Business Daily Media


Why a NFP ISAC is the best value in protecting our critical infrastructure

  • Written by David Sandell, CEO, CI-ISAC


Why a sovereign, cross-sectoral, not for profit ISAC provides the best value Cyber Threat Information sharing environment for Critical Infrastructure 

As the Federal Government prepares to invest $6.423 million in a ‘pilot’ Health ISAC – a 2023 National Cyber Security Strategy deliverable – it is worth examining what type of ISAC represents best value for money.

But first, what is an ISAC?

ISAC Origin Story

In 1998, in order to elevate security, US President Clinton directed government agencies to share declassified information on physical and cybersecurity threats and vulnerabilities to US critical infrastructure (CI) operators. This initiative led to the creation of Information Sharing and Analysis Centres (ISACs) across each CI sector in the US. There are currently 27 single-sector ISACs in the US. Several of them operate in Australia, like the Global Financial Services ISAC and the Global Health ISAC. 

The NFP Model

These ISACs became Not for Profits (NFPs) as it became clear that cyber and other threat intelligence information could only be shared between business competitors if the ISAC had no profit motive and no shareholders to satisfy with returns on investment. The ISAC itself is owned by the members. Only in a non-competitive environment can effective sharing, analysis and dissemination, of the kind that makes a material difference, occur.

Effective sharing is the objective.  And by effective we mean the sharing of curated intelligence that materially benefits the cyber and security operators within each business, not the CISOs or the Board, but those running networks and monitoring ICT environments within each business. 

Australia has already learned a lesson. 

Despite investing significant sums with a private firm over many years to build and energise the CTIS program, on 14 February 2024, Australian Signals Directorate publicly lamented the decline in the “frequency and richness of cyber incident data shared with it by the private sector, underlining the importance of restoring trusted channels for information exchange.”  A key reason for this poor outcome was the absence of a trusted sharing environment of the sort provided by a non-governmental NFP entity.

NFP Benefits

The key benefits of a NFP ISAC are:

Commercial Trust: NFP ISACs are more neutral and trustworthy for the sharing of sensitive information due to the absence of a profit motive. A for-profit ISAC may be motivated to commercialise the data derived from CTI sharing. 

Mission Focus: NFPs are mission-driven, focusing on the greater good rather than prioritising profit or market share. NFPs often have a more stable and long-term commitment to their mission and are less likely to be buffeted by market and shareholder pressures.

Public Trust: Well-governed NFPs are seen as more trustworthy and accountable to the public. As a member-driven entity, NFP leaders are also accountable to members, the ultimate owners of the NFP entity.

Sustainability: The NFP model provides better value as surplus is reinvested into the ISAC, not retained for payment of bonuses or dividends. An NFP ISAC will use ongoing membership fees to ensure the ISAC is self-sustaining and not a drag on government budgets.

Participation: NFPs encourage participation from a wider range of stakeholders, including smaller entities.  NFPs can cultivate a community-oriented environment that emphasises collaboration over competition. This can lead to more effective pooling of resources, knowledge, and expertise in the field of cybersecurity as well as CTI analysis and sharing. 

A Cross Sectoral ISAC

While NFP ISACs provide good value for money, a cross-sectoral ISAC takes the value proposition to another level. If the value of an ISAC sharing ecosystem is the sum of its parts, why not extend the reach of the ISAC to multiple CI sectors, to enrich the sharing and to avoid creating sector stovepipes? Why shouldn’t a health sector business be able to access shared intelligence on cyber threats from the financial services or other CI sectors? Most cyber threats are relevant to multiple sectors, so it makes sense for there to be sharing across sectors. You can bet all CI businesses are interested in learning about the threat, mitigations and responses when another CI business gets ‘hit’. It makes little sense to build separate, single-sector stovepipe ISACs that would impede such sharing. Such an approach does not represent value for money and puts undue pressure on lower maturity sectors such as health that do not have the maturity or insight to share effectively.

Sovereignty Matters: A Local Cyber Neighbourhood Watch

Several US based ISACs have been operating in Australia for many years.  Australian companies with the resources to engage meaningfully with these ISACs have done so in the absence of an alternative.  The era of relying on foreign ISACs is ending.  The $6.3m health sector ISAC presents an opportunity for government to break this cycle of reliance on foreign ISACs and invest in the development of sovereign capabilities.

An Australian ISAC, based in Australia and focused on CI companies operating in Australia, provides the best opportunity to build meaningful cyber resilience; to build a cyber neighbourhood watch.

While cyber threats roam the global commons, attacks are often specifically targeted against specific entities in specific jurisdictions. Geography and national boundaries matter. The US-based global ISACs are biased towards their US customers and do little tailoring for their non-US members. An Australian ISAC would be exclusively focused on businesses operating in Australia. While an Australian ISAC would draw in intelligence feeds from abroad in order to enrich the CTI information available to its Australian members, its focus would be on its Australian members. To use a weather analogy, a US-based ISAC can provide a very accurate weather forecast for Baltimore. Its forecast for Newcastle is likely to be less detailed and less useful to Novocastrians.

As the Government considers where to invest its health ISAC dollars, it would do well to consider a local solution.

Conclusion

There is strong support for the ISAC model to be adopted in Australia but the discussion has revolved around building stove-piped, single-sector ISACs, without addressing the associated costs of such a model. 

A home-grown, NFP, cross-sectoral ISAC with the strength of a member-based collective is a genuine value for money proposition that will help protect Australia’s critical infrastructure.

 
