Opinion by Gate 15’s Managing Director, Andy Jabbour
Every now and again, a nerve gets struck that leaves me screaming. This week, I read Derek B. Johnson’s (@DerekDoesTech) article in SC Magazine (@SCMagazine), “Feds say goodbye to ‘information sharing,’ hello to ‘operational collaboration’” (14 Feb 2022). That title alone broke my Valentine’s Day heart. There is nothing wrong with Derek’s report. My frustration comes in what I see as a fundamental misunderstanding of preparedness and capabilities that gets repeated, echoed, latched onto and then goes on to inform poor decisions and reactions. Let me try to briefly address this misunderstanding. Maybe not so briefly…
TL;DR. Operational Coordination and Information Sharing are not competing capabilities; they are complementary capabilities supporting organizational and national preparedness. It is not one or the other; it is both, together, and more.
At the moment, there are a lot of great people striving to help secure organizations and our nation as we see the potential for increased tensions and escalated conflict in and around Ukraine. The security champions are working every day – directly and indirectly – to help ensure our National Preparedness. As a country, we have a National Preparedness Goal.
“A secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.” – National Preparedness Goal
For the last 15 years, this mission has been the focus of my professional life and is what our team at Gate 15 is striving to support every day. Without making this a dissertation on preparedness, let us just note the goal itself and this statement: “The National Preparedness Goal describes five mission areas — prevention, protection, mitigation, response and recovery — and 32 activities, called core capabilities, that address the greatest risks to the nation.” By building competence in those core capabilities, we achieve organizational, community and national preparedness. So let’s dive into one of those core capabilities – Operational Coordination.
Definitions are always a good place to start. Operational Coordination, defined: “Establish and maintain a unified and coordinated operational structure and process that appropriately integrates all critical stakeholders and supports the execution of core capabilities.” Emphasis added.
Speaking to the U.S. House of Representatives Committee on Homeland Security (@HomelandDems) last November, Cybersecurity and Infrastructure Security Agency (CISA; @CISAgov) Director, Jen Easterly (@CISAJen) and National Cyber Director, Chris Inglis (@ncdinglis) spoke on “Evolving the U.S. approach to cybersecurity: raising the bar today to meet the threats of tomorrow.” It was a good hearing and you can read their remarks and watch the hearing here. That may have also been the first time a senior government leader appeared at a hearing with an exposed tattoo, so bonus points to Jen Easterly from this proudly tattooed American.
In her remarks, Director Easterly stated, “At CISA, we are challenging traditional ways of doing business and are actively working with our government, industry, academic, and international partners to move from traditional public-private partnerships to public-private operational collaboration.” Later she noted, “Our partners bring expertise and a unique ability to drive climate change impact and cyber defense activities in their jurisdictions, and it is precisely this assembly of knowledge that will allow us to be better prepared to achieve deep operational collaboration that ultimately reduces the greatest risks to our Nation.” She continued and brought up the newly developing Joint Cyber Defense Collaborative (JCDC) which has the stated goal to bring “together key federal partners with private sector and (state, local, tribal, and territorial) partners who have critical visibility and ability to understand the threat landscape by virtue of their businesses and responsibilities, and to plan and exercise against the most serious threats to our nation.” The JCDC is an interesting initiative you can learn more about here.
Now, I don’t know exactly what operational collaboration is, but from the way it has been used, I take it to mean something akin to the core capability of operational coordination, and so Ms. Easterly’s remarks got my big dork energy very excited. A few weeks later, DHS Secretary Mayorkas (@SecMayorkas), Director Easterly and Director Inglis “met with executives from 13 companies, including Google, networking vendor Juniper Networks and security firm Mandiant. Their aim was to deepen relationships between government and industry that security professionals see as vital for protecting the nation’s critical infrastructure.” As reported by Eric Geller (@ericgeller, Politico, 07 Dec 2021), the trip was “‘about taking a spirit of partnership and moving into actual operational collaboration…’ with the aim ‘to increase the cyber hygiene not only of the government’ but also companies with a wide range of expertise and resources.”
It is great to see that outreach and coordination taking place. America has a host of incredible businesses that can directly partner with government to add capability and to collaborate to support initiatives, security, and to better prevent, protect against, mitigate, respond to and recover from the threats and hazards that pose the greatest risks to our nation. But that is just one part of building a secure and resilient nation, across the whole community. Direct coordination is great for those with the capabilities and resources, but it certainly isn’t feasible for the government to attempt that directly with all critical infrastructure stakeholders across the homeland security enterprise, nor would it be wise to exclude those stakeholders and to rely solely on those largest and other selected companies.
Collaboration, and coordination, have to be more inclusive. That was understood in 1998 when President Clinton developed the idea of Information Sharing and Analysis Centers (ISACs). That need was further underscored by the heinous attacks on 9/11. After that attack, the FBI recognized the need to be able to communicate with a much broader community from industry and reached out to the Real Estate Roundtable to establish the RE-ISAC (@RealEstateISAC). Recognizing the opportunity to build on the success of the ISAC model, in 2015 President Obama established the idea of Information Sharing and Analysis Organizations (ISAOs). To achieve our National Preparedness Goal, we need operational coordination to ensure we have “a unified and coordinated operational structure and process that appropriately integrates all critical stakeholders and supports the execution of core capabilities.” Let’s pause and look at that last part, supporting the execution of core capabilities.
Operational coordination is a supporting capability. It ensures we – as organizations, communities and as a nation – are able to execute our other core capabilities. One capability that is really bolstered by effective operational coordination is Intelligence and Information Sharing. Though it is typically reduced in name to information sharing, it is really the intelligence that is most critical. I just gave a block of instruction on the intelligence cycle and will spare you from the details but, most simply, the terms can be understood this way – information is data, whereas intelligence is the product of the analysis of information.
The core capability of information sharing is to “Provide timely, accurate, and actionable information resulting from the planning, direction, collection, exploitation, processing, analysis, production, dissemination, evaluation, and feedback of available information concerning physical and cyber threats to the United States, its people, property, or interests; the development, proliferation, or use of WMDs; or any other matter bearing on U.S. national or homeland security by local, state, tribal, territorial, federal, and other stakeholders. Information sharing is the ability to exchange intelligence, information, data, or knowledge among government or private sector entities, as appropriate.”
The ISAC and ISAO models were developed largely to facilitate this core capability. Recognizing that the U.S. government cannot reasonably communicate effectively with all the nation’s critical infrastructure owners and operators, Mr. Clinton proposed a “hub and spoke” model where members from industry could come together in their ISAC to share information among one another and through the ISAC, back and forth with government. Mr. Obama wanted to expand that successful approach to other communities that could self-identify and were not limited to a specific designated sector of critical infrastructure. Today, the National Council of ISACs (NCI, @NCI_ISACs) has 27 members and ISAOs have developed in communities such as the faith-based community (FB-ISAO; @faithbasedisao), the Cannabis Industry (Cannabis-ISAO; @CannabisISAO), and the CompTIA ISAO (@CompTIAConnect). The ISACs and ISAOs offer a wide array of support to their members, some being all-hazards, others exclusively focusing on cybersecurity. The partnership has been a success captured and codified in documents such as the 2016 DHS Critical Infrastructure Threat Information Sharing Framework: A Reference Guide for the Critical Infrastructure Community and the NIPP 2013: Partnering for Critical Infrastructure Security and Resilience.
Back to Derek’s article… no one is going to say “goodbye to information sharing.” Yes, there are some (well, a lot of…) frustrations with private-public information sharing. Those frustrations go both ways and have validity. There is a lot of work to be done and leaders like Errol Weiss at Health-ISAC (@HealthISAC) are working cross-sectorally to enhance industry to industry information sharing while other NCI leaders are working with CISA, the FBI, and others to further operational coordination and information sharing on a regular basis.
Derek quotes former CISA Director Chris Krebs (@C_C_Krebs) stating that he was “‘sick’ of the term and the way it has been characterized as a panacea for the country’s cyber ills. ‘It’s not “[and] we have to get beyond information sharing” — we have to work together to understand what our respective advantages are, protect the American people, our networks and counter the adversary. We don’t do it by sharing [Indicators of Compromise].’”
Derek also quotes Morgan Adamski (@adamski_morgan), Director of the National Security Agency’s Cybersecurity Collaboration Center, saying “I really hate the word ‘information sharing.’ I’d actually rather use something like ‘operational coordination’ or ‘collaboration,’ because ‘information sharing,’ to me, is very transactional and antiquated.”
These are not the only grumblings relating to the term information sharing. There are plenty, and they are valid. Again, these are fair frustrations. The partnership – on all sides – has fallen short. Information sharing isn’t the be all, end all of private-public partnership, nor does it alone secure our nation. But it is not a matter of being tired of a phrase or not; we need to ensure we can conduct effective information sharing as one part of the many that ensure we are a nation able “to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.” Across the 32 core capabilities, we fall short of optimal. Review almost any exercise or post-incident after action report and you’ll see areas like planning and operational communication almost always are in need of improvement. Look at the current pandemic and you’ll see that in spades. Cybersecurity is a core capability. Operational Coordination is a core capability. Intelligence and Information Sharing is a core capability.
These are not either/or ideas we can put aside because we’re tired of them or because they have not been successful. It is because they have not been successful that we need to fight to make them better. Operational Coordination and Information Sharing are not competing competencies; they’re complementary capabilities. In order for us to achieve our National Preparedness Goal, it will take a whole community approach – private and public, large and small – not select relationships.
We stand in the storm of major geopolitical tensions with far-reaching complex and blended threats and impacts, domestic extremism and international terrorism continuing to pose threats to peace and stability. We wait for anticipated catastrophes such as a massively disruptive earthquake in the Heartland and we have to dare to imagine an even more deadly pandemic which can erupt at any time. With so many diverse challenges we need to find effective ways to work together and make improvements to existing structures while we also explore new initiatives and ways to make us more secure and resilient.
Preparedness is like fitness – it is never perfected, only strived towards and maintained. Only by continually developing all our core capabilities can we hope to achieve “a secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.”