Today, the Chair of the National Council of Information Sharing and Analysis Centers (NCI), Denise Anderson, provided Congressional testimony, submitted for the record, on the President’s recent executive order on cybersecurity information sharing and on how the federal government can better support private sector information sharing and analysis centers.
Anderson, who is also the Vice President for Government and Cross Sector Programs at the Financial Services Information Sharing & Analysis Center (FS-ISAC), provided the testimony to the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies for its hearing on cybersecurity information sharing.
Anderson commended the President’s efforts to expand cybersecurity information sharing, and urged the White House and federal agencies to deepen their commitment to the existing 18 ISACs and future ISACs that form under the umbrella of the NCI.
ISACs serve as the operational arms of their respective sectors and subsectors, ranging from electricity to health care to transportation to water. They are not-for-profit organizations, voluntarily established by the private sector under a 1998 presidential directive, to provide physical security and cybersecurity situational awareness to their respective sectors. Through the NCI, ISACs provide much needed cross-sector threat analysis. ISACs also collaborate with government partners, such as the National Infrastructure Coordinating Center (NICC) and the National Cybersecurity and Communications Integration Center (NCCIC), among many others, to develop and disseminate threat warnings and mitigation resources.
“It is absolutely essential that the successful efforts that ISACs have established over the years should not be disrupted,” Anderson told the committee. “The White House, Sector-Specific Agencies – including the Department of Homeland Security – and other relevant agencies need to call out, recognize and support the unique role ISAC play in critical infrastructure protection and resilience.”
Among the provisions of the executive order and included in the White House’s cybersecurity legislative proposal is the creation of voluntary standards for information sharing and analysis organizations. Anderson recognized the importance of baseline criteria for effective information sharing, but she also advised that information sharing organizations must have the flexibility and ability to meet the unique needs of their sectors and members.
“Although all ISACs have similar missions, no two ISACs are exactly alike,” Anderson noted.
“Any focus on ISAOs and ISAO standards must be implemented carefully as not only to encourage and foster information sharing and analytical maturity among newly established organizations, but also clearly publish, highlight and fully leverage and emulate aspects of the status quo that are working and have been working for quite some time,” Anderson further noted.
Anderson closed by calling on the White House and other federal agencies to adopt five recommendations to enhance information sharing with, across and by the private sector:
Recognize ISACs and the special operational role they play in critical infrastructure protection and resilience;
Support private sector efforts to form ISACs in the very few critical infrastructure sectors where they do not currently exist;
Encourage owners and operators of critical infrastructure to join their respective sector ISACs;
Facilitate getting all of the ISACs on the NCCIC floor (after four years this still has not been accomplished); and
Recognize the NCI as the coordinating body for the ISACs.