You Say “ISAC,” I Say “ISAO”

The White House sponsored a “Summit on Cybersecurity and Consumer Protection” at Stanford University on Friday the 13th of February, 2015 to discuss privacy, data protection and public-private cyber-threat information sharing. They invited the CEOs of major companies. Google, Facebook, Amazon and Yahoo declined. The most prominent of those corporate CEOs who did attend was Tim Cook of Apple. At the Summit, Cook announced the U.S. government would begin accepting Apple Pay in September for Federal programs and Social Security … see “Apple Pay Coming to Federal Programs Like Parks and Social Security” at

The real story here is that the White House cybersecurity proposals in the Executive Order (EO), released on the same day as the Summit, are mostly a rehash of some small part of President Clinton’s Presidential Decision Directive No. 63 (PDD-63) on critical infrastructure protection, which was issued in 1998 and abandoned when a new Administration took over in 2000. It is very informative to read the PDD at  PDD-63 essentially had a five-year time horizon, meaning that we were due to have the proper cyber defenses in place by May 2003. Of course it didn’t happen. And here we are, a dozen years after the deadline, in worse shape than ever in terms of protecting our vital sectors.

The EO, which has the title “Promoting Private Sector Cybersecurity Information Sharing,” is available at (yes, the “ng” is missing). About the only real recommendation (and it’s by no means a mandate) is for private sectors, industries, regions, etc. to form ISAOs (Information Sharing and Analysis ORGANIZATIONS) and exchange information with members and with the government. In return, the White House is offering protection from disclosure of personal and proprietary information. The problem with this is that the government doesn’t have a very good track record of protecting its secrets from inadvertent and intentional public disclosure.

So now we have ISAOs in addition to ISACs (Information Sharing and Analysis CENTERs) with seemingly much the same goals and function. I don’t see the purpose of rebranding since many of us are aware of ISACs and some ISACs have become very effective. As I’ve mentioned previously, I was a co-founder of the Financial Services ISAC (FS-ISAC), which was launched in October 1999 and which became the model for subsequent ISACs, such as the 17 other ISACs now listed under the National Council of ISACs at  Why would one want to change the name given to institutions that are already known and have already proven themselves?

Another point is that general voluntary compliance doesn’t really work when it comes to information sharing. From the FS-ISAC experience, I believe that you need a group of committed individuals with strong connections within the sector and with government. In our case I give much of the credit to Stash Jarocki, who really spearheaded the effort, and Steve Katz, both of Citi, and the folks at Global Integrity, which was an independent subsidiary of SAIC, including Anish Bhimani, who subsequently became a senior security executive at JP Morgan Chase. Strong and trusting relationships with government officials, such as Richard Clarke, who became the White House security czar, and Brian Peretti of the U.S. Treasury, were also crucial for success. Other ISACs have also demonstrated that relationships matter just as much as government encouragement and imaginative technology. The FS-ISAC is in its sixteenth year and has grown stronger and more effective each year. The keys to success are still those trusting relationships, strong commitments, and the ability to keep information confidential and, when necessary, anonymous.

As cyber attacks become more sophisticated, more coordinated and have greater impact, there is a growing need for expanding the ISAC concept. Changing the name of such organizations and asking nicely does not do the job. The force behind ISACs has to come from within.

Aside from the huge benefits derived from security information sharing and analysis (whether by means of ISACs or ISAOs), there is also another even more important security area that has not been addressed adequately by any of the critical infrastructure sectors nor by the government … but more about that another time.
