Information Sharing

Terrorists constantly change their tactics to stay one step ahead; the cyber criminals and nation-states that infiltrate computer systems are no different. As soon as cybersecurity experts resolve one major security flaw, adversaries will exploit another. Unlike counterterrorism, robust cybersecurity depends on much more than intelligence agencies and law enforcement. Securing the nation against cyberattacks requires sharing information between agencies at all levels of government, Fortune 500 companies, small businesses, civil society, academia, and everyday citizens.

What Does Information Sharing Mean?
  • Data exchange:
    Computers and human analysts exchange highly technical data on cyberattacks and tactical, short-term defense measures.

  • Threat intelligence:
    Experts in government and the private sector analyze and share the intentions and capabilities of cyber criminals and nation-states, as well as defenses.

  • Response:
    Public and private sector leaders determine when a cyberattack merits elevation or the activation of emergency protocols.

  • Notification:
    The public learns when personal information has been stolen or compromised, or if a cyberattack is affecting government services.

Essential Terms:

Information Sharing and Analysis Centers (ISACs)
Official ISACs are members-only bodies that correspond to designated critical infrastructure sectors—banks belong to the Financial Services ISAC, water utilities to the Water ISAC and health insurers to the National Health ISAC.

Information Sharing and Analysis Organizations (ISAO)
More informal than ISACs, ISAOs may organize based on region or interests, instead of economic sector. This flexibility allows partners to choose the right forums for sharing, given their goals.

Multi-State Information Sharing and Analysis Center (MS-ISAC)
This remains the only national cyber information sharing body dedicated to state-specific threats.

National Cybersecurity and Communications Integration Center (NCCIC)
Created in 2015 and operated by DHS, the NCCIC is intended to be the nation’s primary center for cybersecurity information sharing, linking all sectors of government and private industry.

What Can Governors Do?

Recommendation 1: Establish a State ISAO/Integration Center

Set up a single body for collecting and sharing cybersecurity information that is relevant to your state.

  • The name is irrelevant—an ISAO need not be called an “ISAO” (see exampleson reverse side);
  • Define the scope—What will the ISAO share, who will it share with, and when? Will it have any additional duties, such as training or technical assistance?
  • Start small, then grow—An ISAO should focus initial efforts narrowly, resolve unforeseen obstacles, and then scale; an overwhelmed staff and unfulfilled promises could undermine its reputation, turning off partners and restricting information sharing;
  • Do not reinvent the wheel—Seek advice from private industry, other ISAOs and nonprofits who stand ready to provide how-to guides on cyber information sharing;
  • Build on top of existing infrastructure and relationships—Hit the ground running and reduce overhead costs by co-locating or merging with an existing fusion center or Ops Center (while maintaining a focus on cyber threats);
  • Delegate a high-level salesperson—An ISAO depends on willing members and partners, who must be recruited through a sustained, statewide campaign to sell its benefits;
  • Integrate ISAOs into decision processes—Through regulation, executive order or other appropriate authority, ensure that state agencies collaborate as a matter of policy (not personal preference); and
  • Interface with ISAOs and ISACs outside of your state—Regularly follow up with the ISAO head to ensure that it interacts with and provides feedback to the NCCIC, the MS-ISAC and other relevant ISAOs.

Recommendation 2: Consider exempting cyber threat information from open records laws

Many private sector entities possess information that can help the state defend its own networks, conduct proper oversight of regulated sectors and prepare for major cyberattacks. Such companies often express reluctance to collaborate due to concerns that sensitive data might become public record. North Dakota and Iowa recently amended their open records laws to fix this. Of course, cybersecurity needs must be balanced against the need for government transparency.

Humans, not Technologies, Present the Toughest Obstacles to Information Sharing

  • Reluctance to share sensitive/proprietary/confidential data;
  • Concerns that sharing data could trigger lawsuits;
  • Preference for other business priorities; and
  • Organizational challenges and cultural differences that fuel mistrust.

Overcoming these obstacles requires sustained, high-level attention from executives—a culture of information sharing starts at the top.