Cyber Threat Intelligence Information Sharing Exchange Ecosystem

The cyber threat intelligence information sharing exchange ecosystem program (CyberISE) consists of a number of related projects, all with the goal of enhancing America's and the world's network security posture through the accelerated adoption of automated threat intelligence sharing.

Participation in the program draws from interrelated, yet autonomous, entities:

  • Enterprises and end users, whether or not they are currently under attack or have noticed unusual host or network behavior, that wish to keep their own networks safe and operational;
  • Organizations responsible for operating secure networks and systems, in both the public and private sectors, that have a mandate (public sector) or contract (private sector) to keep others’ networks safe and operational;
  • Information-sharing organizations that produce, collect, analyze, vet and distribute cyber threat intelligence on behalf of their stakeholders, both as a proprietary business and as a community resource, such as the ISACs; and
  • Vendors of cybersecurity products and services.

We look across the entire cyber threat intelligence sharing ecosystem to understand what is needed, and what is feasible to obtain, in order to enable the efficient exchange of actionable intelligence. There are multiple technology efforts under way in the IETF, ITU-T, IEEE, and OASIS. These efforts are interrelated but have already produced incompatibilities, and many of them overlap. The result is confusion and some resistance on the part of vendors, enterprises, and others about what to implement and how to move forward.

The ultimate goal is for automation and standardization in this area to transform how we monitor, detect, share, react to, and remediate cyber threats. It also needs to be acknowledged that this transformation could be unsettling to enterprises that may need to change how they operate and to vendors whose business models may need to change. To ensure adoption, we need an understanding of the parties’ incentives and market positions, so that we can best help the ecosystem as a whole adopt this transformational technology.

A common ecosystem is within grasp, but all stakeholders need to be comfortable that it supports their policies, even if they are not willing to be completely forthcoming about the policy details. Moreover, cybersecurity crosses enterprise, network, and national boundaries, so solutions to the cyber threat intelligence sharing problem must be mindful of the different policies and laws on information sharing within industries as well as across national boundaries. Exploring international norms for the sharing of data, together with the technical means to make that sharing happen, is therefore necessary. As important as the technology and standardization are, this is an inter-jurisdictional policy problem, which rules out most standards bodies as a venue. Not only does this problem span agencies, it spans governments and industry verticals. This key reality is the driver of this work effort.

The Security and Software Engineering Research Center (S2ERC) at Georgetown has a track record of aligning industry and policy, interconnecting diverse stakeholders, with strong government and international engagement. The S2ERC is a vehicle for performing the necessary technology, policy, legal, and economic research to realize cyber threat intelligence information sharing.

Government mandates for this work include the President’s Executive Order 13636, Improving Critical Infrastructure Cybersecurity; Presidential Policy Directive 21, Critical Infrastructure Security and Resilience; Public Law 114-113, Consolidated Appropriations Act, 2016; and the President’s Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing.

S2ERC project affiliates participate in the formulation of requirements for the intelligence exchange technology. Today, we have RID/IODEF, TAXII/STIX, OpenIOC, ITU-T, and IEEE efforts for information exchange. However, we do not have requirements. Without requirements, we cannot evaluate the different technical directions. Moreover, we cannot determine the starting point and venue to rally industry behind a single technology for cyber threat intelligence sharing. To formulate the requirements, we need to understand the legal, policy, and economic issues. Georgetown is providing the venue and subject matter experts to work on these tasks. Members are expected to participate in the process by contributing their expertise and experience as well. There is no minimum expectation for ‘wetware’ contribution. A member can pay for participation and simply monitor our progress. However, the most value for the members and the community comes from member participation. S2ERC membership entitles the member to fund other projects as well as the projects in this program.

NOTE TO AFFILIATES

To access the program wiki, you will need a Georgetown University NetID. See the process described at the SUA Web page. [For the security-minded, do note that the page is hosted at google.com, not georgetown.edu.]

PROJECTS

  • Taxonomy for CyberISE (complete - results presented at WISCS)
  • Thesaurus for CyberISE (underway)
  • Legal Issues in CyberISE, US (complete)
  • Legal Issues in CyberISE, global (underway)
  • Intelligence Exchange Economic Study (complete - results published at S2ERC)
  • Intelligence Exchange Requirements
  • Intelligence Exchange Survey
  • Intelligence Exchange Gap Analysis - technology