Since our founding in 2001 by Carnegie Mellon University and others, ISA has stayed at the forefront of thought leadership, creating and operating programs designed to enhance our nation’s cybersecurity. How do we do it? We have the best people as our members. ISA members represent the wisdom and the experience of the best cybersecurity professionals. Together, we have written the books and the papers and initiated the programs that form the groundbreaking edge of cybersecurity.
The Internet Security Alliance, or ISA, is a diverse trade association with a focus on thought leadership, policy advocacy, and developing cybersecurity practices. By combining technology, public policy, and economics, ISA has worked for over 20 years to create a sustainable system of cybersecurity. Founded in 2001, ISA has worked to build a collaborative public/private partnership with some of the world’s largest companies as well as small businesses.
ISA has three primary goals: “To demonstrate thought leadership in advancing the development of a sustainable system of cyber security, to advocate for public policy that will advance the interest of cyber security; and to create increased awareness and programs that will result in more rapid adoption of cybersecurity standards, practices, and technologies.” Like the internet itself, however, the tactics ISA used to pursue these goals evolved swiftly in order to sustain its fight for cybersecurity.
In the midst of the 2000 election, Republicans in Congress initiated the K Street Project to remove Democrats from their positions on K Street, in an attempt to prevent them from funding Democratic candidates through political action committees. Dave McCurdy, a high-profile former Democratic congressman and then head of the Electronic Industries Alliance (EIA), was also targeted by the K Street Project; however, he was able to keep his position. While president of EIA, McCurdy was appointed to the Board of Directors of Carnegie Mellon. This is where he would find his inspiration for creating the ISA. At a meeting at Carnegie Mellon, he saw a presentation whose central theme was the insecurity of the internet. At the time, this was groundbreaking news for most people; the general consensus was that the internet was generally secure, much like traditional telephones.
Originally designed for national defense, the internet was created to withstand a nuclear attack, not to assure and maintain the online safety of its users. Given the limited scope of what the internet was then expected to be, one primary use was transferring massive amounts of research data between labs; however, little thought was given to the security of the information being transferred. The man giving this presentation, Rich Pethia, would go on to hold a position in the ISA, but his impact on McCurdy at that moment was the true birth of the ISA.
McCurdy and Pethia, who was the Director of the Computer Emergency Response Team (CERT/CC) at CMU, negotiated an exclusive contract to provide threat, vulnerability, and mitigation information, previously available only to the Department of Defense, to member companies of the ISA. In return, CERT at Carnegie Mellon would receive the vast majority of the membership dues revenue ISA generated. This was the primary business model for the newborn ISA.
ISA operated as a trade association, with member companies receiving information from CERT at CMU through the ISA. Essentially, ISA functioned as a middleman, but its goals were similar to what they are in 2022. As the internet became more extensively used by the private sector, McCurdy and the ISA attempted to get the message out to the business community that the internet was not as secure as initially thought.
Based largely on McCurdy’s marketing ability and the power of the information available through CERT, EIA achieved success at an initial meeting in April 2001; McCurdy reported that ISA had 30 members and that prospects for expansion were good.
Through his connections with the EIA, McCurdy convinced the EIA board to float a loan of several hundred thousand dollars to ISA in order to begin operations. Shortly thereafter, however, ISA discovered that its spending exceeded its funding, primarily due to the large royalty payments to CERT. These economic troubles were layered with interpersonal conflict among multiple ISA staff members. Members did not pay their dues or began dropping out. EIA believed it had made a bad investment and threatened to call the ISA loan. Internal political pressure was also being placed on McCurdy, making it difficult to run both EIA and ISA (where he was officially the Executive Director).
McCurdy had hired two people, Kaitlyn Derkavichk and Don Skillman, to run ISA. These new ISA employees were disorganized and argumentative, leading to interpersonal conflict within ISA. By spring of 2002 the company hired Larry Clinton, as a consultant, to bring order to the ISA as Chief Operating Officer (COO). As an example of the 2001 ISA’s disorganization, when Clinton asked for a list of ISA board members, Skillman and Dorevitch realized they had no written list of board members and their contact information. When Skillman provided the list of paying sponsors to Clinton in July 2001, there were only 20, not 30, members, and the numbers were dropping quickly. By the end of the year there were 14 supposed sponsors, and by the time Clinton presented a revised business plan to the ISA board in winter 2003, only 8 member companies were left. Clinton reorganized the staff, renegotiated the agreement with CERT and worked out a payment plan, with tight requirements, with EIA. Clinton and McCurdy convinced a few ISA member companies to stay on and pay their dues early in the year to overcome a massive cash problem. ISA had about one month’s operating budget in January 2003 when Clinton became ISA’s full-time Operations Officer. Clinton also recruited a new sponsor and secured a contract with Microsoft to run a series of conferences, with the funds coming to ISA. ISA survived.
In the original business structure of the ISA there were three levels of membership: Sponsor companies, Member companies, and Associate Member companies. However, ISA was basically still a middleman. Most of the profits from memberships went to Carnegie Mellon and, now, to multiple salaries for ISA employees.
Simultaneously with the growing pressure to begin a payment plan to repay the debt to EIA, a group of tech companies arranged a meeting at the White House to discuss the possibility of disbanding the ISA. Included in this meeting was Karl Rove, President Bush’s Chief of Staff. Companies like Microsoft urged the government to shut down the ISA because it was publicizing national security risks in their products. Fortunately, Carnegie Mellon was also present at the meeting and successfully fought to keep the ISA alive by arguing that the attackers and criminals already knew about the internet’s vulnerabilities; it was only the private companies who were in the dark and who needed ISA’s information to better protect themselves.
In the aftermath of 9/11, security became a major issue for the government, which responded by creating the Department of Homeland Security (DHS). Although not a major concern at the time, cybersecurity was broadly part of DHS’s responsibility, and DHS shortly pressured CERT to abandon its arrangement with ISA, replacing ISA with US-CERT, which provided a limited amount of the material CERT had previously been providing to ISA.
This was a mixed blessing for ISA: it no longer had an obligation to pay a portion of its dues to CMU, but it also no longer had its most powerful service to market, and it still had to repay the debt to EIA. Recruitment was also hampered by the fact that the “Tech Bubble” of the 1990s had now burst and less money was being spent on IT in general. The Y2K non-event of 2000 further undermined the argument that there was a major security issue with the internet.
Inside the ISA, Larry Clinton moved from a consultant position to full time in January 2003 to be the successor to McCurdy. At this time, McCurdy was facing enormous political pressure, pressure from the EIA, and the fact that ISA no longer had any information from CERT at CMU to pass on to its members. He told Clinton he expected the ISA would close down within the next six months due to the decrease in members. In response, Clinton took on his full-time work for the company while continuing to consult for clients. At this time, ISA went from the original xxx members down to xxxx member companies. His first objective was to press existing members to pay their dues. Clinton obtained Verizon as a member company and settled a deal with Microsoft. In the end, ISA had $30,000 in the bank and a payment plan with the EIA. Finances were so tight that Clinton had to write down every transaction to see whether ISA could make it through the month.
In addition to Clinton, another big player in the recovery of the Alliance was Bill Hancock, then Chairman and future CSO on the ISAlliance Board of Directors. Hancock, simply put, had an enormous presence and commanded great respect. Hancock appointed a new Membership Development Committee and created the Hancock Challenge: a challenge for each board member to obtain five new member companies by the end of the year.
After treading water for the better part of two years, Clinton was the first to finally institute a business plan in the wake of losing the information from CMU. The first business plan, in 2003, included quarterly meetings, specific objectives for the company, and a mandatory revamp every three years, all of which are still present in the business plans of the modern-day ISA. McCurdy and Clinton, with their experience in government, started going to Capitol Hill. For ISA, this was revolutionary; previously no members of Congress or government officials had been in contact with the ISA, and the ISA had no congressional outreach operation. In addition, ISA also began production of “Common Sense Guides” to be released over the next few years. These guides were titled “Common Sense Guide for Senior Managers” (2002), “Common Sense Guide to Cyber Security for Small Business” (2004), and “Contracting for Information Security in Commercial Transactions: An Introductory Guide” (2005). Producing these Common Sense Guides, especially the first guide for senior executives, was a new idea. The general consensus was that the “IT guys” had sole responsibility for protecting the entire company from security breaches and other cybersecurity attacks. ISA preached that, rather than starting from the bottom level of a company’s management and working up, the staff at the top, the senior executives, must be knowledgeable about cyber threats and carry that knowledge down the company hierarchy. This concept would be present in multiple future ISA projects.
Right at what seemed to be ISA’s eventual recovery, another crisis reared its head: the Tech Bubble Burst. Multiple massive companies such as Enron and WorldCom went bankrupt. This caused the public to pull out of tech company investments, forcing tech companies to lay off workers. Unsurprisingly, the first staff to go were the tech security teams. These tech branches were then run by the CIOs, whose job was to figure out how technology could improve their respective businesses. The CISOs, who had the task of checking the CIOs and assuring that their decisions were safe, were the first to be fired. For the Alliance, this proved to be a big issue, as a company’s board member at the ISA would tend to be that company’s CISO. This caused ISA to lose many board members.
Just as the Alliance was surviving the Tech Bubble Burst, Dave McCurdy left EIA and took a job leading a different trade association. ISA’s future was again uncertain, as it had now lost both of its major attractions: the exclusive CERT contract and former Intelligence Committee Chairman McCurdy. In response, ISA finalized its first business plan, featuring four quarterly meetings (two by conference call and two in person), the three-year plan, wherein the board would meet to discuss a new business plan every three years, and Clinton’s recurring board member outreach.
Now appointed President and CEO of ISA, Clinton immediately instituted a crucial part of what made ISA a success: the Board Review. Clinton believed that the board members had the most valuable opinions when it came to what the ISA should be; he therefore set up a five-point scale for the board to rate the ISA in multiple categories and opened a candid line of communication between the member companies and ISA’s CEO. From this point on, ISA was no longer run like a regular trade association (members pay dues, staff run the company). ISA involved the board directly, working together to develop plans. Clinton attributes the success of this system to the board, since it is their ideas that are on the front lines of cyber battles; he states that the “power of the ISA is not Larry Clinton, the power of the ISA is the Board of Directors”. In addition to this heavy involvement between board and company, ISA also created a strict “No Marketing” rule, which gave the board space and time to discuss the important issues at hand. This structure is why multiple members chose to stay, which allowed ISA to survive its two greatest losses: McCurdy and CMU. To commemorate this recovery, Clinton bought a box of pens with ISA money, celebrating that ISA could finally afford it. This was the beginning of the success ISA would have in the future.
While the company itself was as stable as it had ever been, the loss of McCurdy rang farther than just the ISA office. McCurdy’s presence provided political value to the company. While he was not a primary lobbyist for the ISA, McCurdy’s name attached to the company provided a stronger platform for ISA in the political world. EIA’s future was also uncertain. Prior to leaving, McCurdy had engaged in acquisition discussions with another major tech association, which would have made EIA a much larger and more powerful organization. These talks now stopped while EIA decided on its future. Eventually EIA, which was a consortium of several different tech-related associations, decided to disband and sell its major asset, the EIA building. Proceeds of the sale, estimated at between 30 and 60 million, would be divided among the EIA trade associations; notably, ISA was excluded from that list.
As EIA prepared to sell the building and divide the proceeds, it allowed ISA to sign a new lease to remain in the building even under new owners; however, EIA was adamant that ISA would get no revenue from the sale of the building.
The ISA board decided this was unjust and suggested it would sue EIA for a rightful share of the proceeds. EIA, which by now had sold the building and was flush with cash, counter-sued ISA. EIA also refused to recognize the contract that McCurdy, as head of EIA, had signed with Clinton. Clinton and EIA sued and counter-sued. Eventually a three-week jury trial was held in the Arlington Courthouse. In the end it was a split decision: EIA failed on all its claims against ISA and Clinton, but was required to pay ISA only court costs, and Clinton got the equivalent of one year’s full salary. ISA remained in the building, the EIA tenants left, and ISA hired Clinton as its President and CEO.
While managing the organizational issues with EIA, ISA began to formulate its own unique approach to cybersecurity.
The social contract is a marker of important critical infrastructure growth in the history of democracies. The most modern example of this in the last century is widespread access to telephones and electricity. In 1900 there were around 600,000 phones, but that number quickly rose to 2.2 million by 1905 and 5.8 million by 1910. Eventually, AT&T had a near monopoly on phone and telegraph service, but the company was split up soon thereafter. AT&T grew quickly due to government partnership with the private sector. The government gives incentives, usually in the form of a guaranteed rate of return on bonds, in exchange for widespread coverage of basic infrastructure, especially in non-profitable regions like rural America. Clinton first heard about the public policy interpretation of the social contract when he was working on Capitol Hill for Rick Boucher of the US Telephone Association. A major piece of legislation at the time was to free the telephone companies to allow them to provide cable service. AT&T was huge, a natural monopoly, and it was regulated by the first social contract: it expanded the area in which it provided service in exchange for a guaranteed return on its bonds, making everyone happy. This was huge for the United States, part of the era of good feeling, and it jump-started the US into a first-world, superpower-level country.
As the 2008 Presidential Election approached, ISA decided for the first time to publish a coherent set of recommendations for the incoming administration specifically on cybersecurity. Building on a series of earlier publications such as “50 Questions Every CFO Should Ask About Cybersecurity” and “The Financial Management of Cyber Risk”, in early fall of 2008 ISA published the first edition of the Cybersecurity Social Contract, which integrated two of ISA’s principal cybersecurity insights: that cybersecurity is not simply an IT issue but an enterprise-wide risk management issue, and that the core of the cybersecurity problem is not the technical vulnerabilities but the economic incentives that drive attacks. It is ISA’s view that the same theory that applied to telephones in the early 1900s can be applied to cybersecurity. As in the telephone industry, there are obvious blind spots in cybersecurity coverage. Cybersecurity coverage has concentrated in companies that realize the importance of maintaining security, such as banks, and has greatly missed the mark for other companies, like small businesses. Because of the interconnection intrinsic to cyber systems, we need an economic deal to make cybersecurity successful and available. Even in the early days, ISA disagreed with the dominant theory of cybersecurity: that the problem lies with the technology, and therefore better systems will solve the cybersecurity problem. This thinking was embodied in Ty Sagalow, a member of ISA staff who joined the team in 2002. He aired these ideas across the country, trying to figure out how the problem could be framed more effectively from a financial perspective. This was not the only cornerstone of the ISA social contract.
Also vital to the social contract was the need for companies to view cybersecurity as a theory: something that not just the IT staff were concerned with, but that the executives of each company were in an active war over. To truly maintain security in the cyber age, companies must work from the top down, not the bottom up.
This model worked, getting modern technology to everyone. The other strand of thinking that combined with this to become what ISA produced was that cyber is not an IT problem; it is a problem like not having electricity. There was a core group of people who had this protection, but the problem was that everybody needed to have it. The core definition of the internet is interconnection, so everything needs to be covered, the same as with electricity. At this point in time, and largely to this day, there is no theory of cybersecurity, no set of principles that guides our way through cybersecurity. Such a theory is what guides and creates coherent policy; it can explain to others why we need to do things a certain way. This is where economics begins, rather than just patching broken IT systems. What we did with the utilities was find a way to make technological expansion more affordable in years when it was not previously possible to provide those utilities. We had the same problem with cybersecurity, but we could not use the same terms as with utilities. We had to find a way to provide economic incentives for enhanced cybersecurity.
Translating these ideas is more difficult than with previous social contracts because we are dealing with multiple industries. It is important to determine what the need is per industry and find a financial incentive to fill that need. For example, we do not have enough workers in cybersecurity. This is an economic problem. We inject a new incentive: free tuition for students studying fields related to cybersecurity, providing an economic incentive to produce workers. Because all the economics are different, the incentives are different. The result is an affordable menu of incentives the government could provide to get companies to invest in cybersecurity.
A majority of the early work was to identify incentives on an industry-by-industry basis. In defense, it is a procurement incentive: you get a leg up if you have better security. In utilities, it might be a permitting incentive, a fast track to streamline permitting in return for better cybersecurity. ISA looked for models where the government had previously provided creative incentives to the private sector. An example of this is air pollution. It used to be a big problem for industry, where excess fumes resulted in acid rain. The government had to get the utilities to install better technology to burn their coal and then clean the exhaust before emitting it into the atmosphere. Some bigger companies could do it, but smaller companies really couldn’t afford it; the scrubbers used to clean the air were too expensive in upfront cost for the smaller companies. Cap and trade came up with a solution: big utilities lowered their emissions as low as possible and could sell the excess air cleaning to the smaller companies. This provided both companies with profit and everyone with cleaner air.
Another example is the pharmaceutical industry. The FDA must approve drugs as safe, but approval is a notoriously lengthy process. To discourage companies from inundating the FDA with drugs that may or may not be totally safe, the FDA provides an economic incentive in the form of priority for companies that routinely submit safe drugs.
When President Obama was elected he charged his top cybersecurity aide, Melissa Hathaway (who had held the same position in the Bush White House), with doing a 60-day review of the nation’s cybersecurity policy. In spring of 2009 the White House held a major televised event releasing the report, the Cyberspace Policy Review. The ISA’s Social Contract publication is the first and most often quoted source in President Obama’s Cyberspace Policy Review. Subsequently ISA led a collection of DC trade associations in a series of meetings with the new White House Cyber Czar, Howard Schmidt. Following these meetings the 6 trade associations collaborated on the Pan-Industry White Paper on Cybersecurity, which embraced much of ISA’s thinking. When the GOP took over the House of Representatives after the 2010 midterm elections, the Speaker created the GOP Cybersecurity Task Force (the Thornberry Commission); ISA was the first witness called to testify before the Commission, which adopted ISA’s major policy proposals as its number one priority recommendation.
ISA’s social contract echoes the ideas of The Wealth of Nations, written by Adam Smith in 1776: modern economies involve the government, and the government should work to create modern incentives. Now, in the digital age, ISA’s Social Contract works to make cybersecurity a more economic and universal theory in the minds of company executives and other higher-ups.
As concerns over cybersecurity grew, there were regular calls to get corporate boards of directors more involved in the issue. By 2012 there were various publications ostensibly targeting boards of directors to educate them on the subject, but the response from the director community was lackluster. The major thrust of these publications was to teach the directors about “IT”, which left most of the directors cold and also concerned some cyber practitioners, who were afraid directors would dabble in areas they knew little about and make things worse.
AIG, which was a long-time ISA sponsor and a long-time supporter of the National Association of Corporate Directors, brought ISA and NACD together. The ISA approach was starkly different. Instead of trying to get the directors to learn the IT language, ISA decided it would be best to use the directors’ areas of comfort and embed cybersecurity issues into the things directors care about: innovation, mergers and acquisitions, strategic partnerships, etc. In 2014 ISA and NACD published the first of the Cyber Risk Oversight handbooks. The handbooks quickly became a favorite among the director community, becoming NACD’s most popular publication.
ISA then broadened the project and produced adapted versions for Germany, Europe in general, Latin America, Japan, and Southeast Asia. ISA now has a dozen adapted versions of the handbooks in publication on 4 continents and in 5 different languages.
Beginning in the 2010-13 era, cybersecurity became more widely understood as an actual issue. Attacks on large companies like Target and Sony had been well covered. The government and the public began to take cybersecurity seriously, which led them to ISA, which had not just been fighting for cybersecurity but defining what needed to be done to fix the problem. This led to ISA being called upon in the most important and significant deal ISA has ever been a part of, the Lieberman-Collins cybersecurity bill. President Obama approved of this bill as the first big technology-aware president. He went on TV after the Sony attack and talked about cybersecurity, which had never been done before. This was the 2009 era, with Democrats in full control of the government. During Obama’s presidency the North Korean government had broken into highly sensitive government documents because the leader of the North Korean government was portrayed mockingly in a movie. The government had become highly aware of the danger coming from a lack of a secure internet. ISA argued back that this was not an issue to be solved with SOX, the Sarbanes-Oxley model. SOX is the primary financial regulatory legislation that came into being around 1998-2000. The government had to protect the consumer; companies were being attacked, and the public was still blaming the companies. The data was being lost because the companies were being attacked, not because they were blowing themselves up like WorldCom or Enron. ISA had to persuade President Obama that Lieberman-Collins was bad policy because it would greatly increase government spending on cybersecurity while putting those resources into inefficient places. Many ISA member companies would have profited greatly from it, yet they did not support the bill. Due to the backlash, the bill never got to the floor for a vote.
Larry Clinton, CEO of ISA, was on TV a lot during that era and became the spokesperson advocating for greater government involvement in cybersecurity as a matter of national defense. Andy Ozment reached out, and Larry took early copies of the social contract to the White House Situation Room to help create executive order 16136 with ISA verbiage.
ISA preached that what we really need is a joint process where industry and government get together, define a series of standards that would be good for cybersecurity but voluntarily adopted, and then show that they are cost effective. If there were things that were effective but not cost effective, then the government could step in (this is the ideal, but the government was under no pressure to step in at all). NIST, the National Institute of Standards and Technology, would run a year-long process of national events to develop the NIST framework called for in the executive order. The order also called for the framework to be turned over to the private sector and supported with incentives. This never happened; the NIST framework was never evaluated for its cost effectiveness. What it did do was fundamentally change the government’s orientation toward cybersecurity. The executive order called for the development of a framework, and NIST developed it. It is a voluntary framework, not mandatory regulation, available to the private sector to use as it sees fit. There is no organization by industry. There has been no new cybersecurity legislation passed since Lieberman-Collins.
Around this time, new and more advanced cyber threats were being developed, such as APTs (advanced persistent threats). Unlike viruses, they stay hidden on your computer until they have collected data or figured out what anti-malware you have. There were multiple attacks believed to originate from China around this time. The attacks targeted the Office of Personnel Management and stole all the personal information of the entire federal government’s employees.
Gaining government cooperation on something as new and different as cybersecurity is an ongoing battle to this day. ISA has been lobbying Congress for decades with no financial incentives on offer. To the government, cybersecurity is an issue to which it can apply SOX: just as companies that blew up, like WorldCom, did not take care of financial data, these companies are not taking proper precautions for security. This was the first time companies besides ISA really thought about cybersecurity on the big stage as a board issue. As a result, many different groups were willing to accept the ideas brought forth by the first ISA social contract. Around 2011, Lieberman-Collins died; however, the Framework came out in 2012, taking ideas from the social contract. As this was happening, there was pressure on corporate boards because CEOs were still not taking cybersecurity seriously enough as an issue. That’s where ISA entered again.
ISA got involved through a close relationship with AIG. Ty Sagalow, a chairman of ISA, was VP for innovation at AIG. AIG has been interested in ISA from the very beginning. AIG is a company that has been selling cyber insurance since 2001; it is a risk management operation. It is AIG’s thinking that influenced much of ISA’s thinking, such as the notion that cybersecurity is an enterprise-wide risk management issue and that economics is a huge part of that concept. The mainstream tendency of thought in this era, and even still, is that this is a technology issue. Sagalow, however, was very involved in many of the early ISA publications.
This is a different side of the same ISA coin. One side is the White House, the public, and government; this side is the private side, about companies and industry. AIG is also a major player in the National Association of Corporate Directors. NACD is at the top of the food chain. AIG connected ISA and NACD, and NACD was thrilled with ISA’s perspective. NACD had been getting major material from consulting firms, but those booklets were all about the technology side, which is far too narrow a view for boards, and so they were poorly received.
ISA had a solution for the poor communication between these companies and NACD. The companies were trying to teach the NACD about technology, which was difficult to understand and practically ineffective. Instead of insisting that they learn our language, we would learn their language. ISA would then create materials that talk about what boards are interested in, filling the gaps in communication for NACD and furthering ISA’s mission to integrate economics with business.
The way people were doing cyber assessments was to go to a framework, like NIST, and go through its checklist of items, which at this point showed no sign of any thought about the economics of individual industries. Many questions were left unanswered: Which controls are the most cost effective? What do they cost? How many do you have to check off to be secure? There is an inherent tension with digital transformation. All sorts of things can be digitized, which changes the business model for an organization. Most technological advancements actually undermine security in order to streamline production and increase profits; security was low on the priority list. An example of this is the move from standard copper wiring to VoIP, or Voice over IP.
As time has gone on, many of ISA’s novel ideas have increasingly become mainstream. Among these is the conception that cybersecurity needs to be addressed as more than an IT issue and from an enterprise-wide perspective. Similarly, there is the idea, first championed by the Board Handbooks, that boards need to treat cyber issues in a strategic, not simply operational, context, and that economics, not just technical vulnerabilities, shape cyber events. As calls for dramatic regulatory systems ebbed in the light of the NIST voluntary framework, the notion of defining a cyber social contract began to become more commonplace. In 2016 the Republican National Committee brought ISA to its National Convention to brief the delegates on the third edition of the ISA Social Contract. In 2019 the House Armed Services Committee convened the Cybersecurity Solarium Commission, which also called for the development of a cybersecurity social contract. In 2022 the first ever White House Cybersecurity Director published an article in Foreign Affairs magazine also calling for a cybersecurity social contract.
When ISA talks about ideas going mainstream, we mean that they are captured and adopted; this is not an overnight process. These ideas began with some of the early ISA articles. In the early days of cybersecurity, when the focus was on technical elements, ISA was promoting things like the acute cyber problem and not the chronic cyber problem. The general public fixates on specific incidents, such as the Sony hack, asking what Sony did wrong individually and seeing if that area of vulnerability can be improved. With that sentiment, in 2003 Bush came out with a national strategy to secure cyberspace. There was misplaced trust in the notion that cybersecurity would take care of itself because the market would naturally evolve to the point where business reasons would cause businesses to enhance their security as a natural force of economics. This is a popular idea with the private sector, as it is non-regulatory. ISA’s revolutionary ideas from 2002-03, such as that cybersecurity isn’t an IT issue but a company-wide problem, along with other ideas from its publications and solutions, started to be adopted. The social contract era of 2012 caused people to start accepting these ideas, but the regulatory conversation opened again. This led to the first Cyberspace Policy Review: Obama’s chief cybersecurity counsel Melissa Hathaway heavily referenced the ISA social contract, the most cited source in the document, soon to be followed by a House Republican task force. This operationalized ISA’s mission. ISA published the Social Contract in 2008, and there was a positive response. ISA put together a pan-industry white paper that included many non-ISA players, and Howard Schmidt, who took over from Hathaway, encouraged a second social contract. The Chairman of the House put together a cybersecurity task force in 2010 and took the ISA pan-industry white paper as a baseline.
The #1 recommendation coming out of that was the need for a menu of market incentives to address cybersecurity. Because people were realizing the serious danger caused by the lack of attention to cybersecurity, they started promoting regulatory bills like Lieberman-Collins, but the thinking behind them was wrong, because the traditional regulatory model does not fit the digital age. The bill essentially adapted the Sarbanes-Oxley model, in which a group of policymakers establishes broad policy and turns over implementation of that policy to their expert agency. That model is based on the notion that the technologies have deficits. That is not the problem with cybersecurity; sure, they have deficits, but the fundamental problem is that the technology is under attack. It is a really different problem: the technology is under attack because the economic incentives favor the attackers. The attacks change too quickly, and the technology is too vulnerable, for SOX to help. The death of the regulatory model of cybersecurity was at our hands. This is when Executive Order 16136 took the language from the ISA social contract. The conclusion was that we need to be promoting this on a voluntary basis supported by cost-benefit analysis. NIST held a series of nationwide workshops, and the NIST framework came out as public policy in 2013, but it did not provide the data companies need to use the framework efficiently, such as a cost-benefit analysis. This is an example of one of our ideas that did not become mainstream.
One question left to be answered is: how do we do industry-specific incentives? In 2015/2016 a bill got through Congress which established incentive relief to encourage information sharing. It was very difficult to get passed because of a lot of opposition from the privacy committee. The government was scared of giving corporations encouragement to share any information. Eventually the bill was signed by Obama and became the last major cybersecurity bill passed by Congress, but to get passed it lost much of its real regulation. The key element for ISA was to speak to the undersecretary at DHS, who was in charge of writing the plan. We tried to get her to understand that in the digital age the private sector is growing into a traditional government defense responsibility it is unprepared for, because it funds security at a commercial level, not a national level. It is a given that private industry invests in security only until it is not profitable. Nation states are now also attacking private companies, a fight which private companies will always lose. The federal government does not have this luxury. There is a gap between how security is traditionally viewed by business (risk-tolerant) and how the government wants security to be (risk-avoidant). It is unsustainable for a private company to close that gap without government intervention.
Arguably late to social media platforms, ISA was forced to use them when its publisher, Georgetown University Press, twice delayed publication of ISA’s policy recommendations for the incoming Biden Administration (this would have been the fourth Social Contract book; Georgetown forced ISA to change the name to Fixing American Cybersecurity). Completed in August of 2020 with an expected publication date of spring 2021, as the new Administration was coming in, the book was delayed to February 2023. With timely material ISA wanted to get into policy makers’ hands, ISA hired a social media company to partner with on a program called Re-Thinking Cybersecurity. ISA turned its book into a series of hundreds of blogs and tweets. The impact was greater than expected. Policy makers, including the chairs of the House and Senate Homeland Security Committees, started using the slogan “rethink cyber”, as did the chairs of the cyber subcommittees, the head of CISA, and many others in the press and community. The ISA social media campaign won three “Reed” Awards for campaign of the year.
ISA, unlike most trade associations, wrote and published many of its ideas. From the beginning, with publications ranging from the Common Sense Guides to each of the social contracts, ISA believed writing down its ideas was valuable due to the lack of concrete theory around cybersecurity, especially early in its life. However, that was not the only reason ISA published. It was important to us to have text to reference for incoming presidents, and we have taken on the responsibility of publishing new documentation in the interim between elections. Some examples are the 2007 social contract book, a second similar contract book requested by Howard Schmidt, the social contract book in 2016, and Fixing American Cybersecurity, which we intended to publish in 2020. That publication was unfortunately delayed and will be published in 2023. In its place ISA went digital with content from the book, moving some of that content into several hundred blog posts made frequently on ISA’s website. In modern times, cyber attacks have only gotten more clever and devastating. This is the era of SolarWinds, a new genre of cybersecurity incident: attackers attacked the Orion software created by SolarWinds (the company), but Orion was used by thousands of companies, and also by DHS. This is a systemic attack. We have not thought through the economics of things like the smart grid, which is all digital technology spread out all over the place, increasing the surface for cyber attacks. This information is included in Fixing American Cybersecurity. ISA’s online venture turned out to be very successful. We got plenty of cybersecurity elements into the covid relief bill, culminating in winning three awards. In the world of political campaigns there are the veir cybersecurity awards, of which we won three.
Although ISA has a long history of self-publishing, in 2022 and 2023 ISA will be producing its first two independently published books: Cybersecurity For Business: Ensuring Cyber Risk Is Not Just an IT Issue (Kogan Page, 2022) and Fixing American Cybersecurity: Creating a Strategic Public Private Partnership (Georgetown University Press, 2023). Cybersecurity for Business was Amazon’s Number 1 Hot New Release for 8 consecutive weeks.
An important part of being published is that it gives a lot of heft and permanence to the ideas ISA preaches. We weren’t just lobbying and meeting with Congress; the ideas were shared with the community. This constitutes outreach to the cybersecurity community. It includes all the articles and early publications as well as the full public policy books: Fixing American Cybersecurity, the Social Contract, the coalition white paper, the House task force report, 50 Questions Everyone Should Be Asking, the financial risk publication, the initial NACD handbook, and on to the World Economic Forum work.
In 2008, ISA’s influence on policy was notably recognized in President Obama’s “Cyberspace Policy Review” following the publication of the “Cyber Security Social Contract.” This document advocated for a market-driven partnership approach to cybersecurity, marking ISA as a key thought leader in the field.
Larry Clinton, President and CEO of the ISA, emphasizes the importance of bridging the gap between industry and government to enhance cybersecurity. Clinton highlights the strategic and economic dimensions of cybersecurity, noting that addressing these issues requires an enterprise-wide risk management approach. He expresses concern that despite understanding how to secure digital systems, there is a lack of coordinated action against cyber threats.
ISA’s influence extends beyond these foundational activities, as it has engaged in significant advocacy and publication efforts to guide the industry and policymakers alike. For example, ISA’s response to the National Institute of Standards and Technology’s Request for Information in 2013 exemplifies its active participation in shaping cybersecurity frameworks and standards.
Recognizing the growing need for skilled cybersecurity professionals, ISA supported the creation of the National Cyber Services Academy. This initiative proposed to combine economic incentives like free tuition with advanced educational technologies to prepare individuals for the evolving demands of the cybersecurity sector. The model was inspired by the rigorous training and development seen in military and merchant marine academies.
In addition to regulatory reform, the ISA has launched a national dialogue to encourage a re-examination of cybersecurity challenges. This initiative seeks to engage the broader cybersecurity community in discussions about the evolving cyber landscape and the need for comprehensive strategies to address these issues. The dialogue underscores the importance of broad community engagement to effectively tackle the persistent challenges in cyberspace that threaten the U.S.’s leading economic, technological, and military position.
Furthermore, the ISA supports the creation of a National Cyber Services Academy to address the growing cybersecurity workforce gap. This initiative proposes integrating economic incentives, such as free tuition, with modern educational technology to prepare the future workforce to meet the sector’s demands. The academy is envisioned to follow the model of military and merchant marine academies, focusing on developing the necessary skills and knowledge for cybersecurity professionals.
In partnership with the National Association of Corporate Directors (NACD), ISA released the 2023 edition of the Cyber-Risk Oversight Handbook. This publication has become a seminal resource for directors across public, private, and nonprofit sectors, navigating the complexities of cyber-risk oversight. The handbook emphasizes the need for strong corporate governance and is recognized globally for its comprehensive approach to managing cyber risks.
One key area of focus for ISA has been advocating for a more streamlined approach to federal cybersecurity regulation. The organization argues for a simple requirement from the Office of Management and Budget (OMB) that any agency proposing a cyber rule should ensure it is not duplicative of or contradictory to existing regulations. This proposal aims to halt the proliferation of redundant and conflicting regulations, which can complicate compliance efforts for organizations.