ISAOs: Private Corporations' Mutually Beneficial Relationship with DHS
For the past decade the Department of Homeland Security (“DHS”) has had domestic private corporations at the crux of their national security agendas. In April 2005, DHS announced their “Homeland Security Intelligence & Information Fusion” initiative. This reaffirmed the goal of identifying immediate and long-term threats in the form of either cyber attacks or cyber espionage, the former being the catalyst for developing the private sector Information Sharing and Analysis Organizations (“ISAO”).
These ISAOs are made up of a variety of different private sector companies with the intention of sharing information regarding attempted and/or successful cyber attacks on the members’ businesses. These groups are formed voluntarily by its members and operate with the sole purpose of improving the government and private sector’s awareness to growing cyber threats and implement software to combat it. The ability to form and regulate these ISAOs are rooted in 6 U.S.C. § 121; however, additional legislation and, most recently, executive orders have firmly defined DHS’s capabilities.
The 2015 Executive Order, which expanded off of Executive Order 13636 that was implemented in 2013, expand DHS’s authority to organize, monitor, and directly act within both the ISAOs and the corporations that comprise them. Through this law, DHS is able establish a non-governmental organization to set guidelines for establishing ISAOs. This non-governmental organization will also be able to provide clearance to corporations who are under a designated critical infrastructure.
Once granted clearance, DHS will then has the capability to directly interact with the private corporation’s computer systems to implement new safety features to protect the business and gather network breadcrumbs regarding the attack.
By extending DHS’s capabilities to now directly interact with these critical infrastructure networks, the intent is to reduce to concern about having DHS employees coming into these networks by outlining what can and cannot be done. However, with FISMA, the two executive orders, and additional legislation presently being discussed, it seems that the beneficial nature of these ISAOs have yet to be realized. This is true both on DHS’s side as well as the corporate entities’ side. The Acts specifically state that this is a voluntary organization and solidify DHS as a regulating entity to monitor and measure civilian and government cyber security matters.
Therefore, any benefit resulting from these cannot be achieved with out concerted efforts of private corporations acknowledging the growing risk to cyber security infrastructure and participating in their industry’s ISAO.
In addition to the benefit to the national security cyber infrastructure that is achieved by identifying key threats presently attacking the corporate world, FISMA and the February Executive Order also serve the purpose of holding these corporations accountable. While this may seem like a disincentive for a corporation, in so far as they would be voluntarily subjecting themselves to further checks on their systems, DHS’s authority now extends to the degree that they can actively improve these flawed corporate systems.
Furthermore, DHS’s authority has been extended to provide these corporations with the tools needed to actively determine the security levels of their systems by running frequent diagnostic tests. DHS may now provide software that relays how different areas of the company are doing, which then rolls up into a larger dashboard configuration that DHS utilizes to monitor multiple areas of the industry.
All of these new authorities are partly designed to address the concern raised by some of the corporate entities who wished to join and ISAO but existed in an industry not deemed to be a “critical infrastructure,” such as large law firms, but still suffered risk of cyber attacks. Another issue the legislation was meant to address was the problem of DHS having their hands tied when it came to improving the ISAO members’ cyber systems. Now they are able to create guidelines of best practices for these industries, monitor systems for potential risk, implement changes/improvements in these corporations, and then subsequently utilize the implemented improvements to benefit cyber security government wide.
Lastly, the fear of corporations about releasing information to these ISAO groups is settled by the February Executive Order because it mandates that any information shared within these ISAOs must remain confidential and not released to the public. This now solidified requirement and also reduced the private sector’s concern regarding the possibility of appearing as though they are ill prepared to defend their clients from cyber theft. A fear partly inflated by the most recent Sony and Target hacks making cyber security a looming threat on a large number of consumers.
All that being said, these ISAOs can potentially do great things for the country as well as corporate business, but additional legislation seems to be inevitable to expand the incentives and authority of DHS further to enforce these guidelines and best practices. Especially when considering that these system measurements are only confined to those companies that voluntarily join these regulatory-esk organizations.