Skip to content ↓ | Skip to navigation ↓

A while back, I wrote about the value of information sharing, and the role of ISACs (Information Sharing and Analysis Centers) – see “The Bad Guys Are Winning: Information Sharing And Asymmetric Advantage.” I’m a huge fan of this model for sharing information about cyber threats.

A shining example of an effective ISAC is the Financial Services ISAC (FS-ISAC), but one of the lurking questions about their work is whether they are violating any anti-trust regulations in the US. Having worked with them, it was my opinion that they weren’t doing anything that felt like anti-trust, but I’m not a legal expert.  By the way – the ICS-ISAC, which deals with Industrial Control Systems, recently showed its value in an attack on the US Utility Control System infrastructure.

Carry On Sharing

Thankfully, the US Department of Justice (DOJ) and the Federal Trade Commission (FTC) weighed in on the topic of information sharing earlier this year in a joint statement on cyber security information sharing (emphasis is mine).

“Through this Statement, the Department of Justice’s Antitrust Division (the “Division”) and the Federal Trade Commission (the “Commission” or “FTC”) (collectively, the “Agencies”) explain their analytical framework for information sharing and make it clear that they do not believe that antitrust is – or should be – a roadblock to legitimate cybersecurity information sharing. Cyber threat information typically is very technical in nature and very different from the sharing of competitively sensitive information such as current or future prices and output or business plans.”

This is good news, as it addresses a common fear amongst organizations that wanted to share threat data with other companies in their business sectors.

ISACs are Taking Off

In addition to the FS-ISAC, and other “general-purpose” ISACs such as the multi-state ISAC and the IT-ISAC, we’re seeing additional industry-specific ISACs forming. These include a couple of competing initiatives to establish a Retail ISAC, and an Oil & Natural Gas ISAC (ONG-ISAC).

I believe that ISACs will become part of “the expected” in today’s climate of threats, standards of care, and “we’re all in this together” attitudes around security.  This kind of peer-led information sharing will become vital in the threat environment we are facing today. Given that many organizations rely on the same or similar electronic infrastructure, sharing information about how to effectively secure that infrastructure helps advance the state of practice for information security much more quickly.

What do you think? Are you part of an ISAC, or thinking about joining one? I’d be interested in your thoughts and lessons learned on this topic – particularly regarding the value you’re receiving (or seeking to receive) from these organizations.

Also, in my next update here, I’ll share something else I learned about applying the concepts from ISACs in a different way.


Related Articles:



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


Title image courtesy of ShutterStock