In recent years the cybersecurity policy debate in Washington has been dominated by calls for greater information sharing within the private sector, and between the private sector and the federal government. The passage of the Cybersecurity Information Sharing Act (CISA) (signed into law under the Cybersecurity Act of 2015) underscored federal efforts to collect information from the private sector, and assuaged some concerns regarding private sector liability in sharing activities. However, the law lacked specificity on how continued federal efforts would work with existing information sharing networks, and failed to address other challenges associated with sharing, including trust building, privacy and proprietary interests, reciprocation, and quality control. This paper aims to bring granularity to implementations of information sharing initiatives by creating a taxonomy of the governance and policy models within each of these organizations. The research shows how this diverse ecosystem of sharing models works together and separately, and the impact governance and policy have on key components critical to sharing infrastructure.
Policymakers and corporate representatives have frequently discussed cybersecurity information sharing as if it were a panacea. The phrase itself refers to many different activities and types of exchanges, but from about 2009 to the end of 2015, the cybersecurity policy debate in Washington was dominated by calls for greater information sharing. [1] Influenced in part by the post-9/11 theme of "connecting the dots," both policymakers and the private sector commonly accepted that improved cybersecurity depended on, and would flow inexorably from, expanded information sharing within the private sector and between the private sector and the federal government. [2] This view seemed to rest upon the assumption that with more information, systems may be made more secure through prevention measures or rapid remediation.
Policymakers, reluctant to regulate cybersecurity standards, viewed voluntary information sharing as a tangible coordination activity that could be incentivized through policy intervention and sometimes directly facilitated by federal government roles. [3] The policy debate culminated with the 2015 passage of the Cybersecurity Information Sharing Act (CISA). [4] The law sought to encourage information sharing by the private sector by alleviating concerns about liability for sharing otherwise legally restricted information. It also sought to improve sharing within the federal government and between the government and the private sector.
CISA was debated and adopted after several decades of efforts within law enforcement and national security agencies to coordinate and increase information sharing with and within the private sector. The US Secret Service (USSS) established the New York Electronic Crimes Task Force (ECTF) in 1995 to facilitate information exchanges among the private sector, local and national law enforcement, and academic researchers. In 2001, the USA PATRIOT Act mandated that the USSS create a nationwide network of ECTFs, which eventually consisted of over 39 regional hubs. [5] In 1998, Presidential Decision Directive 63 (PDD-63) authorized the Federal Bureau of Investigation (FBI) to create a National Infrastructure Protection Center (NIPC) as a focal point for gathering and disseminating threat information both within the government and with the private sector. [6] PDD-63 simultaneously directed the national coordinator for infrastructure protection to encourage the private sector to create an Information Sharing and Analysis Center (ISAC). [7] The role of the private sector center was to collect and analyze private sector information to share with the government through the NIPC, but also to combine both private sector information and federal information and relay it back out to industry. [8] Although PDD-63 anticipated that there would be one national ISAC, various sectors ultimately formed their own ISACs focused on industry-specific security needs. [9] Over time, additional federal agencies also developed their own information sharing systems and procedures. For instance, US-CERT (US Computer Emergency Readiness Team), an organization that took over many of NIPC's functions after it was dissolved following a transfer to the Department of Homeland Security (DHS), releases vulnerability information and facilitates response to particular incidents.
Various other information exchanges and feeds, each with its own scope, access policies, and rules, were established across federal agencies charged with securing aspects of cyberspace. For example, in 2001 the FBI formally announced its "InfraGard" project, designed to expand direct contacts with private sector infrastructure owners and operators, as well as to share information about cyber intrusions, exploited vulnerabilities, and infrastructure threats. [10] In addition to these piecemeal federal efforts to expand cyber information sharing, private sector information sharing arrangements also proliferated. Antivirus software companies agreed to share virus signatures with each other, essentially deciding to differentiate themselves on platform usability and support instead of competing for data. [11] Additionally, security researchers and individual corporate professionals formed ad hoc arrangements around critical responses to major incidents such as the Conficker worm and the Zeus botnet, threats that required coordination of response as well as exchange of information. [12] Consequently, even before CISA was enacted, an ecosystem of information exchanges, platforms, organizations, and ad hoc groups had arisen to respond to increasingly pervasive and complex security threats within all industries. Today, this ecosystem of information sharing networks is characterized by a high degree of diversity, the result of years of evolving policies and cooperative models, driven by both the federal government and private sector. Information sharing models and structures operate in different niches, working sometimes in silos, occasionally duplicating efforts, and sometimes