Situational Awareness Will Inform Risk Management Decision Making
Cyber information sharing can emerge from existing private sector organizations.
Many people involved in the discussion about cyber information sharing fail to grasp the fact that the sharing is only part of what is required to achieve the true objective, which is to attain the timely and actionable situational awareness necessary to inform cyber risk management decision making. Without the attendant analysis and collaboration, information sharing is just that. Some seem to believe that is enough. It is not.
The Cybersecurity Information Sharing Act (CISA) passed last year is an important step. The provisions that attempt to improve bi-directional information exchange between government and industry while exerting privacy protections are valuable. However, much more remains to be done. Existing models provide a foundation for moving the needle in a positive direction.
Following the issuance of the Presidential Decision Directive 63 in 1998, the private sector critical infrastructure community organized and created industry-driven information sharing and analysis centers (ISACs) to establish and evolve operational capabilities across the various sectors, as well as to address the emerging cyber and physical risk to the nation’s critical infrastructure. Since then, the capabilities across the sectors continue to grow and evolve. Every day, they produce value in the national and global effort to improve detection, prevention, mitigation and response to the risk in cyberspace. Newly formed ISACs in the aviation and automotive sectors provide compelling evidence of the commitment by the private sector to establish, grow and maintain meaningful capabilities in information sharing, analysis and collaboration.
Given the growing attention to the cybersecurity challenge, one would think the government would embrace the capabilities developed in the private sector and seek to explore opportunities that further integrate those capabilities to achieve greater protection and resilience—especially for the nation’s critical infrastructure in the context of national and economic security in a globally connected world.
But regrettably, in recent years, many of the ISACs in sectors that interact most directly with the U.S. Department of Homeland Security (DHS) have seen reduced participation and support for their work by their government counterparts. Conversely, the sectors that interact with other federal departments—such as Treasury, Energy and Transportation—have seen their efforts result in an increase in collaboration and productivity. These capabilities include mature and robust threat intelligence elements that contribute to timely and actionable situational awareness. Improving detection, prevention, mitigation and response to increasingly sophisticated and nefarious cyber activity is essential. Accordingly, it raises questions: Why isn’t the government enthusiastically embracing the opportunity to engage such capabilities in a collaborative manner more broadly? Why are only five of the ISACs represented on the watch floor of the National Cybersecurity and Communications Integration Center (NCCIC) after more than six years of operation?
Instead, the government has set off on a course to create some new type of entity where people can gather to converse about cybersecurity, and it has committed $11 million in taxpayer dollars to this initiative.
Efforts by the DHS to engage consultants to identify steps and requirements for creating a different type of information sharing organization, in accordance with a presidential executive order, may be nice to do and satisfy the interest for a mechanism to discuss cybersecurity. However, no current evidence indicates the initiative will contribute to operational efforts to improve information sharing, analysis and collaboration.
Accordingly, the government should be taking this timely opportunity to both acknowledge and commit to further support of the existing, proven, industry-driven ISACs in a manner that accelerates the effectiveness and productivity of current operational capabilities, and leverages bi-directional information sharing, analysis and collaboration on behalf of the safety, security, protection and resilience of our nation’s critical infrastructure and the American people.
While a new information sharing and analysis organization (ISAO) someday may contribute to the mission, well-established and even brand-new ISACs are contributing to the mission every day. The risk of identity theft, criminal activity, economic espionage and even terrorism demands that we as a nation collectively and collaboratively improve our overall efforts to raise our cyber protection profile and make it more difficult for adversaries to succeed. Speculative future results that may or may not ever materialize may justify the investment in the current ISAO initiative, but ISACs such as the Financial Services Sector ISAC, Information Technology ISAC and Energy Sector ISAC, among others, are delivering measurable value every day and have been for some time. The DHS and other agencies should embrace, applaud and engage these capabilities fully.
Some in government argue that a sector-based model is not effective. I argue that sectors have unique characteristics and needs. These must be met by risk management programs to recognize critical requirements and tailor approaches to meet the ultimate objective of delivering actionable situational awareness that will inform risk management decision making. There is no one-size-fits-all solution, and the uniqueness of threats, vulnerabilities and consequences across sectors demands respect and support for capabilities that address those risks. Additionally, sectors are confronted by common characteristics of malicious and nefarious cyber activity. The National Council of ISACs, a cross-sector body established in 2003, facilitates communication, coordination and collaboration across ISACs daily to support cross-sector information sharing, analysis and collaboration. The government should applaud and support the 24/7/365 operational capability delivered every day by these important entities.
The formula for success in addressing the growing cybersecurity challenge in the United States and around the world includes a truly joint, integrated public/private operational capability fueled by information sharing, analysis and collaboration. This will improve detection, prevention, mitigation and response to cyber events that may have national or even global consequences.
Rather than wait on the establishment of a new type of organization, government should acknowledge and embrace those existing industry-driven information sharing and analysis centers that are delivering measurable value across the critical infrastructure community every day and productively contributing to the mission of improving safety, security, protection and resilience for our nation.
Robert B. Dix Jr. is vice president, Global Government Affairs and Public Policy, for Juniper Networks.