorporation, boards, and not-for-profit status require knowledge of local, state, and federal laws.”
The guidelines also discuss the need to “demonstrate membership return on investment,” and to “carefully evaluate their assets, expenditures and revenue.”
“Today’s publications provide the cornerstones to build out an information sharing ecosystem at unprecedented scale,” said Lipsey, “However, they are just the beginning … We anticipate updating and expanding these guidelines based on feedback from their implementation.”
Last week, the Standards Organization launched two other initiatives on isao.org to support the growth of a cyberthreat ecosystem. The National Registry of ISAOs aims to get the organizations to list themselves for fellow ISAOs and members of the public; and the Resource Library is an online repository for a curated set of relevant documents and other resources.