State of Information Sharing:
Critical Infrastructure Protection Awareness, Collaboration, and Challenges Post-9/11
Although work on the public-private partnership began prior to 9/11, the attacks created a sense of urgency and propelled action.
For the better part of a year before the terrorist attacks on September 11, 2001, I was part of a small team at the U.S. Chamber of Commerce trying to solve a problem. Most critical infrastructure is owned by private industry, but government has a national security interest in ensuring it is secure. So, how do we get industry and government to work together to secure it? The importance of this nascent project was made clear on 9/11.
Since then, I have been fortunate to have a center seat at the national effort to solve this riddle. From forging information relationships to share critical intelligence, to establishing the legal and governance framework that enables industry and government to set policy priorities, we have accomplished much since that dark day. But there is much work to be done.
Before looking at the work that is left, we should look at where we were on 9/11. The attacks drove home several key points relevant to Critical Infrastructure Protection. Among them were:
- The Need for Industry-Government Collaboration: Prior to September 11, there was a group of industry leaders who understood the importance of “Critical Infrastructure Protection.” But there was not a well-articulated business case for industry-government collaboration. Industry viewed “Partnership” as better than regulation, and government knew it could not regulate the country into security, but we were struggling to define the partnership structures, priorities, roles, responsibilities, and outcomes. Although work on the public-private partnership began prior to 9/11, the attacks created a sense of urgency and propelled action.
- The Importance of Understanding Cross-Sector Interdependencies: As 9/11 approached, we collectively were still trying to understand sector-specific risks. In fact, we were trying to understand how to understand sector-specific risks. Evaluating cross-sector dependencies was a distant goal. We knew we needed to look at how an incident in one sector can impact another, but we had other priorities. This changed on September 11 when communications were lost, and our transportation system was crippled.
- The Value of Achieving Situational Awareness: Once the second plane struck the World Trade Center, it was clear we had a major intelligence failure. The 9/11 Commission Report revealed that elements of the national security apparatus had individual pieces of intelligence that on their own did not mean much. These pieces were part of a larger puzzle that, when taken together, provided a more complete picture. We did not have the capacity to share information within government, let alone between government and industry. As a result, no one had overall situational awareness.
Progress to Date
The September 11 attacks led to a vast restructuring of government through the creation of the Department of Homeland Security and a renewed focus on industry-government engagement. Progress has not always been quick or easy. As in any partnership, the partners do not always agree. The truth is there have been times when government has not been a great partner. Some in government may hold the same view of industry. But progress nonetheless has been substantial. Of course, we need to do more, but we should take note of what has been achieved.
Establishing Legal and Operating Frameworks to Ensure Sustained, Scalable Collaboration Between Industry and Government:
The Homeland Security Act of 2002 established the Critical Infrastructure Advisory Council (CIPAC). Normally, the establishment of a government committee is not a significant accomplishment. However, the CIPAC Framework formalized and gave legal protections to industry-government collaboration. CIPAC provided a much-needed boost to industry-government engagement and has had tangible results.
The biggest value of CIPAC is that it enables industry and government to collaborate on policy and strategy development. The IT Sector Baseline Risk Assessment, developed through CIPAC and released in 2009, set out a “functions”-based approach, as opposed to an assets-based approach, to risk assessments. This approach was adopted by DHS with its “National Critical Functions” approach to risk management, announced by CISA 10 years later in April 2019. Essential planning and response documents such as the National Infrastructure Protection Plan and the National Incident Response Framework were built leveraging the CIPAC structure. CIPAC is being used to improve cyber threat information sharing, to secure the ICT supply chain through the work of the ICT Supply Chain Risk Management Task Force, to conduct interdependency analysis, and to identify and protect critical national functions. Engagement through CIPAC has not been flawless, and implementing some of the actions in the various plans has been challenging. Nonetheless, CIPAC provides the necessary structure for consistent, scalable engagement between industry and government on pressing security and policy challenges.
Private Sector Information Sharing:
Since 9/11, we have built a network of mature, connected, and highly capable industry-specific Information Sharing and Analysis Centers that share threats and help enterprises manage risks. While several sectors such as the IT Sector had established an Information Sharing and Analysis Center prior to 9/11, the attacks propelled other sectors to form ISACs. By 2003, there were enough sector-specific ISACs to establish the ISAC Council. Today, there are 26 ISACs across the 16 critical infrastructure sectors encompassing thousands of companies coordinating through the National Council of ISACs (NCI). Some sectors, such as Communications, have two recognized ISACs, the Communications ISAC and CyberShare, the Small Broadband Provider ISAC. ISACs provide a trusted forum to help members respond to attacks. The success of ISACs and the value they provide are not fully appreciated.
We are also seeing innovative partnerships within and across information sharing communities. The CompTIA ISAO has partnered with the IT-ISAC, which provides curated intelligence and incident reporting for the MSP and MSSP communities that are the core of the CompTIA ISAO membership. The IT-ISAC also established Special Interest Groups for sharing with companies in the Elections and Food and Agriculture industries, which otherwise do not have an industry-only venue to share with peers. Innovation and collaborative partnerships such as these will continue to drive real operational value across industry.
Government Information Sharing:
Yes, government information sharing is not where it needs to be. But when you compare where information sharing stood on September 11, 2001, to where it stands today, there has been substantial progress. This owes a great deal to then-Assistant Secretary for Cybersecurity Greg Garcia’s efforts in 2007 to integrate US-CERT with the NCC Watch. This eventually became the National Cybersecurity and Communications Integration Center (NCCIC), which is now part of CISA. This center serves as a single point of engagement between industry and government and provides opportunities for industry and government to collaborate to identify, mitigate and recover from cyberattacks.
In addition, the development and use of automation has made it easier to share and consume cyber threat indicators at scale, and those indicators can be easily integrated into security tools. No more copying and pasting indicators from Excel sheets and PDFs. This does not solve all information sharing issues, of course. However, sharing indicators has improved so much that we have moved from one problem (nobody is sharing indicators) to another: there are so many indicators that it is hard to tell which are relevant. Thanks to advancements in security technologies and trusted relationships through various peer groups, we are making great progress in turning information into actionable intelligence and analysis. This is not to say that the progress made to date is enough. It’s not, and we should be further along today than where we are. But an honest assessment must acknowledge this progress, even if the task is incomplete.
Despite this progress, there remains much to do. The Internet is vastly different today than it was 20 years ago. Consider that in August 2001, it is estimated that there were 513 million Internet users, or 8.6 percent of the world’s then-population. In March 2021, it is estimated that there were 5.168 billion Internet users, or 65.6 percent of the world’s population. Not surprisingly, there are a lot of devices connected to the Internet. According to a March 2020 Cisco White Paper, there will be 29.3 billion devices connected to the Internet in 2023. This represents more than three times the global population!