Dual Retail Cyberthreat Intelligence-Sharing Efforts Emerge

First, there was no official intelligence-sharing mechanism for the retail industry, and now there are two. The Retail Industry Leaders Association (RILA) announced the launch yesterday of the Retail Cyber Intelligence Sharing Center (R-CISC), an information sharing and analysis center (ISAC) with the backing of Target and other major retailers. The center is akin to what the financial services, defense, and other industries have in place today to help their members share and learn about the latest attacks and threats.

Last month, the National Retail Federation officially revealed its plans for establishing an intelligence-sharing mechanism to help the industry fight cyberthreats. David French, senior vice president for government relations for the NRF, told Dark Reading earlier this year that establishing a retail industry ISAC was on the table as an option.

In a second interview with Dark Reading last month, French said the NRF was sharing protocols and procedures that could be "transformed into an ISAC," though the organization was "not all in with an ISAC yet." The plan was for a sharing platform that would start out as a portal for the industry, he said.

Today the NRF praised the R-CISC announced by the RILA but said it has no plans to drop its own intelligence-sharing initiative, which it developed in consultation with the financial services industry's FS-ISAC.

"The National Retail Federation applauds the announcement made by the Retail Industry Leaders Association regarding the establishment of a Retail Cyber Intelligence Sharing Center," said Bill Thorne, senior vice president for communications and public affairs for the NRF. "For a number of years, NRF has been working with all of the stakeholders to ensure that the broad spectrum of our industry -- large and small, online, grocery and restaurants -- have access to the tools and information they need to combat and stop these crimes."

Thorne told Dark Reading there won't be two retail ISACs, but there may well be multiple intelligence-sharing platforms. "Where it makes sense, we will integrate efforts, but at this time I do not see two retail ISACs. That does not mean, however, that there could not be multiple information sharing platforms, education, and training programs or research needs," he said. "To make it work requires a high degree of collaboration and communication between all parties engaged in this space. Please keep in mind, RILA and NRF share an industry but have a very different membership base. With those differences comes levels of sophistication, resources, need, and category of retail. Cyber security is not a 'one size fits all' proposition.

"This is a complex problem for which there is no single answer. The important thing is to insure the widest access to information by the broadest cross section of the retail industry. The effort by RILA enhances that mission, adding to the greater arsenal of tools," Thorne said. "It does not in way diminish our commitment to creating programs and opportunities that provide additional value to retailers."

The NRF has contracted the Chertoff Group "to ensure that this effort maximizes current tools and technologies that meets the needs for the full range of retailers," he said. "We support any effort that will help protect our members and their customers, and as an industry we look forward to working together to reach our shared goals."

Calls for an official intel-sharing mechanism for the retail industry intensified in the wake of Target's epic data breach late last year. The retail industry to date has not had a formal threat and attack intelligence-sharing mechanism, like other major industries do.

In addition to Target, the retailers participating in the RILA's new R-CISC include American Eagle Outfitter, Gap, JC Penney, Lowe's, Nike, Safeway, VF, and Walgreens. The R-CISC will share threat information with the US Department of Homeland Security, the US Secret Service, and the Federal Bureau of Investigation. It will also provide training and education to the industry on cyberthreats.

"Retailers place extremely high priority on finding solutions to combat cyberattacks and protect customers. In the face of persistent cyber criminals with increasingly sophisticated methods of attack, the R-CISC is a comprehensive resource for retailers to receive and share threat information, advance leading practices and develop research relevant to fighting cybercrimes," said RILA president Sandy Kennedy.

It's unclear why the two associations initially came at this initiative separately. The retail industry, unlike the defense contractor or financial services industries, is relatively new to being victimized by targeted attacks. So it could be more a result of growing pains as the industry rushes to get up to speed, experts say. Targeted threats "have not traditionally been a huge concern for them," says Chris Strand, senior director of compliance for Bit9.

There also are natural worries among competing companies about sharing attack information with your competitor, but experts say that worry ultimately fades as the advantages of staying abreast of new threats to your industry begins to pay off.

"Some don't want to share information with one another," says Strand, who has been on both sides of the fence as a retailer and a QSA. "It's both a good and bad thing that several [retail organizations] stepped forward" on the intel-sharing initiative. "But if you were to have two separate ones not talking to one another, that would probably not be the best" situation.

The NRF and RILA had been working together under an official alliance of retail trade associations to explore information-sharing options. That alliance includes the the Financial Services Roundtable, the American Bankers Association, the American Hotel & Lodging Association, Independent Community Bankers of America, the National Grocers Association, and the National Restaurant Association.

A recent Ponemon Institute study found that, for most organizations in general, intel-sharing is informal and ad hoc, and therefore not necessarily always useful. More than half of organizations get this information via phone calls, emails, or in-person meetings. The information then must be converted into some sort of rule or security measure, and time is of the essence: Nearly 70% of organizations say this information expires within seconds or minutes.

"Hearing from leaders and experts that have experienced such attacks first hand and stepped up to modernize their data security strategy to turn the tables on the attackers can be a fast track for others to follow with big pay-offs," says Mark Bower, vice president of of product management and solution architecture for Voltage Security.

Target, meanwhile, said it is playing "an active role" in RILA's R-CISC. "Target believes that protecting consumers from cyber threats is a shared responsibility. We applaud the efforts of RILA to help coordinate industry efforts around cyber security and data privacy," a Target spokesperson said.