When it comes to sharing cybersecurity information, it can get complicated fast.
Organizations have to navigate a tight workforce and conflicting laws and regulations while prioritizing protections within their own organizations, often on penny-pinching budgets. Public entities like the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) strive for better engagement with corporations to improve collaboration and communication, but concerns over sharing sensitive information or giving competitors insight into business operations limit collaboration.
In 2015, the White House addressed those hurdles with Executive Order 13691: Promoting Private Sector Cybersecurity Information Sharing. While the security information sharing ecosystem in place in the US supported industries aligned with critical infrastructure and national security, EO 13691 was designed to help fill the need for security information sharing beyond federal agencies and to “encourage the voluntary formation of [information sharing organizations], to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.” Although the executive order provided a basis for DHS to support broadening the ecosystem, these “voluntary” sharing organizations added a layer of complexity that confused even the cybersecurity community. Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) established by the executive order differ in role and benefits but both are critically important to successful collaboration. Below, we provide a short summary of how these types of information sharing organizations operate.
Security Information Sharing in the US: An Overview
DHS is the central hub of the US government cyber information-sharing ecosystem and is a conduit to the private sector for cyber information, including threats and defensive measures. To communicate effectively with other government authorities, like law enforcement and intelligence agencies, DHS can use US-CERT, the national computer emergency readiness team, to distribute critical information about infrastructure threats domestically and internationally. The image below provides a good overview of the US security information sharing ecosystem, including the flow of information between DHS, ISACs, and ISAOs.
Source: The MITRE Corporation, “Building a National Cyber Information-Sharing Ecosystem, 2017”
ISACs: Sector-Specific Collaboration
To address the need for better sharing of information about cyber risks and preparedness, Presidential Decision Directive 63, signed in 1998, encouraged critical infrastructure sectors to establish information sharing organizations. The directive established clear responsibilities at the government level for building collaborations with organizations to “serve as the mechanism for gathering, analyzing, appropriately sanitizing and disseminating private sector information” to industry and the government. As a result, each ISAC aligned with an individually designated critical infrastructure sector. ISACs provide real-time threat and attack intelligence sharing, training and curated reporting to their members, who may pay an annual fee depending on the market sector. Information sharing through ISACs is usually governed by legal agreements that require non-disclosure and prevent attribution back to the reporting organization, providing members some protection against inappropriate disclosure. In addition, the automated sharing platforms hosted by some ISACs allow for consistent collaboration between member organizations, and some ISACs are able to respond and share actionable threat intelligence more quickly than the government. Many have also grown to reach well beyond the US, building international membership opportunities.
ISAOs: Effective Practice Sharing Networks
While ISACs initially covered the emerging information sharing needs of critical infrastructure, the rapidly evolving cybersecurity landscape created the need for Executive Order 13691, which encouraged ISAO development. Compared with the directive that created ISACs, the executive order was intentionally non-specific in order to encourage innovative information sharing approaches: “ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities.” These new information sharing organizations were also envisioned to be sector-agnostic, allowing membership to “be drawn from the public or private sectors, or consist of a combination of public and private sector organizations.” Like ISACs, information sharing through ISAOs may be governed by legal agreements that require non-disclosure and prevent attribution back to the reporting organization.
The Executive Order also established a funding path for a new ISAO standards organization that aims to guide ISAO development over time, but the flexibility to meet the needs of their members gives ISAOs more adaptability than a prescribed reporting function would. As such, ISAOs have evolved to focus beyond threat sharing and towards effective practice sharing within a more geography-centric local community. Their emergence thus provides an important support structure for building stronger cybersecurity communities. For deeper insight and analysis on ISAOs, we recommend reading “Building a National Cyber Information-Sharing Ecosystem,” published by The MITRE Corporation in 2017.
ACSC: The Original ISAO
The ACSC is an ISAO. An independent non-profit information sharing member consortium since 2011, the ACSC served as the model for ISAOs when Executive Order 13691 was implemented and promptly adopted the ISAO designation. An important architect of the modern security information sharing ecosystem, RADM (ret) Mike Brown, served as the Director, Cybersecurity Coordination at the National Programs and Protection Directorate (NPPD) within DHS at the time the ACSC was founded and supported the organization’s launch. He is now a member of the ACSC Board of Directors.
Now in its eighth year, the ACSC reaches across public, private and educational sectors to help build strong relationships among organizations that understand the business imperative of collaborative defense against common cybersecurity challenges. ACSC members agree to a robust confidentiality agreement so that information sharing can take place in a protected forum. This allows members to speak freely and in depth about the opportunities and challenges they are seeing in their organizations and in the cybersecurity community at large. In addition to providing the ability to engage regularly with peers and subject matter experts as the threat landscape continues to evolve, the ACSC also delivers direct value through an emerging research and analysis capability that identifies common problem areas and examines ways to reduce duplication of effort by harnessing the power of collaborative resources.
Collaboration Drives Cyber Resilience
In 2018, the ACSC’s focus on collaborative defense resulted in a research study, Collaborative Cyber Defense: Barriers and Best Practices for Strengthening Cyber Defense by Collaborating Within and Across Organizations, conducted with assistance from Mass Insight Global Partnerships and in conjunction with research partner McKinsey & Company. Researchers worked with ACSC members and other experts to interview CISOs, CIOs, analysts, business leaders and others in a range of sectors. These interviews measured “digital resilience.” Overall, the study found a strong correlation between collaboration and cybersecurity maturity. Five primary areas emerged as areas to explore for effective collaboration:
- Cybersecurity Governance Requires C-Suite Leadership
- Information Sharing: Expanding, but Barriers Remain
- Third-Party Security Evaluations: A Collaborative Opportunity
- Workforce Development: A Major Challenge and Collaborative Opportunity
- Simulations: An Increasingly Important Training Opportunity
The ACSC believes that information sharing and simulations are natural intersection points at which organizations can identify ways to improve cyber resiliency through collaboration. As a result, the ACSC conducted a simulation workshop in collaboration with DHS, designed for our members to develop cyber simulations that test our ability to respond collectively to community-level cyberattacks. This exercise was the first of our initiatives in our three-year plan with DHS to develop an exercise framework that will enable others to conduct the same simulations. But when community-level challenges are addressed by industry alone, solutions tend to favor those organizations with greater resources. While sophisticated companies are generally able to defend themselves from attacks, other organizations that we depend on, including vendors, business partners, municipal offices, public officials, law enforcement, etc., face a widening gap in access to security that can best be addressed by state and federal agencies. As an ISAO, the ACSC is designed to enable strong relationships between the public and private sectors to improve regional and national cyber capabilities.
For an organization to be fully engaged and on the front lines of cyber resilience, senior management and boards of directors must be an integral part of the governance process. To better understand the evolving role of corporate boards in cybersecurity governance, the ACSC and Mass Insight Global Partnerships conducted interviews with ACSC member CISOs and CSOs from the multiple sectors represented by the ACSC, along with experts on board and cybersecurity issues. Given the rapidly evolving nature of cybersecurity, boards need timely and relevant training to better equip them for strategic decision making in measuring risk before cyber incidents occur. CISOs now have a captive audience for cyber metrics that reflect both business measures and technology metrics. Building better partnerships between CISOs and corporate boards is an essential first step in building a “top down” culture of cyber preparedness.
You can learn more about what the ACSC does by reading our latest newsletter, which details recent events and areas of research. If you’re interested in your organization becoming a member, you can reach out to firstname.lastname@example.org and request more information.