This week I had the opportunity to attend the Advanced Cyber Security Center (ACSC) Launch Conference just outside Boston. The center is a public-private partnership with industry, academia, and government participants. Its purpose is to address the challenges in information sharing needed to combat the advanced persistent threat of cyber attacks. They have a particularly impressive policy and legal working group, co-chaired by Professor Jack Goldsmith of Harvard Law School (formerly the Assistant Attorney General in charge of the Office of Legal Counsel) and Michelle Whitham, a Boston attorney. Governor Deval Patrick and the Attorney General of Massachusetts, Martha Coakley, also spoke and lent their support.
Information Sharing Challenges
The conference showed there is a very strong interest in addressing difficult information-sharing problems from a technical, business, legal, and policy point of view. Companies, government agencies, and universities all have valuable information that is a target for cyber intrusions, and yet they often do not share this information for a variety of reasons. These include the lack of a business case for doing so – why should I share information about my vulnerabilities with my competitors or with the government, particularly if doing so might expose me to legal risks? Yet the participants understood that sharing information about these threats was vital to building an effective defense.
In the policy and legal working group, we divided the information sharing challenge into two separate, yet related, problems. First, there should be work to address real or perceived legal and policy barriers to sharing. Second, law and policy can be better aligned to incentivize sharing. This is a very familiar challenge for PM-ISE, and our approach was very intriguing to the group. The tools we have used to build the ISE – standards, repeatable processes, outreach and engagement, and addressing legal, privacy, and other challenges head on – are the very same tools this center could use to address cyber information sharing.
At a panel at the main conference, I summarized this discussion and emphasized a horizontal, standards-based approach as one answer to the cyber information sharing challenge. Participants welcomed this approach, generally considering it far superior to a centralized repository of threat information, with all the legal, security, and policy problems that would present. I also emphasized the National Information Exchange Model (NIEM) as an excellent model for the center to consider.
The ACSC presents a real opportunity for PM-ISE to begin to engage with an impressive group of experts, outside the Beltway and with impressive credentials, to address the cyber information sharing challenges.