This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.
Sadly, a quarter century after the cybersecurity information sharing model was created, the vast majority of private companies (and government agencies) do not fully engage in any of these programs, and many of those that do find the information shared not to be timely or actionable.
This is not to say that there are no examples where information sharing has worked or provided significant benefit; there are. However, one of the deficiencies in the information sharing model is that it is hidebound to the increasingly outdated sector-specific structure. Traditionally, even if more sophisticated sectors like defense or financial services evolved more effective information sharing programs, less sophisticated sectors like education, retail, and health were left to reinvent their own wheels and flounder along, much to the delight of the attack community.
Fortunately, that decades-long model is beginning to break down. This is an excellent opportunity for government to provide a needed assist by evaluating programs, identifying empirically successful cybersecurity programs (not just information sharing programs), and adapting them to other sectors.
One of the fundamental tenets of ISA’s “Rethinking Cybersecurity” campaign is that empirically successful programs in one critical sector should be systematically assessed, adapted, and expanded to other critical sectors. This process needs to be adopted as formal government cyber policy.
Cybersecurity information sharing, having not lived up to expectations in many incarnations, is a prime example of where we can benefit from the examination of successful programs to overcome barriers and disincentives to success within other similar programs. We outlined many of those barriers and disincentives to information sharing as well as several successful programs in our previous blog.
Here we are going to go a step further and explore innovative information sharing programs in need of systemic assessment. For example, Project Indigo and the subsequent Pathfinder program, both involving the financial services sector, offered a welcome increase in the involvement of traditional military entities in information sharing. These initiatives include participation from DHS, DOD, and even Cyber Command. While these programs are limited in scope, they are encouraging. They would be ideal models to be systematically evaluated so that they can be modified to suit changing environments and expanded systemically to other critical industry sectors.
Project Indigo, an information sharing program between key players in the financial sector and the government launched in 2017, involved direct coordination between eight major banks and U.S. Cyber Command. The program allowed Cyber Command to receive valuable information from private banks, which allowed it to analyze, understand, and work to mitigate the risk of cyberattacks on financial institutions. Project Indigo was not highly publicized or well known, but it did provide the groundwork for the Pathfinder Program in the financial sector.
The Pathfinder Program took Project Indigo to a new level by involving coordination between multiple government agencies (DoD, NSA, and DHS) and large financial services companies. This collaboration allowed the government agencies to work hand in hand with the private sector to address the growing cybersecurity challenges facing some of the largest financial institutions in the world.
The success of the Pathfinder program in the financial sector led to the same program being rolled out for the energy sector in early 2020. The energy sector program brought together the DoD, DHS, NSA, and the Department of Energy with private sector players to advance information sharing based on systemic evaluation. Cyber Command will also be involved with the energy sector’s Pathfinder program by sharing threat and risk information.
The Pathfinder program is a step in the right direction because it facilitates not only collaboration between key government agencies, but also partnership with industry. The Cyberspace Solarium Commission referred to the Pathfinder initiative(s) as “a key proof of concept of collaboration between the private sector and critical infrastructure in support of the U.S. cyber defense and security mission,” in their March 2020 report. In that same report, the Solarium Commission identified rich participation by the DoD in these collaborative programs as a key to success.
Utilities in particular can benefit from the resources and expertise that the DoD and other agencies bring to the table. Conversely, government agencies can benefit greatly from the private sector sharing information about security needs and strategies to address key vulnerabilities. Further, integrating agency personnel with private sector partners will build a longer-term foundation for these collaborative efforts.
ISA recommends that collaborative cybersecurity information sharing programs, such as the Pathfinder Initiative, be prioritized in the energy sector (as well as being analyzed and potentially adapted for other sectors). Assessments of existing collaborative programs should determine how they can be strengthened and what needs to be done to ensure long-term participation by both government agencies and the private sector. These assessments fit squarely under the responsibilities of the National Cyber Director (NCD) office in the White House established by the 2021 National Defense Authorization Act. The NCD should conduct these assessments and provide recommendations to the President and Congress on successful information sharing programs. These recommendations cannot come soon enough as Congress and the Administration consider expanding cybersecurity information sharing in the wake of the SolarWinds attack and Microsoft Exchange compromise.