Worried US retailers battle cyber-attacks through new intelligence-sharing body

Target, Nike, Safeway circle the wagons

Stung into action by a wave of devastating data breaches, US retailers have taken the historic decision to share data on cyber-threats for the first time through a new initiative, the Retail Cyber Intelligence Sharing Center (R-CISC).

Developed after input from 50 retailers and the Retail Industry Leaders Association (RILA), R-CISC will operate as an independent body collecting anonymised data on the attacks detected by firms, hopefully allowing them to spot common patterns. This will include malware strains, software vulnerabilities, forum activity and real-time information on attacks.

Other elements of its brief will be to educate members on defence using training and develop research capabilities by forging lnks within the security world.

Prominent launch names include J. C. Penney, the Gap American Eagle Outfitters, Nike, Lowe's Companies, Safeway, VF Corporation, Walgreen Company and the most famous victim of retail attacks to data, Target Corporation. Other firms are said to be joining in the coming weeks and months.

On the law enforcement side, the FBI, the US Secret Service, the Department of Homeland Security will also participate.

"In the face of persistent cyber criminals with increasingly sophisticated methods of attack, the R-CISC is a comprehensive resource for retailers to receive and share threat information, advance leading practices and develop research relevant to fighting cyber-crimes,"said RILA president, Sandy Kennedy, a sentiment backed up by stakeholders.

"We are confident that by sharing with our peers and industry stakeholders through the R-CISC, our industry will collectively strengthen its ability to protect critical customer information," said, vice president of information security at Lowe's Companies, Warren Steytler.

The industry is responding to the sudden rise in cyber-attacks during 2013 which many of its members seemed unprepared for. A list of well-known brands were compromised, including Target, Neiman Marcus, White Lodging, Harbor Freight Tools, Easton-Bell Sports, and Michaels Stores. Events at Target contributed to the resignation of the firm's CIO and, more recently, its CEO.

This kind of intelligencensharing could represent a model for how other industry sectors might circle the wagons against attacks that target them in quite specific ways. The banking sector has longer experience of cyber-attacks and has to some extent piggybacked data sharing on the back of fraud prevention but many other sectors continue to behave as if attacks are a problem for each organisation. This now looks like a major mistake.

Meanwhile, government and regulators in the US are losing patience with the apparent inability of organisations to defend themselves using the most obvious defence mechanism of simply 'spreading the word'. The arrival of R-CISC is politically necessary as well as technically wise.

"This is a good move, as other industry groups - like the financial services industry with the FS-ISAC - have proven the value of threat sharing across and between organisations. Especially given the retail industry needs to work that much harder to rebuild consumer trust," said AlienVault's Barmak Meftah.

"But I do question whether it is enough to simply limit threat sharing to specific players within specific vertical industries," he said. "The determination of the retail industry to share threat data is all fine and good, but the technology at the heart of all this sharing needs to be within reach of all organisations, and it needs to help facilitate this sharing easily."