2013 Annual Highlights

July 16, 2013

2013

  • ISA Summer Board Meeting begins consideration of new three year plan for ISA including discussion of the following new projects:
    • International ISA
    • Cost study on framework implementation and incentives under the EO
    • Best Practices for Boards of Directors
    • Writing a cyber security bill for industry/Congress
    • Model Contracts based on NIST Framework
    • Supply Chain management framework for federal government
  • ISA Board has its second private meeting with NIST drafting team to discuss framework for cyber security under President Obama’s Executive Order.
  • ISA meets with President Obama’s “Cyber Czar” Michael Daniel to discuss potential legislation implementing the Executive Order. ISA receives assurance that the Obama administration will not be seeking new regulatory authority under any measure.
  • World Economic Forum requests ISA to convene group of international players in cyber security to discuss NIST draft framework at conference in Berlin Sept. 25-27.
  • ISA announces it will host an organizing meeting in London to consider proposals to create an ISA-EU office.
  • CMAI, a major Indian trade association, requests that ISA partner with it in India on an ISA-I branch.
  • Fidelity Investments announces it will build its fall conference for CISOs and CEOs around the ISA Guide on the Financial Management of Cyber Risk.
  • ISA asked to represent industry at kick-off event for cyber security framework Oct 11 at National Press Club. ISA is the only entity asked to give a keynote, as was the case in June when ISA was the sole keynote at DHS conference on market incentives.
  • ISA President Clinton is invited to White House to meet with President Obama’s top cyber security advisor, Michael Daniel. ISA receives assurance that President’s legislative package will not contain calls for any new regulatory authority over the private sector for cyber security.
  • ISA Board has its second private meeting with the team drafting the cyber security framework pursuant to President Obama’s Executive Order on cyber security. In addition to soliciting specific feedback on a range of issues relative to the construction of the framework the drafting team requests ISA help in 2 specific areas:
    • ISA is asked to find a group of senior execs who will be responsible for deciding if their enterprise will adopt the framework and to ensure the framework addresses the issues senior execs will need to make this decision (N.B. a group of ISA Board members have volunteered for this task).
    • Given the need to globalize the US-based framework, and the lack of involvement from the international business community in its development, ISA is asked to use its international contacts and solicit feedback from the international business community (ISA has initiated plans for 2 conferences on this topic in September led by sponsors Vodafone and AVG).
  • ISA Chairs the Information Technology Sector Coordinating Council (ITSCC) quarterly meeting. Accomplishments include:
    • ISA will chair regular monthly meetings with DHS Acting Deputy Secretary for Cyber Security to remain coordinated on ongoing cyber security issues and programs.
    • A new “Acquisition Group” interfacing with DoD and GSA will be established under the IT SCC which ISA Chairs.
    • Reports from DHS, Treasury and Commerce on the use of market incentives to promote cyber security have been delivered to the White House.
    • DHS will be recommending a very narrow list of “most critical infrastructure” to be covered under the President’s Executive Order, following the ISA-recommended “risk based” rather than “consequence based” model.
  • ISA participates in NIST framework workshop in SD.
  • ISA presents at GMU conference on supply chain.
  • As directed by President Obama’s Executive Order on cyber security, the National Institute of Standards and Technology (NIST) published its draft outline of a framework of cyber security standards and practices for the private sector. The very first source cited in the draft report was the Internet Security Alliance’s “Financial Management of Cyber Risk,” and the foundational chapter of the NIST framework is set to follow this model.
  • The Integrated Task Force workgroup on “Planning and Goals,” established to implement the President’s Executive Order, published its draft report on how the public-private partnership for security ought to develop. Half of the report’s recommendations can be tied directly to the joint government/industry study on how to improve the effectiveness of the partnership, which ISA co-chaired and presented at the fall 2012 “Quad Meeting” of telecommunications and IT sectors and which was later adopted by all 18 critical sectors through the Partnership for Critical Infrastructure Security (PCIS), where ISA also holds a Board seat.
  • Five different government departments (DHS, Commerce, Treasury, and DoD/GSA) submitted reports to the President on how to use incentives to stimulate enhanced cyber security practices for critical infrastructure. While the reports are not public yet, ISA has been told they are consistent with the ISA social contract for cyber security and the President’s Executive Order.
  • ISA is featured on Fox Business News commenting on the NSA controversy.
  • ISA participates in Council on Foreign Relations workshop on cyber security.
  • House Energy and Commerce Committee Vice-Chair Marsha Blackburn (R-TN) meets with ISA Board to review her recent cyber security legislation and announces bi-partisan task force on supply chain cyber issues.
  • ISA, acting as Chair of IT Sector Coordinating Council, coordinates multi-association responses to GSA/DoD inquiry on cyber security supply chain report to President Obama.
  • ISA participates in workshop at Carnegie Mellon University on proposed new cyber security framework for the private sector.
  • ISA keynotes three conferences in Boston, Houston and New Jersey sponsored by AIG, which were based largely on the output of the 2012-2013 workshops on sophisticated practices for cyber security in the DIB, IT, and Financial Services industries.
  • ISA keynotes conference on the Economics of Cyber Security held at the Javits Convention Center in New York City.
  • House Passes ISA Supported Legislation on Information Sharing: The so-called “CISPA” legislation, which provides liability incentives for the private sector to share information with the government and other companies, was approved by the U.S. House of Representatives. ISA endorsed this legislation because it was the first to embrace the ISA model of using market incentives, as opposed to regulatory mandates, to spur pro-security behavior. The approach taken in this bill is also the only one that has received any significant measure of bi-partisan support.
  • ISA Submits Comments on National Framework for Cyber Security: President Obama’s Executive Order on cyber security calls for the Department of Commerce to develop a baseline “Cyber Security Framework” through the National Institute of Standards and Technology (NIST). ISA polled its membership and combined the practices used by sophisticated companies, such as ISA sponsors, with the empirically proven methods available to the community and suggested that these be the core of the national framework. NIST’s Director, Dr. Gallagher, will meet with the ISA Board shortly to discuss the ISA proposal in depth.
  • ISA Leads Critical Infrastructure Efforts on Cyber Incentives: ISA is the recognized industry leader on how and why market incentives are preferable to government regulations for promoting cyber security. ISA was, therefore, designated by the Partnership for Critical Infrastructure Security, acting under authority in the National Infrastructure Protection Plan, to lead government-industry efforts on the 4 cyber incentive reports required under the President’s Executive Order on cyber security. ISA served as the industry keynote speaker at the joint industry-government conference on the subject and coordinated input from all designated critical industry sectors on the issue. In addition to coordinating input to Treasury, DoD, DHS, Commerce, & GSA from aligned industry groups such as PCIS & the IT SCC, ISA filed its own extensive comments on the government’s incentive Notice of Inquiry.
  • ISA Assists Members’ Efforts on Presidential Order on Cyber: The Executive Order (EO) on cyber solicits private sector input on a wide range of critical topics operating on a very short time line. ISA is assisting member companies in becoming directly and increasingly involved in the eight task forces established to implement the EO.
  • ISA Board of Directors approves multi-point strategy for responding to President Obama’s Executive Order on cyber security, including:
    • developing ISA framework based on empirical measures of success and ISA member’s security practices;
    • integrating member companies into new information sharing regimes;
    • coordinating ISA activities with other interested entities, including SCCs, PCIS, CSCSWG, and others, to reduce member burden; and
    • coordinating Executive Order activities with Capitol Hill by meeting with both the Chairman and Chief Minority Staff of the Homeland Security Committee.
  • ISA assists member companies in becoming directly involved in the eight task forces established to implement the President’s Executive Order, namely the Stakeholder Engagement, Cyber-Dependent Infrastructure Identification, Planning and Evaluation, Situational Awareness and Information Exchange, Incentives, NIST Framework, Civil Liberties, and R&D Working Groups.
  • Working in its capacity as Chair of the IT SCC, ISA works with DHS to develop a visual list and dashboard of Executive Order programs and meetings to make membership involvement easier to track and participate in (ISA intends to update this tool on a weekly basis).
  • ISA is selected by the Partnership for Critical Infrastructure Security as the lead coordinating entity for all 18 critical industry sectors in addressing incentives for voluntary adoption of the security Framework described in the President’s Executive Order.
  • ISA drafts response to Notice of Inquiry on developing a baseline cyber security framework issued by the Department of Commerce.
  • ISA, acting as Chair of the IT Sector Coordinating Council, presents study on best practices for public-private partnerships at meeting of the Obama Administration’s Integrated Task Force on Presidential Policy Directive 21.
  • ISA participates in the Cyber-Dependent Infrastructure Identification Working Group (CDIIWG) “kick-off” meeting, which is tasked with identifying critical infrastructure at the greatest risk as directed in the Presidential Executive Order.
  • ISA leads PCIS delegation at DHS, Treasury, and Commerce’s Integrated Task Force Incentives Working Group “kick-off” meeting.
  • DHS’s Executive Order Integrated Task Force singles out ISA reports on infrastructure protection in publicly circulated materials; ISA is the only private sector entity with its own category of materials cited in these review materials.
  • ISA appointed Chair of IT Sector Coordinating Council Policy Committee.
  • Acting as IT SCC Chair, ISA participates in joint industry-government Task Force on Supply Chain Management.
  • ISA President keynotes ACAMS & International Financial Crime Conference in Hollywood, Florida.
  • ISA President Keynotes Alliance to Secure Protected Health Information Conference in Boston, Massachusetts.
  • ISA addresses insurance industry on security best practices in Stowe, Vermont.
  • White House releases Executive Order on Cyber Security. Order includes multiple processes and policies advocated by ISA, including instructions to DHS, Commerce and Treasury to develop a set of incentives for voluntary adoption of pro-security behavior, a requirement that any “actions” taken by regulatory agencies follow ISA endorsed tests of cost-effectiveness, and preference for incentives over traditional regulation (see separate attachment for details of ISA policies in Presidential Executive Order).
  • ISA endorses reintroduction of Rogers-Ruppersberger “CISPA” legislation, which includes liability incentives for information sharing.
  • ISA invited to briefings on Executive Order with White House “Cyber Czar” Michael Daniel, Gen. Keith Alexander, NIST Director Dr. Patrick Gallagher, DHS Dep. Sec. Jane Lute, DHS Dep. Sec. Mark Weatherford and others.
  • ISA circulates to the Board of Directors a 10-point plan for member company activity in connection with the implementation of the Executive Order.
  • ISA featured on CNBC “Power Lunch” to discuss impact of the Executive Order on the private sector.
  • C-SPAN devotes 45 minutes to ISA to discuss the Presidential Executive Order and its interface with potential Congressional legislation.
  • ISA President Larry Clinton is lead speaker for Brookings Institution conference on Supply Chain management.
  • ISA President Clinton is featured speaker at joint DHS – DOD Software Assurance Forum.
  • ISA, in cooperation with the Financial Services ISAC, hosts the final of 3 workshops on management of cyber risk. The first two, in DC and Silicon Valley, covered the DIB and IT sectors.
  • ISA President Larry Clinton officiates, as Chairman, at annual meeting of the IT Sector Coordinating Council (IT SCC) including briefings by NAS, DHS, Commerce, Treasury as well as House and Senate staff.
  • ISA President Clinton is re-elected Chairman of IT SCC.