Title :
Information sharing requirements and framework needed for community cyber incident detection and response
Author :
Harrison, Kevin ; White, Gannon
Author_Institution :
Dept. of Comput. Sci., Univ. of Texas at San Antonio, San Antonio, TX, USA
Abstract :
Communities, and the critical infrastructure that they rely upon, are becoming ever more integrated into cyberspace. At the same time, communities are experiencing increasing activity and sophistication from a variety of threat agents. The effect of cyber attacks on communities has been observed, and the frequency and devastation of these attacks can only increase in the foreseeable future. Early detection of these attacks is critical for a fast and effective response. We propose detecting community cyber incidents by comparing indicators from community members across space and time. Performing spatiotemporal differentiation on these indicators requires that community members, such as private and governmental organizations, share information about these indicators. However, community members are, for good reasons, reluctant to share sensitive security-related information. Additionally, sharing large amounts of information with a trusted, centralized location introduces scalability and reliability problems. In this paper, we define the information sharing requirements necessary for fast, effective community cyber incident detection and response, while addressing both privacy and scalability concerns. Furthermore, we introduce a framework to meet these requirements, and analyze a proof-of-concept implementation.
Keywords :
data privacy; organisational aspects; reliability; security of data; spatiotemporal phenomena; community cyber incident detection; cyber attacks; cyberspace; governmental organizations; information sharing requirements; private organizations; proof of concept implementation; reliability problems; scalability problems; sensitive security related information; spatiotemporal differentiation; threat agents; Communities; Intrusion detection; Peer to peer computing; Routing; Scalability; anonymity; collaborative intrusion detection; community; distributed hash table; information sharing; intrusion detection; network security; privacy; security;
Conference_Title :
Homeland Security (HST), 2012 IEEE Conference on Technologies for
Conference_Location :
Waltham, MA
Print_ISBN :
978-1-4673-2708-4
DOI :
10.1109/THS.2012.6459893