Page 33 - index
P. 33
and is not delivering the necessary results to significantly improve our national cybersecurity
and resilience posture.
Rather, the current construct of the NCCIC is heavily government focused and includes a series
of one-off agreements and relationships with various private sector entities where the
engagement model is one to one, cannot scale widely, nor does such architecture provide any
opportunity for broad and productive collaboration between and among stakeholders. Of note,
there are 18 private sector Information Sharing & Analysis Centers (ISACs) across the critical
infrastructure owner and operator community in sectors like transportation, energy, financial
services, communications, information technology, defense, and more.
These ISACs represent thousands of companies and organizations and routinely engage in the
activity of information sharing, analysis, and collaboration to promote cybersecurity protection,
security, and resilience. After more than five-and-a-half years of the existence of the NCCIC,
only four of those ISACs have onsite participation at the NCCIC. How can that possibly be the
case when policy makers at every level and industry leaders agree that cybersecurity is a real
and dangerous concern? In most cases, the barriers to participation are just too significant to
overcome. This should be corrected immediately.
What makes this matter more curious is the fact that the President’s National Security
Telecommunications Advisory Committee (NSTAC), in response to a request from the White
House, delivered a Report to the President in May 2009 that recommended the establishment of
a joint, integrated, public – private capability with 24 x 7 operational presence. The capability
envisioned would be designed to improve detection, prevention, mitigation, and response to
cyber events that may become incidents of national consequence through information sharing,
analysis, and collaboration.
The recommendation included a three-phased approach that included federal, state, and local
government, private sector, academia, non-governmental organizations, and our international
partners. The concept of the Joint Coordination Center (JCC) was specifically referenced as the
foundation for the NCCIC when it was launched in October 2009, but the recommendations
have never been implemented as articulated in the Report.
The fact that the White House recently announced the creation of yet another entity to analyze
cyber threat intelligence for the government, the Cyber Threat Intelligence Integration Center
(CTIIC), seems to affirm a White House view that the NCCIC has not been successful in fulfilling
that role. The initial concept for the JCC included a robust analysis component, but also active
participation by the private sector critical infrastructure owner and operator community.
In fact, following the efforts of the NSTAC Cybersecurity Collaboration Task Force, which
included about 80 subject matter experts from industry and government, a number of private
sector companies decided to pursue a pilot project to test and examine industry cross sector
information sharing, analysis, and collaboration capabilities across four distinct critical
infrastructure sectors.
33 Cyber Warnings E-Magazine – March 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
