Business Daily Media

The Times Real Estate

.

Why a NFP ISAC is the best value in protecting our critical infrastructure

  • Written by David Sandell, CEO, CI-ISAC


Why a sovereign, cross-sectoral, not for profit ISAC provides the best value Cyber Threat Information sharing environment for Critical Infrastructure 

As the Federal Government prepares to invest $6.423 million on a ‘pilot’ Health ISAC – a 2023 National Cyber Security Strategy deliverable – it is worth examining what type of ISAC represents best value for money.

But first, what is an ISAC?

ISAC Origin Story

In 1998, in order to elevate security, US President Clinton directed government agencies to share declassified information on physical and cybersecurity threats and vulnerabilities to US critical infrastructure (CI) operators. This initiative led to the creation of Information Sharing and Analysis Centres (ISACs) across each CI sector in the US. There are currently 27 single-sector ISACs in the US. Several of them operate in Australia, like the Global Financial Services ISAC and the Global Health ISAC. 

The NFP Model

These ISACs became Not for Profits (NFPs) as it became clear cyber and other threat intelligence information could only be shared between business competitors if the ISAC had no profit motive, or shareholders to satisfy with returns on investment.  The ISAC itself is owned by the members. It is only in a non-competitive environment where effective sharing, analysis and dissemination, which makes a material difference, can occur.      

Effective sharing is the objective.  And by effective we mean the sharing of curated intelligence that materially benefits the cyber and security operators within each business, not the CISOs or the Board, but those running networks and monitoring ICT environments within each business. 

Australia has already learned a lesson. 

Despite investing significant sums with a private firm over many years to build and energise the CTIS program, on 14 February 2024, Australian Signals Directorate publicly lamented the decline in the “frequency and richness of cyber incident data shared with it by the private sector, underlining the importance of restoring trusted channels for information exchange.”  A key reason for this poor outcome was the absence of a trusted sharing environment of the sort provided by a non-governmental NFP entity.

NFP Benefits

The key benefits of a NFP ISAC are:

Commercial Trust: NFP ISACs are more neutral and trustworthy for the sharing of sensitive information due to the absence of a profit motive. A for-profit ISAC may be motivated to commercialise the data derived from CTI sharing. 

Mission Focus: NFPs are mission-driven, focusing on the greater good rather than prioritising profit or market share. NFPs often have a more stable and long-term commitment to their mission and are less likely to be buffeted by market and shareholder pressures.

Public Trust: Well-governed  NFPs are seen as more trustworthy and accountable to the public. As a member-driven entity, NFP leaders are also accountable to members; the ultimate owners of the NFP entity. 

Sustainability: The NFP model provides better value as surplus is reinvested into the ISAC, not retained for payment of bonuses or dividends. An NFP ISAC will use ongoing membership fees to ensure the ISAC is self-sustaining and not a drag on government budgets.

Participation: NFPs encourage participation from a wider range of stakeholders, including smaller entities.  NFPs can cultivate a community-oriented environment that emphasises collaboration over competition. This can lead to more effective pooling of resources, knowledge, and expertise in the field of cybersecurity as well as CTI analysis and sharing. 

A Cross Sectoral ISAC

While NFP ISACs provide good value for money, a cross-sectoral ISAC takes the value proposition to another level. If the value of an ISAC sharing ecosystem is the sum of its parts, why not extend the reach of the ISAC to multiple CI sectors, to enrich the sharing and to avoid creating sector stovepipes?  Why shouldn’t a health sector business be able to access sharing from cyber threats from the financial services or other CI sectors? Most cyber threats are relevant to multiple sectors so it makes sense for there to be sharing across sectors.  You can bet all CI businesses are interested in learning about the threat, mitigations and responses when another CI business gets ‘hit’. It makes little sense to build separate, single sector stovepipe ISACs that would impede such sharing.  Such an approach does not represent value for money and puts undue pressure on lower maturity sectors such as health that do not have the maturity or insight to share effectively.

Sovereignty Matters: A Local Cyber Neighbourhood Watch

Several US based ISACs have been operating in Australia for many years.  Australian companies with the resources to engage meaningfully with these ISACs have done so in the absence of an alternative.  The era of relying on foreign ISACs is ending.  The $6.3m health sector ISAC presents an opportunity for government to break this cycle of reliance on foreign ISACs and invest in the development of sovereign capabilities.

An Australian ISAC, based in Australia and focused on CI companies operating in Australia, provides the best opportunity to build meaningful cyber resilience; to build a cyber neighbourhood watch

While cyber threats roam the global commons, attacks are often specifically targeted against specific entities in specific jurisdictions. Geography and national boundaries matter. The US- based global ISACs are biased towards their US customers and do little tailoring for their non-US members.  An Australian ISAC would be exclusively focused on businesses operating in Australia.  While an Australian ISAC would draw in intelligence feeds from abroad in order to enrich the CTI information available to its Australian members, its focus would be on its Australian members. To use a weather analogy, A US-based ISAC can provide a very accurate weather forecast for Baltimore. Its forecast for Newcastle is likely to be less detailed and useful to Novocastrians. 

As the Government considers where to invest its health ISAC dollars, it would do well to consider a local solution.

Conclusion

There is strong support for the ISAC model to be adopted in Australia but the discussion has revolved around building stove-piped, single-sector ISACs, without addressing the associated costs of such a model. 

A home-grown, NFP, cross sectorial ISAC with the strength of a member-based collective is a genuine value for money proposition that will help protect Australia’s critical infrastructure. 

 

Five signs that AI is growing faster than the internet did

What do Aussie businesses need to do to keep up? There has been mounting chatter that AI is growing even faster than the rapid acceleration we sa...

Protecting Your Small Business from Cyber Threats This Holiday Season

The holiday season brings a surge of online activity for small and medium businesses (SMBs), with increased sales and customer inquiries offering ...

Essential SEO Strategies: Boosting Your Real Estate Business

In recent years, it is said that more and more people are searching for properties online than those who visit real estate companies in person. For ...

Every Business Needs to Apply a Concrete Strategy

Do you want your website to rank higher in the top results of the Google search engine? Then hire the excellent SEO Services in Australia for your n...

Navigating Cyber Fraud After a Natural Disaster

As Australia enters another long, hot and potentially destructive summer, businesses and residents are preparing for the natural disasters synonym...

8seats messaging startup aims to transform business communication

The new platform brings an innovative approach to unite office-based and desk-less teams 8seats, a next-generation messaging platform for busine...

Sell by LayBy