Legislation has been proposed to provide incentives in the form of a tax credit to organizations who share cyber threat intelligence. The Chairman of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security is leading the Cyber Information Sharing Tax Credit Act, which proposes “to amend the Internal Revenue Code to provide a refundable credit for costs associated with Information Sharing and Analysis Organizations” (ISAOs). While CIO’s, CISO’s and their threat intelligence and response teams are proponents of sharing threat intelligence data, this legislation speaks directly to private sector management teams by providing financial incentives.
An important aspect of this bill is that it stipulates the sharing medium is via an ISAO. Some argue that there isn’t much difference between and ISAO and an ISAC (Information Sharing and Analysis Center). However, notice that the Department of Homeland Security (DHS) is developing an ISAO standards organization that will “identify a set of voluntary guidelines for the creation and functioning of ISAOs”.
Until ISAOs have the ability to self-certify against guidelines, there will probably be some confusion around how to qualify for ISAO-based tax incentives. Also, many private sector cyber defenders are already participating in collaborative communities and on private listservs — sometimes without corporate backing. It will be interesting to see if these existing sharing circles can transition to ISAOs, so that corporations could benefit from the prospective tax credits.
The bill identifies three sharing costs that may qualify for credit:
- ISAO membership dues;
- Participation costs; and
- Products and services related to sharing information with the ISAO.
While I am encouraged to see cyber threat intelligence (CTI) sharing being addressed by legislation, and know that greater threat awareness is the result of organizations working together, this legislation seems to assume that private sector companies are already producing and consuming effective CTI. I think this might be a fallacy. While I believe the tax credit incentive may help drive sharing of threat intelligence and might even offset some cyber threat intelligence costs, organizations can’t share what they don’t have. Most private sector companies including small to medium sized businesses and Fortune 1000 companies struggle with resources to adequately address compliance and/or basic Internet security hygiene, so sharing CTI is a stretch. That said, incentives should increase awareness and encourage the adoption of threat intelligence platforms that enforce CTI development best practices and simplify sharing.
There are many examples that illustrate gains associated with “Crowd Power”. Our hope is that this legislation along with other incentives will produce widespread CTI sharing. After all, without a shared understanding of a threat, we will not be fully prepared for its advances. If we come together as a community and combine our strengths, we can collectively stop sophisticated cyber threats.
Is sharing legislation needed? I strongly believe that any incentive that encourages organizations to join and participate in ISAOs and/or provides cyber defenders with services and products to work together is a great step forward. However, additional legislation is needed, perhaps, to address risk (real or perceived) to organizations that share CTI. Standards need to be developed that address ISAO qualifications, and metrics will be needed to quantify sharing contributions for monetary-based rewards.
I will anxiously follow this threat intelligence sharing bill and other emerging cyber security legislation, along with forthcoming cyber security insurance initiatives. I am excited to take an active role in a series of ISAO workshops being held by DHS over the coming months. I hope to see you there!
ThreatConnect offers no cost Community accounts for both individual researchers and organizations who want to develop or enhance their cyber threat intelligence. Our aim is to empower the entire business community, from less resourced organizations to enterprise sized SOCs across globe, and ISACs and ISAOs, with cyber threat intelligence production and collaboration capabilities.
If you are interested in learning more about ThreatConnect Communities or our ISAC/ISAO Edition, please go to our Communities page or sign up for an account today. Current users can request to join a Community directly within the ThreatConnect Marketplace.
Christy Coffey is the Director of Business Development and Communities Evangelist for ThreatConnect. Christy has worked in the information technology industry for 25 years. After spending 15 years with EDS (now HP) designing and building systems for Fortune 100 customers, Christy applied her technical background to business relationship management across the telecom, defense, and security industries. She has served as a Client Services Director for a start-up and the Security Management Program Director for a large not-for-profit industry association. Christy holds a degree in Computer Science, and is working toward an MBA with a concentration in Cyber Security from the University of Dallas. Professional achievements include two Computerworld Honors Laureate Awards, a General Motors President’s Award, and has been awarded a patent for software developed while at Verizon. She has been married to her high school sweetheart for 25 years, has a son, daughter, two dogs and calls Texas home.