ISACs: Beyond Information Sharing and Analysis
The IT-ISAC recently participated in a panel on Capitol Hill with fellow ISACs through the “ISACs on the Hill” event organized by the National Council of ISACs. This provided the ISAC community an excellent forum to convey how ISACs individually and collectively add value to their members and across the critical infrastructure community. With the first ISAC being established 20 years ago, and the National Council of ISACs facilitating collaboration among ISACs for over 16 years, there have indeed been many operational successes within the ISAC community.
However, preparing for this event allowed me to reflect on how the IT-ISAC has contributed to homeland security, cyber security, and critical infrastructure protection public policy since our founding in 2000. While a core function of the IT-ISAC is to facilitate information sharing, collaboration, and response within and among our members and partners, we also continue to provide thought leadership and subject matter expertise to policymakers. I want to highlight a few areas where the IT-ISAC has meaningfully contributed to public policy.
● Created Roadmap for Developing the NCCIC: Way back in 2006, the IT-ISAC and Communications ISAC industry leadership had a crazy idea. Instead of having one operations center focused on cybersecurity (US CERT) and another focused on communications (NCC Watch), why not combine them into one integrated operations center? So, in 2007, at the request of then-DHS Assistant Secretary Greg Garcia, the IT and Communications ISACs worked with DHS to develop a “Tiger Team” that provided a roadmap on how to create a joint, integrated operations center. The “Tiger Team Report” was used by DHS to establish the National Cybersecurity and Communications Integration Center (NCCIC) in 2009.
● CISCP Program: Integrating the two government operations centers was always considered to be a first step. The long-term goal was to have a joint government and industry operations center. After the NCCIC was established, the President’s National Security Telecommunications Advisory Council (NSTAC) created a Cybersecurity Collaboration Task Force, whose goal was to create and test a Concept of Operations (Con Ops) for a joint operations center. The IT-ISAC participated with the Communications ISAC, Financial Services ISAC, and the defense industry to develop a pilot program to test a Con Ops for this integrated capability. The resulting lessons learned created the framework for the DHS CISCP Program. The IT-ISAC subsequently became the first organization to sign a CRADA agreement as part of the DHS CISCP program, and was the first ISAC to embed an analyst at the NCCIC under the program.
● National Cyber Incident Response Plan (NCIRP): The IT-ISAC was one of several ISACs that engaged with government to develop the National Cyber Incident Response Plan. A key feature of the original NCIRP was the Cyber Unified Coordination Group (Cyber UCG). The Cyber UCG provided a sustained, consistent process for engaging with the critical infrastructure community during national cyber incidents.
● Critical Functions Risk Management: The IT-ISAC served as the industry Chair of the industry-government working group that produced the IT Sector Baseline Risk Assessment. Released in 2009, this work was the first to take a “functions”-based approach to risk assessments, as opposed to the traditional “asset”-based approach. Today, the functions-based approach is being applied as part of the national risk management strategy.
The policy contributions across the ISAC community are immense. For example, automated indicator sharing was an initiative driven by the Financial Services ISAC, and ISACs were early adopters, supporters and influencers. The National Council of ISACs, in partnership with the National Infrastructure Coordinating Center (NICC), developed a Private Sector Annex to the NICC’s operating plan. ISACs supported the development of policy-oriented Sector Coordinating Councils, National Infrastructure Protection Plans and industry-specific Sector-Specific Plans. The ISACs and their members contributed hundreds of hours to the development of the ISAO Standards Organization’s guidelines and practices for ISAO development and management. The ISACs and their members participate in national and regional exercises such as Cyber Storm and the National Level Exercise series. The lessons learned from these are incorporated into policy and planning documents that strengthen our nation’s preparedness and resiliency.
Of course, these are only accomplishments and engagements within the U.S. The IT-ISAC and many ISAC partners engage on a global basis, serving as experienced subject matter experts and helping to form information sharing organizations outside the U.S.
As we consider the value of ISACs, it is certainly appropriate to examine how ISACs add value to their members operationally. However, over the past 20 years, the ISACs have also been key contributors to, and laid the foundation for, many of the critical infrastructure policies and plans that underpin today’s national risk management efforts. The value of an ISAC goes well beyond its ability to assist member companies’ corporate risk management. ISACs also drive national and global public policy.
Scott Algeier is the Executive Director of the IT-ISAC.