Collective Security Mission
“Combining technology, public policy, and economics to create a sustainable system of security” – ISA Mission
“the mission of this paper is to combine advanced technology with business economics and public policy to create a shared and sustainable cyber ecosystem that shifts the advantage to cyber defenders.”
| ISA Policy on Risk Management | Collective Security on Risk Management |
| --- | --- |
| “Neither companies nor government operating on their own can adequately secure themselves. A new system needs to be developed. That new system needs not just standards and practices but also economic support for their universal application and continued rapid innovation and adjustment in the face of the ever-evolving cyber threat.” – ISA Social Contract (p. 16) | “This paper argues that the private sector should, and generally does, make investments to meet commercial security needs, consistent with their legal obligations to their shareholders, while it is the government’s responsibility, under the Constitution, supported by taxes, to ‘provide for the common defense.’” |
| ISA Policy on Incentives | Collective Security on Incentives |
| --- | --- |
| “Simply altering the assessment and compliance process by moving it away from the ‘pass-fail’ audit model to a more useful maturity model can create incentives without any demonstrable increase in government spending. And if incentives do require increased funds, the government needs to realistically assess whether it is more appropriate to spend taxpayer money to promote the common cyber defense as opposed to hiding and off-loading costs on consumers.<br><br>There is adequate precedent for an incentive approach. We have market incentives deployed in multiple industry sectors—agriculture, aviation, ground transport, environment, and even physical security—to assist the private sector in reaching public-policy goals. We simply need to apply this creativity and will to cybersecurity.<br><br>For the incentives to be of value, they must be targeted to specific goals, as economic models differ substantially from sector to sector. Incentives must also be powerful enough to affect investment decisions. This is another reason why the research advocated above, such as pilot testing the NIST framework to develop metrics and cost-effectiveness data, is so important.<br><br>Although there may be some useful generic incentives (e.g., liability benefits or insurance discounts), a menu of incentives also needs to be developed, as different incentives will be attractive to different industry sectors.” – ISA Social Contract (p. 41) | “While the government believes that the market offers the most effective incentive for the private sector to adopt strong cybersecurity practices, government also recognizes that it must be willing to step in to incentivize best practices when the marketplace alone proves insufficient to achieve national security levels of cybersecurity.”<br><br>“The broader economy and U.S. history have plenty of examples of non-regulatory market incentives, many of which are at a low cost to government and have promoted important outcomes that would have been challenging on a purely commercial basis. Incentive models in varying forms exist in many industries and sectors including: agriculture, aviation, pharmaceuticals, transportation, and even physical security. Industry requests that, together with the help of the Federal Government, other creative, non-regulatory and cost-effective incentive concepts that may help close the gap between commercial and national security be explored.” |
| ISA Policy on Cyber Law Enforcement | Collective Security on Cyber Law Enforcement |
| --- | --- |
| FOCUS MORE ON CYBERSECURITY FROM A LAW ENFORCEMENT PERSPECTIVE<br><br>“The new administration should engage in a multitiered program to bolster cyber law enforcement. More broadly, a review of legacy law-enforcement spending with an eye toward properly resourcing efforts to stop cybercrime is needed.” – ISA Social Contract (p. 29) | “Cybercrime (which research suggests costs up to $1 trillion annually) has a tremendous impact on our shared cybersecurity. While the government’s initial prioritization of national-level attention toward critical infrastructure protection was warranted to address existential risks, a substantially increased focus on other forms of cybercrime should now supplement those efforts.” |
| ISA Policy on Cost-Effectiveness of the NIST Framework | Collective Security on Cost-Effectiveness of the NIST Framework |
| --- | --- |
| “Similarly, research on framework use could be modeled to demonstrate cost effectiveness. Being able to define what elements of the framework are cost effective for defined industry segments would provide a major boost for the voluntary nature of the framework. Companies will naturally deploy cost-effective measures. Being able to demonstrate such is in the public interest.<br><br>Finally, such research could identify framework elements that are effective in enhancing security but are perhaps not cost effective. These too would be valuable data as they would provide the president and Congress with an empirical guide for what needs to be incentivized (as is also called for in Executive Order 13636) and how strong the incentive must be to achieve implementation of proven successful security practice.” – ISA Social Contract (p. 31) | “Small organizations with limited funds and expertise find it difficult to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the Framework), because of its lack of cost effectiveness and prioritization. Fortunately, the market has responded and several competing models have been developed (e.g., FAIR, X-Analytics, and BSI) that assist smaller entities in tailoring use of the Framework to their unique needs. The USG should build on the progress made by developing the Framework in a consensus effort focused on measuring its effectiveness and cost effectiveness.” |
| ISA Policy on Regulatory Streamlining | Collective Security on Regulatory Streamlining |
| --- | --- |
| “The new president ought to develop a cross-government program for streamlining regulations. Congress should aggressively require federal agencies to reduce duplicative regulations and eliminate those that have not been proven to be cost effective as a condition of their annual appropriations… and eliminate regulations that are duplicative or not cost effective.<br><br>Money saved by these reductions can be rechanneled into future cost-benefit analysis of cybersecurity regulations so that funding from the agency perspective will be neutral.” – ISA Social Contract (p. 40) | “Regulatory Streamlining: Research undertaken by the USG found that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risk to critical systems and information. With support of its industry partners, the USG is open to identifying federal regulations that are excessively burdensome, conflicting, or ineffective.”<br><br>“One critical issue industry and government have in common is the scarcity of cybersecurity resources. Especially while facing a vastly expanding threat, it is critical that industry and government use their scarce resources efficiently.” |
| ISA Policy on Educating and Involving Corporate Boards in Cybersecurity | Collective Security on Educating and Involving Corporate Boards in Cybersecurity |
| --- | --- |
| “These competing pressures on corporate staff and business leaders mean that conscientious and comprehensive oversight at the board level is essential. As a result, managing and mitigating the impact of these aspects of cyber risk requires strategic thinking that goes beyond the IT department.” – NACD-ISA Director’s Handbook on Cyber-Risk Oversight (p. 4)<br><br>“Board members can and should play an active role in ensuring that their companies’ cybersecurity processes, policies, and practices stay fit-for-purpose as the nature of the threat continues to evolve. This requires directors to stay informed about cyber risks, integrate cyber issues into a wide range of boardroom discussions, set clear expectations with management, and ask tough questions when necessary. The director community is rising to that challenge.” – ISA Social Contract (p. 186) | “Innovations should expand beyond simply technological developments to include tools for training boards of directors, such as the National Association of Corporate Directors’ Handbook on Cyber-Risk Oversight, an example of a successful partnership between industry and government. Guidance documents can be adapted for training on cybersecurity for government agency leaders and general counsels, among others. A more collaborative partnership on technology development can foster implementation of more reliable tools for cyber defense and attribution.” |
| ISA Policy on Workforce Development | Collective Security on Workforce Development |
| --- | --- |
| “Instead we need an integrated, multifaceted, and targeted program with research-based messaging, just as the private sector would do when marketing any product or service.<br><br>We need to reach kids where they are and integrate cybersecurity into what they want to do, not teach them what they ought to do. One neglected vehicle is the gaming community. Much as the government has reached out to IT companies in Silicon Valley, a similar collaboration should commence with game developers. Cybersecurity principles and techniques could be integrated into an activity young people easily gravitate toward.” – ISA Social Contract (p. 37) | “Further opportunities exist to promote cyber curriculums in environments that incentivize students to pursue and support national interests. We need an integrated, multifaceted and targeted program with research-based messaging to promote joining the cyber workforce. Efforts should be cognizant of the overall perception of the career field and undertake creative approaches to incentivize new members to join the workforce.” |
| ISA Policy on Public-Private Partnerships | Collective Security on Public-Private Partnerships |
| --- | --- |
| “Ideally, partnerships would continue to evolve to share leadership, appreciate differing perspectives, and develop shared goals and priorities. The digital economy increasingly requires this kind of collaborative environment to continue to flourish, encouraged by the meaningful cybersecurity accomplishments of public-private partnerships.” – ISA Social Contract (p. 262) | Fully utilizing these partnerships, but also identifying the gaps in needed collaboration to achieve our goals, will be necessary to protect critical assets and to build creative new ideas. It is also imperative we enhance the existing frameworks and policies government and industry have established, by honing the most effective ways to work in partnership. All partnership entities should also leverage the best practices for public-private partnerships as agreed upon by DHS and the IT SCC, which were endorsed by the Partnership for Critical Infrastructure Security (PCIS). |
| ISA Policy on the Cybersecurity Problem | Collective Security on the Cybersecurity Problem |
| --- | --- |
| “The Internet was designed in the ’70s and ’80s to be an ‘open’ system, not a secure system. The core protocols that the Internet is based on are insecure by design. In addition, new software services and applications tend to be built on these core protocols (virtually no one builds from scratch), and so modern innovative products inherit the original vulnerabilities.” – ISA Social Contract (p. 4) | “The interconnectedness of our society and our reliance on critical infrastructure to maintain our way of life has led to the formation of systemic risks within our country. We must be more aware of single points of failure, concentrated dependencies, and cross-cutting underlying functions.” |