INFORMATION SHARING IS A TOOL FOR ACHIEVING SHARED CYBER SITUATIONAL AWARENESS
Mar 26, 2015
There is a lot of focus these days in the US Congress and in the Administration on the topic of cyber information sharing. While it is important to elevate the dialogue about cybersecurity preparedness, protection, and resilience to a sustained national level, we must also not fall into the trap of thinking that the work is done by simply improving the exchange of cyber threat and vulnerability information.
An important objective must be to create a national operational capability that is able to achieve true information sharing, analysis and collaboration to deliver timely, reliable and actionable situational awareness to inform risk management decision making and improve our ability to detect, prevent, mitigate and respond to cyber events that may become incidents of national or even global consequence.
Consider how the National Weather Service has evolved a capability of receiving and correlating various data streams, and through technology and analytics is able to identify patterns and trends of weather behavior that prompt alerts and warnings in communities and regions around the country. This capability has proven to be effective in better predicting hurricanes and other weather events that may present a risk to people and property. Such early warnings help reduce damage, injury and even loss of life.
The National Cybersecurity and Communications Integration Center (NCCIC) was established more than five years ago at the Department of Homeland Security (DHS) to become the operational nerve center for cybersecurity. While progress has been made, the current organizational construct of the NCCIC has not produced a national operational capability that facilitates effective bi-directional information sharing that will scale across the stakeholder community. It also still lacks a mature analytic capability that is able to deliver early warnings to improve detection, prevention, mitigation and response to significant cyber events.
Simply pushing out threat indicators, without the attendant analysis that identifies which protective measures would prevent or reduce the impact of the most common attacks, fails to meet the full potential of what was contemplated when the NCCIC stood up. It is therefore time to re-examine the approach that features a series of one-off agreements between DHS and a small group of invited companies and organizations, and instead move to a model that is joint, integrated, public-private, cross sector, and collaborative, as recommended by the President’s National Security and Telecommunications Advisory Committee (NSTAC) in 2009. It is about a capability, not a facility. It is about a National Weather Service-like capability that improves detection, prevention, mitigation and response. It’s a capability that is able to deliver early warnings of pending or emerging cyber events that may become incidents of national or even global consequence. Such a capability is essential to improving our national cyber preparedness, security, and resilience.
A number of current legislative initiatives seek to address some of the barriers and impediments to bi-directional information sharing between industry and government. This is long overdue and an integral component of a more productive approach to cyber risk management. Industry access to timely, reliable and actionable threat intelligence is a critical element of informing the risk management decision making process for all stakeholders. As is the case in the world of physical security, it is not possible to protect everything all of the time in cyberspace. Knowledge of pending or emerging threats is key to decision making, and much of that information resides within the government. Most is classified and currently not available in a timely manner to cyber practitioners. Removing those barriers and establishing methods of providing access to such information will improve our national cyber protection profile. To prevent or reduce the impact of a cyber event as it is emerging, understanding the tactics, techniques and procedures pursued by the adversary is more important than knowing who the perpetrator is.
In addition, providing liability protection to private sector entities that share cyber threat and vulnerability information with the government is a necessary step that can only be accomplished through legislation. There is bi-partisan support in both the Senate and House of Representatives for legislation that will begin to address those barriers while preserving privacy and civil liberties protection.
The ability to automate the electronic exchange of threat indicators between government and industry to achieve near real time situational awareness is progressing. While it will not eliminate the need for human participation and analysis, current efforts are promising and a step in the right direction. However, the standards and protocols utilized must be accepted by the international standards community in order to realize the greatest potential and broad utilization by government and industry, particularly for global organizations.
Finally, rather than creating some new type of information sharing entity that is likely to create more confusion across the stakeholder community and do little to move the needle of cybersecurity protection and resilience, it is important to embrace the long-standing and productive Information Sharing and Analysis Centers (ISACs), which are created, organized and governed by the private sector, and fully integrate those capabilities into the NCCIC as partners and contributors to evolving our national cyber operational capability.
It is important to broaden the outreach and integration of stakeholders. This includes small and medium-sized businesses, regional bodies, and others with a capability to contribute. However, this will not be effectively accomplished by creating some new type of entity that is required to adhere to a set of standards established by the government in order to be recognized and engage in the process of information sharing, analysis, and collaboration.
The immediate focus should be on fortifying the nation’s capability to protect and foster resilience with the critical infrastructure providers that we rely on for our daily needs, including public health, public safety, national and economic security. Maturing a national operational capability for cyber preparedness, protection and resilience that is joint, integrated, public-private, cross sector, and collaborative is critical to helping make our nation safer and more secure at a time when the cyber threat environment is evolving and becoming even more dangerous.
Focusing on the outcomes and not who is in charge will help move the needle on security and resilience. There is much we can do today… let’s get to it!