Cybersecurity is a Shared Responsibility

Published on October 30, 2018 by

Peder Jungck, Vice President / General Manager Intelligence Solutions at BAE Systems, Inc.


TLP: White – October is National Cybersecurity Awareness Month. The annual event serves as a very public reminder about the threats we all face due to the constant cyberattacks targeted at our critical infrastructure, including the U.S. energy grid and utilities, and our country’s financial, healthcare, and transportation systems. Although the U.S. government has a stake in the security of these critical infrastructures, most are owned or operated by private industry.  This dichotomy—how to secure nationally critical assets and functions that are owned by the private sector—has been a key policy challenge for more than two decades.

In 1998, Presidential Decision Directive 63 (PDD-63) was issued to promote the voluntary establishment of information sharing within the critical infrastructure community – with the goal of improving the cybersecurity of all parties. To foster this collaboration, the critical infrastructure community established Information Sharing and Analysis Centers (ISACs) to provide trusted sector-specific forums for active information sharing and collaborative analysis around cyber and physical threats, vulnerabilities, and incidents. The ISAC model, which has grown and matured over the past 20 years, has been an instrumental part of advancing cybersecurity not just within the U.S., but around the world.

ISACs bring together analysts from companies of all sizes to share information on how to identify and defend against active attacks. In this way, companies with more robust capabilities assist each other and those with less robust programs.

The ISACs provide a force-multiplying effect that enables companies to do more collectively than they are able to individually. For example, information about destructive attacks such as WannaCry and Petya/NotPetya is shared among companies within ISACs so that all members can understand and defend against attacks. ISACs are also used to share, among members, information about public vulnerabilities such as Spectre/Meltdown and the WPA “KRACK Attack” vulnerability, as well as effective security practices.

The ability to have a single point of outreach to each critical infrastructure community is an important tool for national cyber incident response. ISACs can quickly and effectively share information from government to their members and can provide an important source of company-neutral analysis as to how a threat or incident affects their particular sector. ISACs may also provide members with tools to mitigate risks and enhance resiliency. The overall goal of each ISAC is to help its fellow critical infrastructure owners and operators in protecting their respective facilities, personnel, and customers from cyber and physical security threats.

In 2003, the ISACs aligned together to establish an overarching council under which all ISACs could collaborate. Today, the National Council of ISACs (NCI) has 24 members, with ISACs serving the transportation, communications, defense, energy, health, financial, and retail sectors. While each ISAC oversees sharing for its unique market, the NCI leverages the information shared by each to collectively protect physical and cyber systems so vital to the U.S. that their incapacity or destruction would have a debilitating impact on our physical or economic security, or the health and safety of our public.

The NCI has provided a framework under which analysts from each ISAC communicate with each other daily, sharing information about attacks and threats targeting each sector. Although there is no requirement for ISACs to share with each other, the daily flow of information across the ISACs is robust. This serves as an early warning system that enables ISAC analysts and members not only to identify attacks before they are public, but also to perform threat analysis of attacker tactics, techniques, and procedures. The community is now working to leverage technology to automate the sharing of indicators across sectors.

A key success driver of the ISAC model can be traced to the fact that ISACs are voluntary forums driven by the needs of their members. While the 24 ISACs that participate in the NCI all share a common mission, no two ISACs are the same. The ISACs are focused on meeting the unique needs of their members, not on a set of mandatory standards developed by a disinterested third party. Being member-driven rather than compliance-driven enables the leadership of each ISAC to identify, understand, and develop programs and capabilities to meet member needs.

Another reason for success is the responsiveness from federal policymakers to create an environment conducive to information sharing. From anti-trust and liability protections, to providing legal protections on information that is shared with the Department of Homeland Security, policymakers have taken serious steps to remove actual and perceived barriers to information sharing.

The success of the ISAC model has caught the attention of government policymakers throughout the world. ISAC leaders are constantly being invited to industry and government forums around the world to share lessons learned in order to facilitate further information sharing in their countries. Helping our allies advance cybersecurity benefits the global community, as cyberattacks have no borders.

Certainly, there is more to do in voluntary industry information sharing. The job of securing the critical infrastructure is never finished and always evolving. ISACs must build and adjust their services accordingly. Those attacking our infrastructure are also becoming more capable, thanks in part to their ability to share information with each other. As such, more than two decades after their founding, the ISACs remain a critical and effective component of the national effort to defend against cyberattacks. In the coming years I expect the importance of each ISAC and the larger NCI to increase further, as more industries and international partners understand the benefits of sharing cyber threat intelligence globally. If we can find a way to leverage the lessons of our past ISACs internationally, we will take a significant step forward to building a safer, more secure cyber world.

As we wrap up National Cybersecurity Awareness Month, I urge all organizations to reassess their cyber responsibilities and consider if they could benefit by being a member of the ISAC community, as cybersecurity is a shared responsibility.
