What would you do if you were stuck in one place
and every day was exactly the same…
— Groundhog Day
In some ways, a recent workshop in San Antonio for an information-sharing program directed by the White House had this déjà vu feel to it.
A Department of Homeland Security program spawned the Information Sharing and Analysis Organization Standards Organization. The ISAO SO held its second organizing meeting Feb. 9 with the intent to provide the structure and best practices to share information about cybersecurity threats across the country.
What would Colorado Springs and surrounding communities look like with multiple, even dozens of entities, all sharing cybersecurity threat information? That’s the federal government’s goal because information-sharing is now considered a core imperative for reducing data thefts — and so they formed ISAOs.
ISAOs will be the entities formed in communities with shared objectives that will facilitate improved cybersecurity resilience through activities and programs that are generally centered on sharing information. The strategy is to raise situational awareness and increase readiness, to reduce vulnerability to attack and to improve the community’s overall cybersecurity hygiene.
Our efforts in San Antonio served to share the initial work for the ISAO concepts. I have been asked to lead a group called “The Role of Government” within the broader ISAO SO. This group will help define what the mission space is for federal departments, state officials and local governments concerning their duties to support ISAOs.
Other groups are tackling privacy, regulatory constraints, and creation and capabilities issues, so that ISAOs have a blueprint to establish operations.
The déjà vu aspect of this workshop was that many attendees — myself included — already built the same kind of structures before the government labeled them “ISAOs.” Moreover, virtual communities and platform-based cybersecurity threat intelligence and information sharing have already emerged in the marketplace. Many tools, protocols and operational businesses currently exist — and don’t need to be invented.
Secondly, Information Sharing and Analysis Centers (ISACs) have been around for a decade. The notion that an extended government and industry project was needed to design a new model had some participants nonplussed.
Nevertheless, there are strong positives that will emerge from this effort — principally associated with legitimizing and spawning new marketplaces and public-private partnership operational models. Operationalizing the public-private partnership, or my preferred descriptor — “public-private marketplaces” — is the desired outcome of the ISAO national effort.
Here in Colorado, Gov. John Hickenlooper announced plans to establish the National Cyber Intelligence Center. As it evolves, it will become apparent whether the NCIC will be part of the emerging ISAO ecosystem, or whether it will chart a separate path.
In cybersecurity, there’s room for many initiatives.
The organizers of the NCIC will undoubtedly experience the growing pains that other cybersecurity initiatives have worked through. The most difficult challenge, according to David Powell, who cofounded Cyber Maryland, is establishing a deep understanding for the social enterprise dimensions of community cybersecurity initiatives. Powell, who is a board member of the Colorado-based Cyber Resilience Institute, has also helped launch Cyber Texas, Cyber Montgomery and the Cybersecurity Training and Technology Forum-Colorado. In these efforts across multiple states, he describes the social enterprise challenge and the risk of failure stemming from narrow business or organizational interests.
“The heart of the problem is the inability to see the solution from outside one’s self-interest,” he said.
As part of the overall ISAO process, I appreciate these challenges. The committee is developing best practices for designing, organizing and operating sustainable ISAO entities. In my view, we are building a construct that is a cross between a community fire department and Seattle’s Pike Place Market. In short, a social enterprise that benefits the community while also crystallizing market forces to ensure entity sustainability.
Here are some quick points about the Dos and Don’ts in ISAO formation. Keep in mind that at the outset of community building, there must be a shared vision and culture that is consistent with building for cybersecurity what had previously been built for fire prevention: “We’re building a fire department to put out community cyber fires.”
1. Avoid establishing the community initiative inside an entity’s profit center — it undermines trust and collaboration.
2. Trust-building mechanisms have to be core in the framework for the ISAO.
3. Transparency in leadership selection, major ISAO actions and stakeholder access is paramount.
4. Promote and support community champions and instill a common social enterprise ethic.
5. Establish governance systems that institutionalize trust, transparency and a social enterprise culture.
Doug DePeppe, cofounder of the Pikes Peak Cyber Champions forum, is a retired Army cyber law attorney. He has two master’s degrees in law and practices cyber law with eosEdge Legal to reduce risk of cyberattack.