The American Institute of Aeronautics and Astronautics (AIAA) is the world's largest technical society dedicated to the global aerospace profession.


    Cross-Industry Information Sharing

    Industry information sharing and coordination as a boon to security.

    Information sharing has been one of the most discussed means of improving security within and across industries. Security professionals and policymakers have long called for increased sharing both within industry and between the private sector and government. Dating back to the creation of Information Sharing and Analysis Centers (ISACs) in the 1990s, the sharing of threat and vulnerability information within sectors has been one of the key means of creating better situational awareness within critical infrastructure verticals. Certain sectors, specifically the financial services sector, have long had deep, collaborative sharing relationships through their ISAC, while others are only beginning to develop the institutions, procedures, and trust necessary for fruitful information-sharing relationships.

    In the aviation sector, the Aviation ISAC (A-ISAC) has grown from its creation in 2014 to a robust organization with domestic and international members today. One unique component of the A-ISAC is that its membership includes organizations from multiple industries (manufacturing, logistics, software, airlines) due to the nature of aviation, where the organizations that manage and fly aircraft are different from those that build aircraft.

    Within government, coordinating bodies have helped streamline sharing between security agencies and specific sectors, but challenges remain in ensuring that relevant and valuable information is passed in a timely and secure manner. While intra-sector sharing is critically important given the shared threats faced by peer companies, inter-sector sharing is also of value. Inter-sector sharing allows organizations to share without competitive pressures and to build new collaborative relationships. Technical and institutional tools are emerging that can help create new and innovative means of intra- and inter-sector information exchange, and with them a more secure ecosystem.

    The Aviation Sector


    The aviation sector has an advantage because some of its member organizations are also members of the defense-industrial base (DIB), which has more sophisticated sharing tools and relationships. While this creates some asymmetry between members of the A-ISAC, this also benefits the ISAC by providing additional perspective to some members.


    Issues of anonymization, who can receive information, and how that information is secured have been challenges in creating strong information-sharing relationships. Early forms of information sharing, many of which persist today, were built around regular conference calls and email lists. Some Information Sharing and Analysis Centers would act as a repository for threat information, ingesting it from members and then pushing it out to the larger community. Traditional methods of sharing have some drawbacks. In more direct forms, the sharing entity needed to identify itself, which can be problematic, especially when dealing with competitors and highly sensitive information. More institution-based approaches can limit who information can be sent to in a timely fashion, potentially hampering data getting into the hands of non-members who need it most. Both approaches do have value in building trust between group members.

    While these trust- and relationship-based methods have worked well in some cases and institutions, specifically those where personal relationships have been well established, such methods have difficulty scaling to sharing between large numbers of organizations and diverse members. It may also be difficult to quickly bring organizations in and out of these more manual methods of sharing. In response, technology providers have begun to look at how to make the sharing process faster, controllable, secure, and scalable. Both open source and proprietary threat information sharing platforms have emerged that allow security analysts to choose whom they share information with, exchange machine-readable indicators and other threat information, redact sensitive data that is not relevant to the threat being discussed, and encrypt sensitive communications about the data. These platforms allow sharing to be scaled to the needs of a grouping of organizations or an institution. These platforms also allow the identity of the sharing entity to be anonymized, which may make organizations more likely to share. Technical innovation in the threat sharing market can help drive faster, deeper, and wider sharing than likely would have been possible through more manual or institution-driven methods. It can also act as a platform for existing sharing organizations.


    Sharing Advances in Technology

    While technical advances are allowing more dynamic sharing, institutions are also shifting to meet the sharing needs of organizations. Sharing within critical infrastructure sectors has traditionally been centralized through industry-specific ISACs. While a centralized, industry-based approach is reasonable and important given the shared threats industries face, and these relationships should be strengthened, other sharing institutions that are not necessarily based on industry have begun to emerge. Executive Order 13691 in February 2015, which sought to promote industry and government sharing, created Information Sharing and Analysis Organizations (ISAOs). ISAOs are a less structured, more flexible institutional format, allowing any group of organizations to form a nonprofit to enhance information sharing. Some ISAOs are regional in nature, including the Maryland ISAO, the California Cybersecurity Information Sharing Center, and the Northeast Ohio CyberConsortium. Some ISAOs are subsets of certain sectors that already have ISACs, including the National Credit Union ISAO and Medical Device ISAO. Other ISAOs are more open, general membership sharing organizations. These flexible institutions allow organizations to choose the right forums for sharing given their goals. Regional rather than sector-based sharing can help improve trust and alleviate potential competitive pressures.

    Finally, information sharing is being pushed down supply chains within industry sectors. The importance of securing the ecosystem of an industry has become clear, and ISACs are increasingly integrating both central players in the industry and suppliers to create sharing up and down supply chains. Within critical infrastructure sectors, complex supply chains involving a multitude of both domestic and international suppliers create complex and intertwined pools of cybersecurity risk. A breach or cybersecurity incident within one part of the supply chain can impact others throughout the ecosystem. In many cases, larger companies are utilizing suppliers and contractors from much smaller organizations, which often don’t have the same level of technical sophistication or the same level of resources to devote to cybersecurity. ISACs are increasingly opening to organizations from throughout their respective supply chains and involving smaller companies within those sectors. Companies individually are also beginning to think about how they can better share directly with vendors, suppliers, and clients.

    Information sharing is often presented by policymakers as a panacea for security because it is an area where there is wide agreement on its importance across government and industry. While the benefits of information sharing may be overstated, it is still an important means of creating stronger situational awareness across industry. The technical and institutional trends in information sharing are moving toward more flexible, dynamic structures, allowing organizations to quickly push information to those organizations that can act on it in a fast, anonymous, and secure manner. While private threat intelligence providers are now a ubiquitous part of most enterprise security programs, information sharing across industry remains an important means of improving coordination. AIAA members’ organizations could benefit by reviewing what information-sharing organizations they participate in or could enter.