Retail Industry Mulls Forming Its Own ISAC For Intel-SharingBreaches at Target and other retailers sound the alarm for retail industry to establish a cyber-threat Information-Sharing and Analysis Center
The massive data breach at Target, along with a wave of other attacks on retailers that has come to light in the past few months, has turned up the heat on the retail sector to formalize intelligence-sharing on threats and attacks on the industry.
Retail industry officials say their sector now is considering several ways to better prepare for and defend against the increasing wave of targeted attacks on its members, including the formation of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC).
ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries and others. They also include databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC, as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help the industries better team in the face of cybercrime and cyberespionage.
"The retail industry is considering many different proposals and options aimed at identifying, preventing, and combating coordinated cyberattacks, including the establishment of a retail industry Information Sharing and Analysis Center, or ISAC. ISACs are a valuable resource with a proven track record," says David French, senior vice president of the National Retail Federation (NRF).
NRF earlier this year asked the Senate Banking, Housing, and Urban Affairs Committee to look at recent breaches at retailers, government agencies, and universities in a "holistic" way such that breaches will become less profitable to the bad guys. That would entail converting to chip-based payment cards using PINs, for example. In addition to better intel-sharing, the retail organization also supports legislation for better protecting consumers' debit card transactions and a federal breach notification law.
Meanwhile, Congressional leaders are pushing the Federal Trade Commission (FTC) to request the creation of a Merchant and Retail Industry ISAC. U.S. Sens. Mark Kirk, R-Ill., and Mark Warner, D-Va., last month asked FTC chair Edith Ramirez to do so in order for retailers to have a platform for sharing threat and vulnerability information so they can better prepare for cyberattacks and protect their customers' payment card data and other information.
"Establishing an ISAC will enable the retail industry to share information that can help prevent the types of widespread consumer data theft we have seen in recent months," Warner said. "The private sector should work together to be more responsive to the serious threats consumers face from data breaches."
Sam Visner, vice president and general manager of global cybersecurity at CSC, says establishing an ISAC would be ideal. He noted that the FTC's lawsuit filed against Wyndham Worldwide Corp. in 2012 after the hospitality company suffered three major breaches in two years was a wake-up call. "That was significant," Visner says. "If the FTC is willing to fine these companies [that are breached], it can also do things to improve information-sharing and responses ... You need to get information-sharing" among industries up and running as quickly as possible, he says.
A big challenge for retail is not just detecting a breach, says Raj Ramanand, founder and CEO of Signifyd, but discovering that payment card data was stolen before it gets resold in the underground markets. "How can you detect when those cards are flooding the market?" rather than learning about it once the stolen cards are used by fraudsters, he says.
An ISAC could help retailers get a jump on that type of intelligence, security experts say.
[The departure of Target's CIO and the creation of a dedicated chief information security officer position (CISO) and a new compliance officer (CCO) begins a new chapter in the retailer's post-breach security posture. See Target Begins Security And Compliance Makeover.]
Meanwhile, the NRF and other retail trade associations have teamed with key financial associations to explore more information-sharing, as well as the adoption of more secure payment cards. Among the organizations in this new alliance are the Retail Industry Leaders Association (RILA), the Financial Services Roundtable (FSR), the American Bankers Association (ABA), the American Hotel & Lodging Association (AH&LA), The Clearing House (TCH), the Consumer Bankers Association (CBA), the Food Marketing Institute (FMI), Independent Community Bankers of America (ICBA), the International Council of Shopping Centers (ICSC), the National Associations of Convenience Stores (NACS), the National Grocers Association (NGA), and the National Restaurant Association (NRA).
"We are committed to working together to ensure customer personal and financial information is secure and protected," said Tim Pawlenty, CEO of FSR. "Exploring avenues for increased information sharing and collaborating on innovative technologies and safeguarding data will be critical in defending
against common enemies."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio