On April 20, Virginia Gov. Terry McAuliffe announced that the state is establishing the nation’s first state-level Information Sharing and Analysis Organization (“ISAO”), intended to enhance the voluntary sharing of critical cybersecurity threat information in order to confront and prevent potential cyberattacks.
In the face of recent high-profile data breaches affecting both private and public entities such as Target Corp. and the United States Postal Service, the need for an efficient and effective way for entities to share cybersecurity threat indicators and deter future attacks is increasing. Currently, much private-sector information sharing is conducted through Information Sharing and Analysis Centers (“ISACs”), which limit the sharing of information on cyber threats and analysis to a specific sector (e.g., financial services, retail, energy, aviation, etc.). By expanding the current model, ISAOs have the potential to encompass the needs of all industry groups, both public and private.
In a statement on April 20, Gov. McAuliffe said, “Virginia’s ISAO is our logical next step in building on the outstanding work of the Virginia Cyber Security Commission, Virginia Cyber Security Partnership, Virginia Information Technologies Agency, and the cybersecurity efforts of so many other public and private sector partners throughout the Commonwealth.”
The state’s announcement comes just months after President Obama issued an executive order, directing the Department of Homeland Security to encourage the creation of ISAOs for collaboration among public and private sector entities.
Many companies have been reluctant to share cybersecurity threat information with federal or state governments, because of concerns that it may draw civil litigation. Proposals before the United States Congress could, if passed, offer targeted liability protection to companies that participate in approved exchanges.
Virginia Secretary of Public Safety and Homeland Security Brian Moran will serve as advisor to Gov. McAuliffe, who will be working alongside federal, state and other cybersecurity partners to help develop standards and best practices for information sharing with the private sector, and abide by certain standards to protect privacy and civil liberties.