In today’s world of cyber attacks against companies, the idea of sharing information between companies on cyber developments and incidents is becoming more critical.  However, there are some barriers in place, both from a legal perspective and from company perspectives, to sharing information.   

Companies know that information sharing about the latest cyber developments or cyber incidents in their industry needs to be disseminated to as many industry members as possible and as quickly as possible.  By doing this, a company is not dealing with cybersecurity alone, but with their partners in industry.    

Information Sharing and Analysis Centers (ISACs) help critical infrastructure owners and operators protect their facilities from cybersecurity threats and other hazards. ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.  While most ISACs have been established since 2005, there are some ISACs dating back to 1999.   

ISACs are concentrated around critical infrastructure.  There are ISACs for the financial services industry, water, electricity and more.  A number of AFPM members belong to the Oil & Natural Gas ISAC

Most ISACs have 24/7 threat warning and incident reporting capabilities, and may also set the threat level for their sectors. And many ISACs have a track record of responding to and sharing actionable and relevant information in a timely manner.   

Last year, a new group for sharing cybersecurity information was started, the Information Sharing and Analysis Organizations or ISAOs.  Unlike the ISACs, ISAOs allow any entity or collaboration created or employed by public or private-sector organizations, for purposes of information sharing.  ISAO’s are of great interest to academia, local government, and those companies who are in more than one critical infrastructure.   

But if there are still barriers in place, both given and perceived, how can ISACs and ISAOs operate?   That’s a question that has been around for some time.  In my next blog, I will discuss the Cybersecurity Information Sharing Act of 2015, otherwise known as CISA and how that legislation faced a bumpy road to passage but brings down many of the barriers to information sharing.