To the editor:
In his article ‘Combating US cyber adversaries calls for whole-of-government approach’, which appeared in C4ISRNET on 17 May 2023, U.S. Rep. Mark E. Green highlights that cyber criminals take advantage of gaps in our visibility over domestic infrastructure, and that a strong, cross-sector, and whole-of-government approach is needed.
He also points out that interagency cooperation can be improved through the State Department’s new Bureau of Cyberspace and Digital Policy, and that efforts are needed to improve collective cybersecurity.
His observation that over 80% of critical infrastructure is privately owned and operated indicates that a whole-of-nation effort is needed, not simply a whole-of-government effort. Furthermore, close partnerships within the private sector are needed, as is the ability to share timely, actionable, and contextualized information to stop cyber-attacks in their tracks.
These important aspects canvassed by Rep. Mark Green apply equally to Australia, where several government initiatives and legislation that address cyber assurance, reporting, and security have been introduced. However, with Australia’s critical infrastructure entities increasingly being targeted by sophisticated cyber-attacks, we must ask the question: is that enough?
Defensive strategies cannot be formulated in isolation by individual critical infrastructure entities; a collective security posture is needed. In addition, a community-based approach is needed to support government efforts in materially uplifting cyber resilience across the critical infrastructure ecosystem.
The challenges for directors and boards of critical infrastructure operators have increased, and additional obligations have now been placed on them and their entities. The onus is on them to act to mitigate risks, which involves balancing risk mitigation measures and the associated costs within the entity’s operational context.
The extent to which the government can share information across the entire critical infrastructure community must be questioned in light of the high classification of much of that information. It can provide assessments of the threats and will need to increase that effort; however, that is likely to be of a highly technical nature, which many critical infrastructure businesses will not be able to process or understand.
Existing sharing initiatives, led by government, are heavily focused on the sharing of technical threat information and, due to the low maturity of most small-to-medium enterprises, galvanizing community engagement across the public and private sectors has not been as smooth as anticipated.
Australia’s critical infrastructure providers now span 11 sectors and 22 asset classes, as well as their embedded supply chains; most of these organisations don’t have the capability to share ‘machine-to-machine’ intelligence. Nor has the capability existed in industry to share cyber threat intelligence and build collective cyber defence.
Industry needs an internal trusted facilitator for the intelligence exchange and to ensure the overall quality of information flowing out to the critical infrastructure community.
Existing Information Sharing and Analysis Centres, or ISACs, do not address the breadth of critical infrastructure sectors, only supporting a few of the eleven sectors. Cyber threats span all sectors and a more holistic approach to sharing information on cyber threats and attacks is required. Furthermore, as mentioned above, many public and private sector organisations lack the knowledge, resources or capabilities to effectively participate and gain value from threat-sharing initiatives.
What is needed for the critical infrastructure community over and above the good work already done by government? First, trusted cyber threat intelligence sharing that ensures an industry-led trusted environment to securely and independently gather and disseminate cyber threat intelligence across all critical infrastructure sectors. Second, a commercially safe environment where Intellectual Property and liability protections exist. Third, operational processes and technical capabilities that enable sharing of contextualised cyber threat intelligence and the ‘turn-key’ capabilities that address member needs. And fourth, a transparent and open culture that encourages behaviours of participation, collaboration, and cooperation between members.
The Critical Infrastructure - Information Sharing and Analysis Centre (CI-ISAC) was launched on 6 February this year to address those four aspects, and is establishing a cyber-intelligence sharing community to help boost the cyber resilience of all critical infrastructure providers in Australia, from the largest to the smallest. CI-ISAC offers a mechanism for national collective cyber defence for the critical infrastructure community: a cyber-intelligence sharing community focused on industry owners and operators of Australia’s critical infrastructure to deliver collective cyber defence.
CI-ISAC intends to augment existing initiatives and not detract from the excellent work already underway. CI-ISAC is not introducing any new frameworks or assurance initiatives; rather, it is putting in place an industry-led vehicle and capabilities around operational cyber threat sharing to drive cyber defence outcomes. This enables members to manage their risk more effectively by getting insights across all critical infrastructure sectors.
ISACs represent an opportunity for Industry to self-organise and manage their own challenges, engaging with Government on their own terms, to improve Australia’s overall cyber defences. The strength and utility of an ISAC is directly related to the number of members it brings together and the diversity of insights and knowledge that these members bring to the ISAC’s intelligence-sharing platform. A single Australian ISAC offers a cross-sectoral perspective and a united ability to interact with Government initiatives.
Furthermore, a single CI-ISAC facilitates resource pooling, expanded access to support, and improved overall cyber posture. Above all, it improves the quality of analysis and contextual information sharing. The network effects of a large, cross-sectoral ISAC benefit members by leveraging mature players to build turn-key capabilities which can be used to assist less mature, financially constrained industry members and accelerate their cyber maturity. This, coupled with central supporting functions, consolidates expertise and maximises utilisation of highly skilled and low-density cyber professionals. CI-ISAC Australia offers economies of scale and efficient utilisation of central expertise.
This contextual information sharing is vital as technical indicators in isolation do not inform risk-based decisions to enable a proactive response. CI-ISAC builds context around threat information shared by members, validating and enriching insights from members and supporting decision-making for all members. Additionally, CI-ISAC is bore-sighted on the operational requirements of its members with reporting and analysis aimed to match the “operational cadence of businesses.”
These approaches will materially raise the level of collective defence of CI-ISAC members. Uplift is by industry, for industry, with a focus on threats targeting Australia, but informed and augmented with strategic global partnerships.
David Sandell, CEO and Managing Director, CI-ISAC
CI-ISAC is a not-for-profit entity that connects companies and governments, allowing them to share information on cyber-attacks and strengthen their collective responses.
This article is a letter to the editor and the opinions expressed are those of the author.