ISA is a cross-sector organization and practices an aggressive and bipartisan public policy. It is the leader in articulating how pro-market policy based on the use of incentives can lead to a more effective and sustainable system of cybersecurity than would a traditional regulatory model.
Cybersecurity Act of 2015
In December 2015, President Obama signed a spending bill containing the Cybersecurity Act of 2015, a very close version of the Cybersecurity Information Sharing Act of 2015, which had passed the Senate a few months earlier. Both proposals contained key ISA policies, including preserving the voluntary nature of information sharing between industry and the government. The final law also created an incentive, liability protection, for the sharing of information among industry, while shielding information shared with the government from use by regulatory enforcement and from disclosure under the Freedom of Information Act.
House Republican Cybersecurity Task Force
In the 112th Congress, a high-level House task force (pdf) endorsed the approach laid out by ISA favoring market-based principles as the pathway toward improved cybersecurity.
When the House Republican Cybersecurity Task Force convened, ISA was the first witness called to provide recommendations. The final report, published in October 2011, mirrored ISA recommendations and lifted language virtually identical to ISA Cybersecurity Social Contract publications.
The very first of the GOP recommendations was for Congress to create a “menu of market incentives tied to the voluntary adoption of cyber security measures,” which is the core ISA policy position and taken verbatim from ISA’s “Social Contract” and “Social Contract 2.0” as well as from ISA congressional testimony.
DHS and DOJ endorse the “Cyber-Risk Oversight Handbook”
Working together, the ISA and the National Association of Corporate Directors have published two editions of the “Cyber-Risk Oversight Handbook,” most recently in 2017.
We launched the latest handbook at a press conference at the National Press Club, where two federal officials lent their support. Endorsement by two federal departments of a cybersecurity document is unprecedented.
“We encourage companies to develop relationships with the FBI, DOJ, DHS, before you need us. I think the handbook makes a compelling case for doing so.”
—Adam Hickey, deputy assistant attorney general for national security.
“The handbook can act as your guide and DHS can also be there to help.”
—Danny Toler, acting Assistant Secretary in the Homeland Security Department’s Office of Cybersecurity and Communications.
The handbook has been a success, with PricewaterhouseCoopers finding in its 2016 Global State of Information Security Survey that the handbook is tied to significant corporate cybersecurity budget increases, better alignment of cybersecurity with overall risk management and business goals, and the fostering of an organizational culture of security.
Executive Order 13800
President Trump’s first executive order on cybersecurity requires federal agency heads to take a risk-based approach to cybersecurity and to adopt an integrated, enterprise-wide management strategy that encompasses functions such as budgeting, acquisition, law, privacy, and human resources.
The ISA has long said that cybersecurity isn’t just a technology problem. In the “Cyber-Risk Handbook,” a guide for corporate directors the ISA prepared for the National Association of Corporate Directors, the first principle of five we outline for greater understanding of strategic cybersecurity risk management is this:
Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
The same is true for senior agency leaders—ISA believes that the elevation of cyber-risk management to agency heads is a major step in the right direction and very consistent with the trend that has taken place over the past several years within leading private sector organizations.
Executive Order 13636
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which formalized the government’s adoption of core ISA policy, including voluntary measures and market incentives. The order cemented a departure from previous attempts to regulate private-sector cybersecurity through the Department of Homeland Security. ISA brought together an industry coalition to argue that regulation was not the answer and pushed for the alternative remedy of private-sector engagement and sectors.
Commission on Enhancing National Cybersecurity
In the final months of his administration, President Obama appointed a handful of high-level technology and cybersecurity executives to develop a national agenda for the next five to 10 years in cybersecurity. All 12 members of the commission received copies of “The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity,” and the ISA delivered multiple comments to the commission.
The resulting report (pdf) adopted all of ISA’s major recommendations from our recent Cybersecurity Social Contract book, as well as scores of specific recommendations made by our board members for their specific industry verticals.
Click here to see how the commission’s report tracks with ISA’s major recommendations, and here for sector-specific analysis.
Cyber Space Policy Review
Released in 2009, the Cyber Space Policy Review was the Obama administration’s assessment of U.S. policies and structure for cybersecurity.
The paper drew heavily on ISA thought leadership, including the Cyber Security Social Contract, white papers, and policy recommendations, on topics ranging from market-based incentives, public/private partnerships, supply chain security, cyber insurance metrics, best practices and methodologies.
The ISA produced the first and last sources cited in the executive summary, and was the organization cited most frequently throughout the document.
National Infrastructure Protection Plan
The Department of Homeland Security’s National Infrastructure Protection Plan reflects ISA values in two ways.
First, there is the content of the plan itself. Both versions of the plan, one written in 2006, the other in 2013, recognize that voluntary partnership between the private and public sectors is the appropriate model to address cybersecurity risk in critical infrastructure. Partnership doesn’t mean consultation or approval of one sector’s work by another, but a truly integrated effort.
The 2013 version also took an important step forward by recognizing that the public and private sectors respond to different economic drivers. Costs drive decisions in both sectors, but the NIPP recognizes that the federal government also considers “many non-economic values,” and, as a result, “government may have a lower tolerance for security risk than a commercial entity.”
This recognition is a core tenet of the ISA philosophy, which seeks to close the structural gap between private- and public-sector risk tolerances through applied incentives. National security and economic security require the higher standard of cybersecurity, and the ISA’s role is to advocate for policies that make it economically sustainable over the long term.
Second, the creation of the NIPP itself, particularly the first version, was the fruit of a successful public-private partnership. DHS judged early in the document’s process that industry involvement would be key. This recognition led to key practices, among them:
- Codrafting: Reflection of private-sector comments in the final language demonstrated that DHS respected and was listening to its partner.
- Personal commitment by DHS: DHS assistant secretary for Infrastructure Protection, Robert Stephan, owned the NIPP 2006 process and was committed to partnership with all the stakeholders, including the critical infrastructures, in drafting it. He frequently showed his engagement and leadership by engaging directly in draft language–related discussions with stakeholder groups in calls or in person.
- Personal commitment by industry: The leaders of industry’s sector coordinating councils and information sharing and analysis centers and other bodies were equally engaged.
Drafting of the NIPP is included as a success story in a study the ISA conducted on public-private partnerships with the support of the Department of Homeland Security and the Information Technology Sector Coordinating Council.
Partnership for Critical Infrastructure Security endorses best practices for managing public-private partnerships
Although the National Infrastructure Protection Plan recognizes partnerships as the best approach to securing critical infrastructure, the ISA and the Information Technology Sector Coordinating Council requested the Department of Homeland Security participate in a study aimed at unearthing best practices for governing those partnerships.
The result was a study, published in the Winter 2015 edition of the Journal of Strategic Security, of six projects evaluated by private-sector executives and government officials for best practices.
The Partnership for Critical Infrastructure Security (PCIS)—the coordinating body for critical industry sectors—endorsed the set of 12 best practices that emerged from the study. The Department of Homeland Security made the best practices part of a Memo of Understanding for operating public-private partnerships under the National Infrastructure Protection Plan.
The 12 best practices are:
- Senior-level commitment to the partnership process communicated to staff and upper echelons.
- Involvement at the priority/goal and objective phases of projects, not just implementation.
- Use of the process identified in the NIPP for involving industry.
- Reaching out to stakeholders early on, ideally at the “blank page” stage.
- Continuous and regular interaction between government and industry stakeholders.
- Providing adequate time for stakeholder review (equivalent to government review).
- Establishing co-leadership of programs.
- Consensus partnership decision making.
- Communicating genuine interest in stakeholder input, e.g. via co-drafting.
- Adequate engagement from federal agencies beyond DHS.
- Government follow-through on partnership-related decisions.
- Adequate and competent support services.