Understanding the collaborative structure of the Financial Institutes Information Sharing and Analysis Centre (FI-ISAC) in the Netherlands

Academic year: 2021


Understanding the collaborative structure of the Financial Institutes Information Sharing and Analysis Centre (FI-ISAC) in the Netherlands

An exploratory case study

Gamze Ulker

Student number: s2078783
Word count: 23.890

Master: Crisis and Security Management, Leiden University

‘Collaboration at an industry-wide level is not only a critically important element of defense, it is essential’ (Nelson, 2018)

ABSTRACT

Cyber security is emerging as one of the most challenging aspects of the information age for policy-makers and scholars of International Relations. The financial sector is particularly vulnerable to cyber-attacks. The interconnectedness of individual actors, the complexity of the financial services industry and the introduction of new technologies increase the risk of a large-scale cyber-attack on the financial sector. These interdependent infrastructures create an environment of shared risks that can only be tackled through joint risk management. Protecting critical infrastructures is considered one of the key challenges that arose from the deregulation and privatization process of the 1980s. Collaboration between the public and private sector in critical infrastructure protection is therefore a necessity rather than an option. The Dutch Financial Institutes Information Sharing and Analysis Centre (FI-ISAC) facilitates collaboration between public and private entities to share information and best practices. This research aims to provide an in-depth analysis exploring the characteristics, benefits and challenges of the FI-ISAC as a (shared) participant-governed network.

The research first outlines the methodology and is followed by a fairly extensive theoretical framework. The chapter on the theoretical framework first explores the collaboration imperative, in which the importance of cooperation on critical infrastructure protection will be emphasized. After that, a section will be dedicated to collaboration theory, delving deeper into the concept of public-private partnership and its limitations with regard to critical infrastructure protection. The theoretical framework will then present an alternative approach: collaborative governance and the network governance approach. After establishing a theoretical foundation for collaboration structures, theory on the importance of information sharing will be explained. This will be followed by a chapter on Information Sharing and Analysis Centres (ISACs) that outlines a conceptual framework serving as a starting point for understanding the FI-ISAC. A further chapter will elaborate the context and background in which the FI-ISAC operates. After establishing this contextual basis, the findings will be presented and subsequently analyzed by connecting them to network governance theory. In the final chapter, a summary will be given, including suggestions for future research and an outline of the limitations of this research.

Table of Contents

1. Introduction ... 7

2. Methodology ... 10

2.1 Case selection: Dutch Financial Information-Sharing and Analysis Center (FI-ISAC) ... 10

2.2 Method ... 11

2.3 Operationalization ... 11

2.4 Data-gathering ... 12

2.5 The interviewees ... 12

2.6 Data-analysis ... 12

2.7 Methodological constraints ... 13

3. Theoretical Framework ... 14

3.1 Collaboration imperative ... 14

3.2 Cyber security: a concise explanation ... 16

3.3 Collaboration: a process of mutual beneficial interdependencies... 17

3.4 Public-private partnership ... 19

3.5 Collaborative Governance as a theoretical foundation ... 21

3.6 Network Governance Theory ... 23

3.7 Forms of Network Governance ... 24

3.8 Network Governance and its tensions ... 25

3.9 Understanding the need to exchange information in networks ... 27

3.10 Deriving a Framework ... 31

4. Information Sharing and Analysis Centre (ISACs) ... 32

4.1 A brief history ... 32

4.2 Structures, Operations and Business models ... 33

4.3 Challenges... 35

5. Context and Background ... 36

5.1 Poldermodel: the basis of the Dutch approach... 36

5.2 Policy efforts on tackling cyber threats in the Netherlands ... 37

5.3 National Cyber Security Centre ... 41

5.4 Cyber Security Council ... 43

5.5 Digital Trust Centre ... 43

5.6 Critical Infrastructures in the Netherlands ... 44

5.8 Dutch financial sector approach ... 46

5.9 Information Sharing and Analysis Centers in the Netherlands ... 48


5.11 Collaboration with the FS-ISAC and the EU FI-ISAC ... 51

6. Findings ... 53

6.1 FI-ISAC, a working model ... 53

6.2 FI-ISAC (internal) structure ... 54

6.3 Safeguarding trust ... 55

6.4 Best practices: The American FS-ISAC and its membership model ... 57

6.5 Cross-sectoral collaboration ... 59

6.6 Challenges... 60

6.7 FI-ISAC: a growing community ... 61

6.8 ISAC 2.0? ... 62

7. Analysis ... 64

7.1 Identifying the network governance model ... 64

7.2 Horizontal collaboration and self-regulating processes... 65

7.3 Organization of self-organization ... 66

7.4 Identifying the Network Governance form ... 67

7.5 Advantages of the (shared) participant-governed network ... 68

7.6 Challenges of the (shared) participant-governed network ... 69

7.7 A Network Evolution? ISAC 2.0? ... 71

8. Conclusion ... 73

8.1 Suggestions for further research ... 74

8.2 Limitations of the research ... 75


List of abbreviations

CERT Computer Emergency Response Team

CI Critical Infrastructure

CII Critical Information Infrastructure

CIIP Critical Information Infrastructure Protection

CIP Critical Infrastructure Protection

CSC Cyber Security Council

CSIRT Computer Security Incident Response Team

DDoS Distributed Denial-of-Service attack

ENISA European Union Agency for Network and Information Security

FCI Financial Core Infrastructure

FI-ISAC Financial Institutes Information Sharing and Analysis Centre

FIRST Forum of Incident Response and Security Teams

FS-ISAC Financial Services Information Sharing and Analysis Centre

HCTCU High-Tech Crime Unit

ISAC Information Sharing and Analysis Centre

ITU International Telecommunication Union

NCSC National Cyber Security Centre

NCSS National Cyber Security Strategy

NICC National Infrastructure against Cybercrime

NIST National Institute of Standards and Technology

NCTV National Coordinator for Security and Counterterrorism

NVB Netherlands Banker’s Association

TNO Netherlands Organization for Applied Scientific Research

TLP Traffic Light Protocol

1. Introduction

‘Cyber security is emerging as one of the most challenging aspects of the information age for policy-makers and scholars of International Relations’ (Carr, 2016: 43). In our interconnected world, cyber threats can come from various unexpected directions and sources. Choo labels these threats a ‘360-degree challenge’, since cyber exploitation and malicious activity are becoming increasingly targeted and sophisticated and are characterized by a fundamental uncertainty (Choo, 2011: 72). While politicians, experts and scholars have been aware of cyber threats since the early years of internet technology, the challenges and the complexity of resolving and addressing these threats have increased (Carr, 2016: 43). In reaction, governments outline various ways in which they intend to address cyber insecurity in their national cyber security strategies (idem).

The state is responsible for the provision of national security. Critical infrastructure protection is seen as a fundamental part of national security in many countries around the world (Cavelty and Suter, 2009: 1). ‘The potential implications of a large scale cyber-attack on critical infrastructure are so extensive that it follows naturally that the government would recognize some authority and responsibility here’ (Carr, 2016: 54). The financial sector is particularly vulnerable to cyber-attacks. The interconnectedness of individual actors, the complexity of the financial services industry and the introduction of new technologies increase the risk of a large-scale cyber-attack on the financial sector (Gray and May, 2018: 1). ‘A successful cyber-attack on one institution could spread rapidly through the interconnected financial system’ (Lagarde, 2018). In addition, a significant disruptive attack against the financial sector could have ‘catastrophic effects on the economy and threaten financial stability’ (Maurer, 2018). This could directly result in a loss of revenue as well as indirectly result in losses in terms of consumer confidence ‘that reverberate beyond the financial sector because it serves as the backbone of other parts of the economy’ (idem). ‘The risk is only likely to grow as the financial sector increasingly relies on digital infrastructure and financial technology, systems become more interconnected and processes more automated’ (Borghard, 2018).

Protecting critical infrastructures is considered one of the key challenges that arose from the deregulation and privatization process of the 1980s. Consequently, critical infrastructural systems are privately owned and operated in many states (Cavelty and Suter, 2009: 1). Therefore, in the context of national security and protecting these critical systems, a type of relationship between the public and private sector is fundamental (idem). ‘Cyber security is too comprehensive to be managed by a single sector since cyber security affects all sectors of the community’ (NCSC.nl, 2018). Governments have fundamental information, and critical infrastructure owners and operators have hands-on access to these systems. Both roles are vital for managing national cyber security (Christensen and Peterson, 2017). Therefore, collaboration between the public and private sector in critical infrastructure protection is a necessity rather than an option, but the terms of collaboration can vary (Donahue and Zeckhauser, 2006: 435). In addition, these interdependent infrastructures create an environment of shared risks that can only be tackled through ‘joint risk management’ (Cavelty and Suter, 2007: 3). Thus, the main form of collaboration in protecting critical infrastructures resides in information sharing platforms.

While the term ‘public-private partnership’ (PPP) has become popular and is often used to depict any public-private collaboration, it is important to note that this concept is not a ‘miracle solution’ that can be applied without conceptual limitations (Cavelty and Suter, 2007: 3). Instead, the term PPP does not seem appropriate in the context of critical infrastructure protection, due to its focus on lowering costs and increasing efficiency rather than on enhancing security (idem). Therefore, an alternative approach will be presented that defines a new role for the government in shaping framework conditions that facilitate cooperation without the need for constant oversight (Cavelty and Suter, 2007: 5). Network governance theory is based on the notion of self-regulating and self-organizing networks and emphasizes the role of the government in coordinating and stimulating functional networks. In the context of critical infrastructure protection, this theory seems to fit well, since ‘absolute state control and provision of security are no longer available’ in the field of protecting critical infrastructures.

The Financial Institutes Information Sharing and Analysis Centre (FI-ISAC) reflects such collaboration between public and private entities to protect the financial sector as one of the critical infrastructures in the Netherlands. The collaboration was initiated by the Netherlands Banker’s Association (NVB) in 2003 to share cyber incidents. The FI-ISAC provides an ecosystem in which trust is built among critical operators and information about root causes, incidents and threats is easily shared, making it possible for less advanced entities to learn from others (ENISA, 2017: 7). Since the FI-ISAC as a collaboration structure is under-researched and underexplored, it allows for an in-depth analysis drawing upon fifteen years of experience. Information sharing between organizations, across sectors, and at national and international level is perceived as an effective measure to increase cyber resilience in organizations, sectors and society. Therefore, exploring the FI-ISAC contributes to a better understanding of how to increase cyber resilience in the financial sector. Applying network governance theory, which perceives the FI-ISAC as a self-regulating and self-organizing network, contributes to a better insight into how the FI-ISAC organizes collaboration. Therefore, network governance theory will be used to answer the research question: What are the advantages and challenges of the collaboration structure of the FI-ISAC in the Netherlands? Since research on the FI-ISAC in the Netherlands is limited, this exploratory research will serve as a baseline for future

2. Methodology

This chapter will outline the methodology of the research. Besides elaborating on the research question, the chapter will also delineate the research method by describing the data gathering and analysis process. Additionally, the final section of this chapter will delve deeper into the constraints related to the methodology of the research and will discuss them in terms of reliability and validity.

Research question:

What are the advantages and challenges of the collaboration structure of the FI-ISAC in the Netherlands?

2.1 Case selection: Dutch Financial Information-Sharing and Analysis Center (FI-ISAC)

According to the literature, the Netherlands provides an example of successful public-private cooperation ‘at improving overall cyber security for its society in general, including government, industry, and citizens’ (Van Den Heuvel and Baltink, 2014: 118). In addition, it is stated that ‘the Netherlands leads the way in cybersecurity in several respects like its public-private partnerships in the ISACs and the Dutch banking sector’s innovative strike against cybercrime’ (Munnichs, Kouw and Kool, 2017: 37). Manley (2015) adds that the success derives from the lessons learned from failed earlier attempts. These lessons learned resulted in the current bottom-up approach that ‘moves past strict, hierarchical models and represents where all partners have an equal seat at the table’ (Manley, 2015: 94). The Dutch approach to public-private collaboration is ‘highly influenced by the poldermodel’ (Clark et al., 2014: 32). A manifestation of this consensus-building thought with a bottom-up approach is the existing collaboration between public and private entities in the Information Sharing and Analysis Centers (ISACs). ‘The ISAC system puts the Netherlands at the forefront of international developments in this area’ (Munnichs, Kouw and Kool, 2017: 40). While ENISA (2018) and Doeland (2017) conducted comparative research on the different European ISACs, contributing to a better (general) understanding of the phenomenon, an in-depth analysis is still missing. Therefore, the scope of the research will focus on the Netherlands to provide a rich and in-depth analysis of the collaboration phenomenon. In addition to its leading role in public-private cooperation on cybersecurity, the Netherlands is chosen for practical and feasibility reasons in terms of access to contacts and documents. Furthermore, the ISAC for the Financial Institutions is selected since this sectoral collaboration was the first ISAC initiated in the Netherlands; thus most lessons can be learned by drawing upon 15 years of experience.

2.2 Method

The research question serves as the basis of the research and aims to understand the Dutch FI-ISAC and its collaborative structure. This greater exploratory richness will be achieved with qualitative data gathered through expert interviews. Since the concept of the Information Sharing and Analysis Centre was initiated and established in the United States, the American model will be followed as a baseline in comprehending the conceptual term. Expert interviews will be conducted to establish a factual basis, since they provide a rich source of information in a single interview and can provide access to ‘unpublished’ information (Gillham, 2005: 59). The output derived from these interviews will be used as a source in itself. Given that research and information on the Dutch FI-ISAC are quite limited, interviews with experts are an effective source of information and aim to establish a rich(er) understanding of this organization in relation to its collaborative structure. This qualitative research is therefore explorative and descriptive in nature. In addition, this research merely explores the topic of the FI-ISAC in the Netherlands and can be perceived as an initial research that forms the basis for more conclusive research.

2.3 Operationalization

While conducting this single case study to explore the Dutch FI-ISAC collaboration structure, indicators from the theory will guide the process. To understand the Dutch FI-ISAC as a working public-private collaboration, Manley’s (2015) four crucial elements will be used to establish the foundation of the cyber partnership between public and private entities. These four elements are: trust-building, legal baseline, bottom-up approach and community involvement. In addition, the theoretical framework on network governance will be used. According to this theory, actors within these networks set rules themselves and determine responsibilities and commitment based on equality and trust, thus reflecting the self-organizing and self-governing nature of the Dutch FI-ISAC (Provan and Kenis, 2007).

2.4 Data-gathering

Information will be acquired from websites such as those of the National Cyber Security Centre and the Dutch Payments Association, Betaalvereniging. These two organizations cover the majority of the available information on the FI-ISAC. Additionally, journals that describe the Dutch FI-ISAC will be used. Interviews will be conducted with experts who are of added value due to their experience. These interviewees were contacted via email and have given permission to record the interviews. Three of the five interviews were conducted in a face-to-face setting and the remaining two via phone calls. The interviewees were selected using the snowball sampling technique, where one interviewee named other individuals who could be relevant for the research. The unstructured interview type is chosen since this plan provides flexibility balanced by structure, ‘and the quality of the data so obtained’ (Gillham, 2005: 70). The interviews will be transcribed, presented and analyzed with a discussion of the results.

2.5 The interviewees

Five interviews are conducted with experts (C-level) that are directly involved. They are chosen by their position and activities, which reflect their expertise. To safeguard their anonymity, their names will not be mentioned.

- Interviewee 1: C-level, FS-ISAC
- Interviewee 2: Liaison officer
- Interviewee 3: C-level, FI-ISAC
- Interviewee 4: Expert, National Cyber Security Centre
- Interviewee 5: Expert, Dutch Payments Association

2.6 Data-analysis

The interviews are recorded and transcribed in an unfocused manner, which reflects what has been said without indexing the time-line and without including symbols and non-verbal

where symbols, non-verbal communication and time-lines are not relevant for the analysis of the data. The transcripts will be shared with the interviewees to establish respondent validation of the data. The questions asked are not all identical, since different experts with different functions and knowledge will be interviewed. Therefore, no coding scheme will be used in analyzing the data.

2.7 Methodological constraints

Along with the several advantages that the snowball sampling technique presents, this method also has some limitations. Representativeness is the central limitation of this technique. This convenience sampling is by definition usually not representative or random. Therefore, this sampling method often reveals selection bias and has implications for external and internal validity (Cohen and Arieli, 2011: 428). Furthermore, since the interviewees depend on referrals and on the bias of the gatekeeper, snowball samples are claimed to be biased and cannot be generalized. However, since there is little (public) research available on the Dutch FI-ISAC, it is essential to receive referrals from these experts, since they are part of this private community and can facilitate the research by referring to relevant colleagues. The natural consequence is the possibility that other potential interviewees are masked because of the gatekeeper’s bias or the limitations of their social network (Cohen and Arieli, 2011: 429). These limitations result in a possible reduction of internal and external validity. The notion of ‘what we did not learn because of who would not talk to us’ reflects the methodological constraints perfectly (Groger, Mayberry and Straker, 1999: 834). However, due to the exploratory nature of this qualitative research, the research does not strive for generalization but aims to establish explanatory richness of the Dutch collaborative approach to protecting critical infrastructures within the Financial Institutions Information Sharing and Analysis Center (FI-ISAC). In addition, this research provides a baseline for future research.

3. Theoretical Framework

This chapter will form the analytical framework for the research. It starts by describing the collaboration imperative to underline the importance of cooperation in protecting critical infrastructures. This will be followed by different theories on how to organize collaboration. In addition, information sharing and its benefits within these collaborations will be described.

3.1 Collaboration imperative

Before delving into conceptual frameworks, it is important to understand the importance of cooperation between the public and private sector. The collaboration imperative will therefore serve as the basis for this chapter. According to Luiijf and Kernkamp, more than eighty percent of the critical infrastructural systems that need to be protected are privately owned and operated in most nations (2015: 27).

Figure 1: Relationship CIP and CIIP (Luiijf, 2016)

Critical Infrastructure Protection (CIP) is perceived as a crucial part of national security. Critical Infrastructures (CI) are ‘those infrastructures which are essential for the maintenance of vital societal functions, health, security, economic or social well-being of people, and the disruption or destruction of which would have serious consequences’ (Luiijf, 2016: 5). Physical disruption of critical elements of CI is not the only factor threatening the operation of CI. Luiijf additionally explains how information and communication technologies are becoming more important for CI to function. Consequently, this results in the concept of Critical Information Infrastructure (CII), ‘which comprises both critical information and (tele)communications infrastructure and ICT and process control systems that are a critical part of the CI service provisioning’ (Luiijf, 2016: 5). As figure 1 demonstrates, the Critical Information Infrastructure (CII) consists of Critical Infrastructures such as mobile telecommunication services and the ‘critical information and communication infrastructure within each of the Critical Infrastructures such as key administrative systems’, Luiijf explains (2016: 17). In addition, cyber security and cyber security strategies are closely connected to CI and CIIP. Section 3.2 will explore the concept of cyber security briefly. While this connection is evident, it is also important to note that cyber security is not a synonym for CIIP, since CIIP excludes ‘ordinary cybercrime, privacy and human rights issues and economic cyberspace matter’ (2016: 9).

The European Commission defines Critical Infrastructures as ‘those physical and information technology facilities, networks and assets which, if disrupted or destroyed, have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of government’ (European Commission, 2004: 3). While these critical infrastructures extend across many sectors, some critical elements in these sectors are not ‘strictly speaking infrastructure, but are in fact, networks or supply chains that support the delivery of an essential product or service’ (European Commission, 2004: 4). The financial sector is particularly vulnerable to cyber-attacks. The interconnectedness of individual actors, the complexity of the financial services industry and the introduction of new technologies increase the risk of a large-scale cyber-attack on the financial sector (Gray and May, 2018: 1). ‘A successful cyber-attack on one institution could spread rapidly through the interconnected financial system’ (Lagarde, 2018). As broadly defined by the European Commission, it is clear that the impact of the disruption of these critical infrastructures will be felt at all societal levels. While the majority of these critical infrastructures are owned and operated by private companies, the ‘national government will ultimately be held responsible and accountable for the mishap occurring from CI services and goods, making the private sector risk a political and governmental issue’ (The Hague Security Delta, 2015: 15). Therefore, it is pivotal that industry and government work together in order to ensure a critical infrastructure that is resilient and secure (ENISA, 2011: 5). The private sector has the expertise and experience in dealing with these threats and challenges, while the public sector has complementary strengths such as investigative advantages that are fundamental in tackling cross-border cybercrime threats (Germano, 2014: 2). Since significant expertise and access reside in both entities, collaboration is essential ‘to attain feasible and effective cybersecurity solutions’ (Germano, 2014: 3). Against this background, one can state that the public and private sector both have essential roles in managing national cyber security (Merrel and Haller, 2018).

While collaboration between both sectors is crucial, governments have the responsibility to protect these critical infrastructures against natural disasters, terrorist activities and now also cyber threats. In a world where digital and physical systems converge, critical infrastructures are connected to the internet and sharing sensitive data. Therefore, cyberattacks on these critical infrastructures are of increasing concern and severity. ‘Cyberattacks on critical infrastructure have grown increasingly sophisticated – and effected’ whether for financial, political or military gain (Deloitte, 2017).

3.2 Cyber security: a concise explanation

Although the concept of cyber security is often used interchangeably with the concept of information security, the two concepts are not ‘totally analogous’ (Von Solms and Van Niekerk, 2013). Cyber security goes beyond the boundaries of information security. ‘Information security is the protection of information, which is an asset, from possible harm resulting from various threats and vulnerabilities’ (2013: 97). Cyber security, by contrast, is fundamental not only for securing cyberspace and electronic information itself, but also for ‘the protection of those that function in cyberspace and any of their assets that can be reached via cyberspace’ (2013: 101). Building upon this notion, cyber-related threats can only be reduced ‘effectively when both the human and the technological component are taken into consideration’ (2017: 190). Therefore, cyber security problems do not only require technical solutions and countermeasures, but also ‘interventions by governments, by regulators and policy-makers, by businesses and organizations, and even by the end users themselves’ (idem). The definition used by the International Telecommunication Union (ITU) reflects the presented notions: Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets (ITU.int, 2018).

Having established the necessity for public and private entities to work together on protecting fundamental critical infrastructure against ever-evolving threats, it is important to explore how this collaboration should be organized and what it takes for the collaboration to succeed. Against this background, the next section will outline the theoretical framework of collaboration and its safeguards as they can be understood in the context of critical infrastructure protection.

3.3 Collaboration: a process of mutual beneficial interdependencies

Collaboration is defined as ‘a process in which autonomous actors interact through formal and informal negotiation, jointly creating rules and structures governing their relationship and way to act or decide on the issues that brought them together; it is a process involving shared norms and mutually beneficial interactions’ (Thomson and Perry, 2006: 23). Collaboration also refers to ‘instances in which government officials seek to fulfill a public mandate through collaboration with private firms, groups or individuals’ (Donahue and Zeckhauser, 2011: xi). In addition, the authors claim that a contract between a private firm and government does not necessarily involve collaboration, especially when the contract specifies too many details of the role of the firm. ‘Where a government grants to the private entity a significant amount of general discretion as to how to get the public job done, then the relationship is collaborative’ (Donahue and Zeckhauser, 2011: 1). Therefore, Donahue and Zeckhauser conclude that collaboration differs from ‘direct government service provision and simple contracting’, which identifies and specifies both ends and means through the contract. The relationship is in particular collaborative when the government analyzes and adapts the delegated authority over time (idem). While information sharing is pivotal for collaboration, it is not ‘sufficient for it to thrive’; the authors acknowledge that the absence of mutual benefits will be detrimental to collaboration (Thomson and Perry, 2006). Additionally, Thomson and Perry argue that organizations that collaborate must experience what they call mutually beneficial interdependencies (2006: 27). Mutually beneficial interdependencies are based either on complementarities or on shared interests, which are in general built upon homogeneity or upon acknowledging issues that go beyond the mission of the organization. Examples of these types of issues are environmental degradation or humanitarian crises (idem).

Manley (2015) outlines four elements that will additionally contribute to a more successful partnership. Based on an extensive literature review and research on strengthening cyber security structure, Manley formulated four crucial elements that should be considered in any cyber partnership between public and private entities (2015: 90). The first element includes building a high level of trust. In building a high level of trust, Manley notes that building confidence through small efforts leads to a common goal that is reached. In this context, he adds ‘success breeds confidence and confidence breeds trust’ (2015: 90). Different styles of communication can contribute to a confident and trustworthy partnership such as informal styles of communication to build personal relationships.

The second element is creating clear legal guidance. After establishing a high level of trust between the entities, the next fundamental step is a clear baseline of legal guidance to nurture this partnership. According to Manley, this can be done in two ways: through a non-legally binding (collaborative) or a legally binding (contractual) agreement. Manley argues that a collaborative partnership is the most favorable, since this type of partnership promotes ‘goodwill gestures’ and ‘collectively leverage resources for a specific goal’, but notes that it is also non-binding. In addition, Manley builds upon Osborne’s warning that rigid forms of partnership can discourage teamwork and efficiency, because operations are directed from a strict top-down hierarchy. Manley adds that strict legally binding contracts could lead to decreasing cooperation from both sides, so that the partnership would not be able to comprehend and respond to the complex nature of cyber challenges (2015: 86). According to Manley, the partnerships most conducive to teamwork and communication follow a bottom-up approach within a collaborative framework (Manley, 2015: 92). While a collaborative framework promotes goodwill and knowledge exchange, it also reflects the non-binding nature of such a framework (idem). Likewise, Wettenhall argues that ‘true partnerships involve horizontal relationships with consensual decision-making rather than vertical, hierarchically with a party superior in a controlling sense’ (2003: 91).

After establishing this clear legal baseline, the next stepping stone toward an effective partnership is a bottom-up approach. Within the PPP, participants should feel like equals, and the bottom-up approach should avoid hierarchical and strict models, since these conditions make it most likely that voluntary collaboration will stop (Manley, 2015: 94). Furthermore, a bottom-up approach allows potential cyber threats to be addressed and responded to at lower levels and at a faster pace, since the participating entities have more autonomy; the ability to respond faster to cyber-attacks makes the partnership more resilient over time (idem). The fourth element entails involvement of the community within and surrounding the entities.

While the concept of public-private partnership is often used to describe any collaboration between public and private entities, the term cannot always be applied without conceptual limitations. Therefore, the following section explores the concept of the public-private partnership in the context in which the term became popular, and then sets out the conceptual limitations of the concept in relation to critical infrastructure protection.

3.4 Public-private partnership

Public-private partnership as a concept became popular in the 1970s, during a period of bureaucratization in which skeptics signaled a crisis and identified the national state itself as its root cause (Cavelty and Suter, 2009). As a result, there was support for public bureaucracies to hand over tasks to the private sector and eventually to privatize them or carry them out in partnership with the private sector. While there is plenty of research on PPPs, there is no generally accepted definition of what constitutes a public-private partnership (Warsen et al., 2018: 1165). The European Network and Information Security Agency (ENISA) defines a public-private partnership as ‘an organized relationship between public and private organizations, which establishes common scope and objectives, and uses defined roles and work to achieve shared goals’ (2011: 12). A public-private partnership is an agreement between a government entity and a private party that transfers the risk of providing public services to private entities and promotes efficiency and productivity (Osborne, 2000). The distinguishing factor of public-private partnerships is this transfer of risk between both entities (Cooke, 2006: 2). Public-private partnerships can also be perceived as ‘relationships among government agencies and private or nonprofit contractors that should be formed when dealing with services or products of highest complexity’ (Wendell, 2002). The fundamental character of public-private partnership is to ‘exploit synergies in the joint innovative use of resources and in the application of management knowledge, with the optimal attainment of the goals of all parties involved’ (Cavelty and Suter, 2009: 2). In addition, both authors underline the importance of complementarity of goals as well as the existing


have different forms and models, ranging from informal to more formal partnerships. The degree of formality differs and depends on the amount of government control (Luiijf and Kernkamp, 2015: 29). According to ENISA (2017), countries with a longstanding tradition of strong public administration and authority have a greater distance between the public and private sector, and a highly hierarchical approach and structure is reflected in this type of partnership. By contrast, countries with a tradition of sharing power between the public authority and citizens take a different approach that reflects a less hierarchical public administration (ENISA, 2017: 18). Accordingly, the cultural dimension is one of the most crucial determinants of the manner in which these partnerships are established and developed (idem).

As mentioned earlier, the concept of the public-private partnership is often used as a ‘miracle solution’ without considering the limitations of the term in relation to its context (Cavelty and Suter, 2009: 3). ‘Generating security for citizens is a core task of the state; therefore, it is an extremely delicate matter for the government to pass on its responsibility in this area to the private sector’ (2009: 3). Without delving deeper into the discussion of how well equipped the state is to provide national security in this context, it is important to understand these challenges against the background of critical infrastructure protection. While the public-private partnership was traditionally designed to lower costs and enhance efficiency in a context of complementary goals, mutual trust and shared strategies, cooperation efforts in critical infrastructure protection are program-based, with the objective of increasing security rather than efficiency (Cavelty and Suter, 2009: 5). In addition, both authors note that the interests of the two parties in critical infrastructure protection are only partially convergent, and therefore synergies are not always easily established (idem). Carr supports this challenge to the assumed complementarity of goals and threat perceptions by stating that ‘the private sector regards cyber-security challenges as financial and reputational – not as a common public good, which is how governments regard national cyber security’ (2016: 55). Moreover, she adds that private entities develop and formulate cybersecurity strategies within a different framework and context.

Operators of critical infrastructure systems make decisions based on a business model that reflects shareholder interests and profit margins. This makes the government’s approach of promoting a ‘public good’ with common goals and shared interests incompatible with theirs (2016: 56). In addition, private firms often perceive information sharing as ‘ensuring business continuity, not as a security policy issue’ (Cavelty and Suter, 2009: 4). Some firms find it more convenient to address issues on their own without involving the government (Germano, 2014: 3). A final obstacle is the rudimentary nature of public-private partnerships: PPP in the field of critical infrastructure protection is too narrow because of the lack of horizontal and vertical integration of infrastructures. Therefore, more involvement of and cooperation with small and medium-sized enterprises is proposed, since it becomes more difficult to distinguish critical infrastructure operators from ‘regular’ companies (2009: 3-4).

After carefully considering the restrictions inherent to the PPP in relation to critical infrastructure protection, an alternative approach is presented that is more suitable for understanding collaboration in protecting critical infrastructures. The collaborative governance approach is outlined and used as a stepping stone for network governance theory, which treats networks as self-organizing and ascribes a new, coordinating role to the government.

3.5 Collaborative Governance as a theoretical foundation

Cavelty and Suter (2009) consider collaborative governance theory the appropriate starting point as a theoretical foundation for developing an alternative approach. Building on this notion, Donahue and Zeckhauser (2006) use the concept of collaborative governance in the context of critical infrastructure protection: ‘Efforts to protect vital infrastructure in the coming decades will almost certainly involve extensive interaction between business and government, frequently featuring the shared discretion that is the hallmark of collaborative governance’ (2006: 452). At the same time, the authors acknowledge the discomfort of many Americans with the notion of collaborative efforts between the public and private sector. The conventional mindset of the ‘broader public’ is that government does public work and business does private sector work, ‘each sector cultivating its own garden’ (2011: 8). Ansell and Gash define collaborative governance as ‘a governing arrangement where one or more public agencies directly engage non-state stakeholders in a collective decision-making process that is formal, consensus-oriented, and deliberative and that aims to make or implement public policy or manage public programs or assets’ (2007: 544).

(22)

In reaction to this definition, Emerson et al. argue that this view is too narrow, since it limits collaborative governance to formal, state-initiated arrangements and to engagement between government and non-government stakeholders (2012: 3). Therefore, they formulate a broader definition of collaborative governance as ‘the processes and structures of public policy decision-making and management that engage people constructively across the boundaries of public agencies, levels of government, and/or the public, private and civic spheres in order to carry out a public purpose that could not otherwise be accomplished’ (2012: 3). Defined this broadly, the concept parallels other definitions but includes a ‘wider range of emergent forms of cross-boundary governance, extending beyond the conventional focus on the public manager or the formal sector, yet also inclusive of some of the more traditional forms of cross-boundary governance such as interagency cooperation’ (Emerson and Gerlak, 2014: 769). Emerson et al. argue that collaborative governance is responsive in achieving desired impacts because the cross-boundary arrangement must generate returns for the partners in order to legitimize the involvement of their organizations (2012). If the joint action fails to achieve the identified targets, the collaborative governance regime will be pressured by its partners to make the necessary changes in targets, collaborative dynamics or investments.

The collaborative governance regime is characterized by its adaptive nature, since it is ‘more flexible, voluntary and soft-wired compared to more structured, unitary organizations with stronger incentives to maintain status quo strategies’ (Emerson et al., 2012: 19). Additionally, Cavelty and Suter examine the theoretical basis of governance theories, distinguishing the neoliberal governance approach from network governance theory (Cavelty and Suter, 2009: 4). The distinction between the two approaches can be understood as a consequence of specialization in modern societies. Due to specialization and globalization, many tasks that were once performed by the state are today handled by private firms; without the capacities and specific expert knowledge, the government is not able to fulfill these tasks on its own. Following the neoliberal approach, the government specifically defines and contractually outlines the tasks delegated to companies. By stipulating the tasks to be fulfilled, the government retains its powers and intervenes when the private sector fails to offer the necessary services. However, in the context of specialization, governments simply lack the specific expert knowledge required to ensure control over the outsourced functions.


that operates a critical infrastructure, as the level of protection depends on many technical and organizational factors which differ widely from business to business’ (Cavelty and Suter, 2009: 5). Unlike the neoliberal approach, network governance theory recognizes this and stresses the importance of shaping conditions in such a way that the network operates effectively without constant oversight (2009: 6).

3.6 Network Governance Theory

Public services are offered by ‘a plethora of independent, self-regulating, self-organizing networks’ (idem). These networks consist of actors from the public and private sector who set the rules themselves, determine responsibilities and commitments, and are thus able to monitor themselves with their own expertise. The term network is defined narrowly: the ‘focus is on groups of three or more legally autonomous organizations that work together to achieve not only their own goals but also a collective goal’ (Provan and Kenis, 2007: 3). Governance refers to the self-organizing inter-organizational networks (Zabiński, 2014). The network governance approach is characterized by a ‘horizontal process with independent interactions of interdependent entities’ (Zabiński, 2014: 49). This horizontal process embodies the negotiation of objectives on the basis of mutual relationships. Interactions within these networks take place in an institutional setting, in either a formal or an informal context. In addition, the self-regulating process demonstrates that ‘a network is not controlled from outside, even though it is subject to external constraints’. While the government is represented within these networks, it holds no authority over the other members, since decisions are reached through negotiation. The absence of a hierarchical order in the process of coordinating public and private interests is therefore of great importance (2014: 49). The independence of these networks illustrates the expression ‘governance without government’, in which the government is assigned a more coordinating role, facilitating networks with the objective that the necessary tasks are fulfilled. This new role for the government is called ‘meta-governance’ and denotes the organization of self-organization (idem). Because these networks are self-regulating and independent, they become resistant to government steering. ‘It means that the government is unable to control them, which is partly due to its limited resources, lack of legitimacy and the fact that the


In addition, network governance is distinguished into three basic forms presented by Provan and Kenis (2007). While the authors examine the effectiveness of each form, the next section briefly describes the three forms of network governance to establish a theoretical framework that contributes to a better understanding of the FI-ISAC. Due to the exploratory nature of this research, it is not possible to analyse the effectiveness of the FI-ISAC at this point.

3.7 Forms of Network Governance

Provan and Kenis (2007) identify three basic forms, or models, of network governance in an effort to build a new theory of network governance. The first and simplest form of network governance is participant governance. ‘This form is governed by the network members themselves with no separate and unique governance entity’ (2007: 234). The authors show that this type of governance can be accomplished formally or informally, through regular meetings or uncoordinated efforts. In addition, participant-governed networks can be ‘highly decentralized’, with all members participating on an equal basis in the process. This is referred to as shared participant governance (2007: 234). In contrast to such shared participant-governed networks, it is also possible for networks to be ‘highly centralized’ and ‘governed by and through a lead organization that is a network member’ (idem). Members of a shared participant-governed network count on the commitment and participation of all: ‘Only by having all network members participate, on an equal basis, will participants be committed to the goals of the network’ (Provan and Kenis, 2007: 234). Additionally, the authors explain that under shared network governance the members collectively make decisions and manage the activities of the network (2007: 235).

The second form of network governance is the lead organization-governed network, which often occurs in ‘vertical, buyer-supplier relationships, especially when there is a single powerful, often large, buyer/supplier/funder and several weaker and smaller supplier/buyer/resource recipient firms’ (idem). In a lead organization-governed network, all network activities and essential decisions are coordinated by a ‘single participating member, acting as a lead organization’. This governance model is therefore characterized as centralized and brokered, with asymmetrical power (2007: 236).


The third form of network governance is the network administrative organization, also known as the NAO model. ‘The basic idea is that a separate administrative entity is set up specifically to govern the network and its activities’ (idem). The NAO plays a coordinating and sustaining role in the network. However, unlike the lead organization in the previous model, the NAO is not itself a member organization providing its own services to the network. The NAO can be a government body or a non-profit, and is often government-run when a network is first established, to support its growth by facilitating the network and ensuring that its goals are met (2007: 236). The authors argue that the successful adoption of a particular governance model depends on trust, size (number of participants), goal consensus and the nature of the task (2007: 237). ‘When trust becomes less densely distributed within the network, as the number of participants gets larger, as network goal consensus declines, and as the need for network-level competencies increases, brokered forms of network governance are likely to become more effective’ (2007: 237).

While these models provide a clear categorization and conceptualization of the different forms of network governance, it is important to take into account that these models reflect theoretical ideal types (Boeke, 2017). ‘In practice, institutional constructs and procedures often display a combination of characteristics, and elude a clear categorization’ (Boeke, 2017: 451). In addition, once a form of the network governance is decided, it is up to the managers to lead and manage the network. Therefore, it is essential that the managers recognize tensions, regardless of the adopted form, that are latent to network governance (Provan and Kenis, 2007: 14).

3.8 Network Governance and its tensions

Tensions that are inherent to network governance should be carefully considered. By understanding these tensions, Provan and Kenis offer an analysis of network effectiveness in which tackling the tensions can result in network evolution. While the purpose of this research is not to examine the network effectiveness of the FI-ISAC, acknowledging the tensions contributes to a better understanding of the challenges related to its collaboration structure. The first tension is Efficiency versus Inclusivity: the tension between the ‘need for administrative efficiency in network governance and the need for member involvement, through inclusive decision-making’ (idem). Inclusiveness is seldom an efficient endeavor: in collaborations where trust-building among partners is fundamental, involving more members makes the process more time consuming and resource intensive. In addition, the authors point to the risk of burnout for participants in a shared-governed form of governance, since the involvement of these enthusiastic participants ‘takes an increased toll on their time and energies’ (2007: 14). Within a shared-governed structure, there is a chance that a small group of participants ends up doing most of the work, which can eventually lead to a drop in enthusiasm as frustration grows. A proposed solution is a shift towards a lead organization form, where this burden can be reduced. Furthermore, the NAO model offers a ‘greater balance’ than the other forms, since it allows for ‘structured and representative participation for key issues while having a staff assume more routine administrative burdens’ (2007: 15).

The second tension is Internal versus External Legitimacy. The authors note that members, especially competing and diverse participants, must believe in the mutual benefits of collaborating in such a network. The facilitator has a key role in building trust among these participants and coordinating their internal needs. The tension emerges when the internal legitimacy of the participants does not match the demands of external legitimacy (Provan and Kenis, 2007: 15).

The third tension within network governance is Flexibility versus Stability. Networks are often characterized by their flexible and adaptive nature, which allows organizations to respond promptly to threats and opportunities. However, networks that do not focus on short-term projects must focus on sustainment. ‘Stable networks mean that participants can develop long-term relationships with at least some other members, so that each understands the other’s strengths and weaknesses and respond accordingly to maximize network outcomes’ (Provan and Kenis, 2007: 17). While flexibility allows quick responses, stability provides consistent responses.

Furthermore, a final issue of network governance concerns network evolution. What happens when a network needs to change its form? A network can avoid such change, at the risk that it will be ‘either ineffective or fail’. This problem arises in particular when a mandated network was imposed with a form that does not suit it. On the other hand, a network and its management may be willing to adopt a different network governance form. When a shared-governed network attracts more participants, the needs and demands on its current governance structure will most likely change. ‘At this point, network-level managers can either struggle with the current governance form, which is likely to become increasingly ineffective, or shift to a different form that is consistent with having more participants, less dense trust relations and so on’ (Provan and Kenis, 2007: 18). Additionally, it is important to note that evolution of the network governance form is not a natural process but a specific choice that must be made by the participants of a network (idem).

While both collaborative governance and network governance, as outlined above, are appropriate in the context of critical infrastructure protection because of their self-organizing and adaptive nature, the two concepts seem interchangeable, as the lines between them are blurred. In addition, collaborative governance can be perceived and used as an umbrella concept spanning different disciplines, while network governance is a mode of governing, just like the neoliberal approach. Therefore, network governance theory will be used to analyze the collaboration structure of the FI-ISAC in the Netherlands, with its advantages and disadvantages. The FI-ISAC reflects cooperation between private firms and a government body that are connected through informal ties and work together in a non-hierarchical relationship to exchange information. After establishing the appropriate theoretical framework on collaboration in the context of critical infrastructure protection, the next section of this chapter elaborates on how information is shared within these networks.

3.9 Understanding the need to exchange information in networks

For collaboration to succeed, Carr points out that safeguards must be in place to stimulate all entities to share information in a manner that protects confidentiality and takes competitive concerns into account (2016: 47). In this context, secure and trusted information-sharing is of crucial importance so that cyber alerts and classified or sensitive information can be shared in a timely manner between both parties (Choo, 2011: 726).


The immediate need for information sharing in critical infrastructure protection originates from the President’s Commission on Critical Infrastructure Protection (PCCIP), established by former president Bill Clinton (Cavelty and Suter, 2009: 2). The initial task of the Commission was to assess risks and establish defensive mechanisms. The Commission was staffed from all government departments and expanded the range of actors by including critical infrastructure operators. ‘This approach rested on the assumption that security policy in the case of critical infrastructure protection could no longer be the exclusive domain of the state and implied shared responsibility’ (Cavelty and Suter, 2009: 3). This assumption and the expansion of the traditional core of security policy resulted in ‘the most immediate need’ for information sharing between all important actors in the protection of critical infrastructure systems (idem). As a result, the Commission framed critical infrastructure protection as a public-private partnership, which led to the establishment of Information Sharing and Analysis Centres (ISACs). The period of political debate on cybersecurity was influenced by what was called the ‘post 9/11 theme on connecting the dots between policymakers and private sector’ in expanding information exchange (Sedenberg and Dempsey, 2018: 2). The core assumption behind this rationale was that more information (sharing) would lead to more secure systems through remediation and preventive measures (idem).

The National Institute of Standards and Technology (NIST) has published guidelines for organizations to establish and participate in cyber threat information sharing (Johnson et al., 2016, NIST Special Publication 800-150). These guidelines respond to cyber-attacks that are becoming more frequent and sophisticated. In order to improve their ‘security posture’ against the most capable threat actors, it is pivotal for organizations to exchange information that helps them identify, assess, monitor and respond to cyber threats (2016: 4). By sharing information, organizations gain a more complete understanding of the threats they potentially face, which results in better-informed decision-making on mitigation strategies, threat detection approaches and defensive capabilities. Accordingly, the authors point out that by ‘correlating and analyzing cyber threat information from multiple sources, an organization can also enrich existing information and make it more actionable’ (2016: 1).

By quoting Tony Sager on ‘allowing one organization’s detection to become another’s prevention’, Johnson et al. (2016) outline the importance of this paradigm for advancing the overall security of organizations that actively exchange information. The benefits of exchanging threat information arise from the fact that peer organizations may face common threats (2016: 3). Therefore, cyber defense is most effective when organizations cooperate and defend together against well-organized actors with sophisticated attacks (idem). Johnson et al. (2016) identify four advantages of sharing cyber threat information for an organization:

1. Threat information sharing enhances the shared situational awareness of an organization. Even a single new indicator or observation can increase the awareness and security of an organization or community.

2. By using shared information, organizations can inform their cybersecurity and management practices, resulting in an improved security posture.

3. Organizations can improve the value of their data and gain insights that would otherwise remain unavailable; collaboratively enriching information leads to knowledge maturation.

4. Sharing threat information contributes to a better understanding of the threat environment. An organization can thus ‘identify affected platforms or systems, implement protective measures, enhance detection capabilities, and more effectively respond and recover from incidents based on observed changes in the threat environment’. Sharing information therefore goes hand in hand with greater defensive agility.

While threat information sharing clearly has benefits, the related challenges must also be considered. Building trusted relationships is at the core of information sharing and demands effort to establish and maintain trust (Johnson et al., 2016); regular phone calls, in-person meetings and social media contribute to the trust-building process. Safeguarding sensitive and classified information can be challenging for organizations. Accordingly, organizations should apply handling designations to shared information in order to manage the risks of disclosure of sensitive information. In addition, achieving interoperability and automation can be a challenge, since adopting common formats and protocols is time-consuming and requires resources, and ‘the value of these investments can be substantially reduced if sharing partners require different protocols or formats’ (2016: 4).


In order to build trusted relationships and safeguard information sharing, mutually agreed procedures on how to distribute sensitive information are essential. While there are many methods of information designation, the Traffic Light Protocol (TLP) is outlined here because this model is commonly used in Information Sharing and Analysis Centres (ISACs) and is therefore the most relevant for the purpose of this research. The TLP is a tool for exchanging information within a trusted community, often used in collaborations between public and private entities (ENISA, 2007: 32). ‘TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience and it employs four colors to indicate expected sharing boundaries to be applied by the recipients’ (FIRST, 2018). The four colors used in the TLP are red, amber, green and white:

- TLP: RED indicates that information is not for disclosure and is restricted to participants only. In the context of a meeting, this means that information is limited to those present at the meeting. Information with TLP: RED should be exchanged verbally or in person (idem).

- TLP: AMBER indicates limited disclosure: members may exchange the information within their own organization and with clients or customers who need that particular information to protect themselves or to prevent further harm.

- TLP: GREEN information has limited disclosure and is restricted to one’s community. Members may share the information with peers and partner organizations within the community or sector, but not through publicly accessible channels. Information designated green therefore cannot be shared outside of the community.

- TLP: WHITE designates information whose disclosure is not limited. The information may be disseminated without any restriction (FIRST, 2018).

In addition, members receive information from external sources such as IT security companies (ENISA, 2007: 31). While some ISACs use the TLP, others distribute information through a mailing list that indicates the source.

The TLP method is comparatively simple, since the responsibilities of the receiver and the originator are very clear. The challenging part of the method, however, is ‘for those who provide RED labelled information to consider how to provide related actionable Amber labelled information’ (Luiijf and Kernkamp, 2015: 38).
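The sharing boundaries described above are simple enough to be enforced mechanically, for instance in an ISAC member's outbound sharing platform. The following Python script is an added example, not code from this thesis or from any ISAC: it encodes the four TLP colours as described by FIRST (2018) and filters a constructed sample feed per recipient type. The recipient categories (meeting participant, own organization, client, sector community, public), the assumption that each wider colour also reaches the narrower audiences, and the rule that an automated channel never transmits TLP: RED (because RED is meant to be exchanged verbally or in person) are modelling choices of this example and are not spelled out in the text.

```python
"""Enforce TLP sharing boundaries on an outbound indicator feed.

Added example, not part of the thesis. Models the four TLP colours
(FIRST, 2018: RED, AMBER, GREEN, WHITE) and decides, per recipient
type, which items of a constructed sample feed may be forwarded.
The recipient categories and the nesting of audiences are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List


class Tlp(str, Enum):
    RED = "RED"
    AMBER = "AMBER"
    GREEN = "GREEN"
    WHITE = "WHITE"


class Audience(str, Enum):
    PARTICIPANT = "participant"  # present at the meeting / exchange
    OWN_ORG = "own_org"          # colleague inside the recipient's organization
    CLIENT = "client"            # customer who needs it to protect itself
    COMMUNITY = "community"      # peer or partner inside the sector community
    PUBLIC = "public"            # publicly accessible channel


@dataclass(frozen=True)
class Indicator:
    value: str
    tlp: Tlp
    source: str


# Audiences each colour may reach. Assumed nesting: a wider colour also
# reaches every narrower audience (e.g. GREEN reaches clients); the
# thesis text does not state this explicitly.
ALLOWED = {
    Tlp.RED: {Audience.PARTICIPANT},
    Tlp.AMBER: {Audience.PARTICIPANT, Audience.OWN_ORG, Audience.CLIENT},
    Tlp.GREEN: {Audience.PARTICIPANT, Audience.OWN_ORG, Audience.CLIENT,
                Audience.COMMUNITY},
    Tlp.WHITE: set(Audience),
}


def may_share(tlp: Tlp, audience: Audience, automated: bool = False) -> bool:
    """Return True if an item labelled `tlp` may be given to `audience`.

    RED is additionally refused on any automated (electronic) channel,
    because it is meant to be exchanged verbally or in person only.
    """
    if automated and tlp is Tlp.RED:
        return False
    return audience in ALLOWED[tlp]


def parse_label(label: str) -> Tlp:
    """Parse 'TLP:AMBER' / 'tlp: green' style labels; reject unknown ones."""
    name = label.upper().replace(" ", "")
    if not name.startswith("TLP:"):
        raise ValueError(f"not a TLP label: {label!r}")
    try:
        return Tlp(name[4:])
    except ValueError:
        raise ValueError(f"unknown TLP colour in {label!r}") from None


def is_valid_label(label: str) -> bool:
    """True if `label` is a recognised TLP designation."""
    try:
        parse_label(label)
        return True
    except ValueError:
        return False


def filter_feed(items: Iterable[Indicator], audience: Audience,
                automated: bool = True) -> List[Indicator]:
    """Return the subset of `items` that may be sent to `audience`.

    Items that may not be shared are dropped, never relabelled: producing
    an actionable AMBER version of RED information remains a task for the
    originator, as the text above notes.
    """
    return [i for i in items if may_share(i.tlp, audience, automated)]


# Constructed sample feed (placeholder values, not real indicators).
SAMPLE_FEED = [
    Indicator("203.0.113.7", Tlp.RED, "member-A"),
    Indicator("phish-login.example", Tlp.AMBER, "member-B"),
    Indicator("198.51.100.22", Tlp.GREEN, "sector-CERT"),
    Indicator("public-advisory-summary", Tlp.WHITE, "vendor"),
]

if __name__ == "__main__":
    for aud in Audience:
        shared = [i.value for i in filter_feed(SAMPLE_FEED, aud)]
        print(f"{aud.value:>12}: {shared}")
```

Running the script prints, for each recipient type, which of the four sample items an automated channel may forward; only the public audience receives nothing but the WHITE item, and no automated recipient ever receives the RED item.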


3.10 Deriving a Framework

The theoretical frameworks discussed above provide the foundation for the theoretical underpinnings of this research and the scope of the analysis. Network governance theory allows the FI-ISAC to be analyzed as a self-regulating and self-organizing network of competing organizations that share information with each other to strengthen their own cyber defense and, collectively, the cyber defense of the financial sector. Network governance theory also allows the research to describe the governance form of the FI-ISAC network. Drawing upon fifteen years of experience, network governance theory will shed light on how (competing) organizations collaborate with each other when sharing sensitive information in a trusted community.


4. Information Sharing and Analysis Centres (ISACs)

Before exploring the Dutch FI-ISAC, it is important to understand the conceptual framework of the Information Sharing and Analysis Centre (ISAC). This chapter therefore describes how ISACs can provide a platform that stimulates cooperation between the public and private sector to protect critical infrastructure through information sharing. It is important to note that this conceptual section is based on the American approach, since ISACs were first initiated and established in the United States. Accordingly, this chapter serves as a starting point for understanding the ISAC in its conceptual context.

Information Sharing and Analysis Centers (ISACs) are dedicated to increasing sectoral cybersecurity through information sharing and the exchange of best practices in a trusted forum (Clark et al., 2014: 32). ISACs build upon a foundation of public-private collaboration to promote the gathering of information about a range of security threats and to distribute that information among government entities, private-sector member firms and law enforcement (Cheney, 2010: 6). ‘By sharing information about information security breaches and attempted breaches, ISACs seek to promote the sharing of information about the threat environment that is common to all its members’ (Gordon, Loeb and Lucyshyn, 2002: 6). Organizations can use their participation in an ISAC to signal their dedication to cyber security, which may even result in increased sales (Ghose and Gal-or, 2004: 2002). Additionally, Ghose and Gal-or (2004) state that participation in an ISAC could act as a deterrent to cybercriminals.

4.1 A brief history

The term ISAC was first introduced after Presidential Decision Directive 63 (PDD-63) was signed in 1998; the directive reflected the need to establish sector-specific organizations to share information about vulnerabilities and threats (National Council of ISACs, 2018). Consequently, the first ISAC was established by the financial services sector in 1999. PDD-63 was superseded by Homeland Security Presidential Directive 7 in 2003, with the mandate to share information about ‘physical and cyber security threats and vulnerabilities to help the U.S. critical infrastructure’ (FSISAC.com, 2018). Prieto argues that a couple of ISACs were created as a result of PDD-63, but underlines that the 9/11 terrorist attacks highlighted the necessity of information sharing to address terrorism and stimulated the creation of new ISACs (2006: 406). Nelson, former FS-ISAC president, adds that despite presidential support, information sharing through ISACs progressed slowly: ‘Trust must be earned, and businesses were cautious to share any kind of information with what were arguably competitors’ (Nelson, 2018). Over time, however, organizations began to recognize the added value of the ISAC community. Today, the FS-ISAC is a global community of nearly 7,000 members across 38 countries (idem). ‘It has taken 18 years for the process of information sharing within a community like FS-ISAC to take hold among global financial institutions. Good things take time, and information sharing is no different’ (Nelson, 2018). As mentioned earlier, PDD-63 drove the development of the ISACs to ‘serve as mechanisms for gathering, analyzing, and disseminating information on infrastructure threats and vulnerabilities to and from private infrastructure sectors and the federal government’ (United States General Accounting Office, 2006). Initially, Clinton’s directive contemplated a single center that would cover all of the private sector (Sedenberg and Dempsey, 2018: 10). In the years that followed, however, various ISACs were created on an ‘industry-specific basis to share data on a peer-to-peer basis, to feed information into the federal government and to provide a channel for federal information to flow out to the private sector’ (Sedenberg and Dempsey, 2018: 10-11).

While their overall missions were similar, ISACs were established around the unique characteristics and needs of their sector, leaving their functions and design to be decided by the sector that formed them (Relyea, 2004: 427). ISACs therefore vary in operational arrangements, management, business models and funding mechanisms, which are explored in the following section (Relyea, 2004: 429).

4.2 Structures, Operations and Business models

The various ISACs have adopted different management arrangements and operations to meet the needs and requirements of their sectors. This section outlines the business models, funding mechanisms and communication methods in use, in order to understand the varying structures and operations of ISACs. Most ISACs are operated and managed as private entities, such as the Financial Services, Chemical, Electricity Sector, Food, Information Technology, Public Transit, Real Estate, Surface Transportation, Highway and Water ISACs. Other ISACs are established as part of an association that represents a critical infrastructure sector or a segment of it; examples are the Water ISAC, managed by the Association of Metropolitan Water Authorities, and the Chemical ISAC, operated by the American Chemistry Council, an industry association. Moreover, some ISACs have alliances with government agencies, and some are operated by government agencies in partnership with the private sector, such as the Telecommunications ISAC, which is funded by the Department of Homeland Security’s National Communications System and National Coordinating Center (NCC) (GAO, 2004: 17).

Besides the varying business models, the (evolving) legal structures also differ per ISAC. The Financial Services ISAC started in 1999 as a limited liability corporation and evolved into a non-stock corporation managed by a board of directors with representatives from the Financial Services ISAC. The change from a limited liability corporation to a non-stock corporation was made to simplify the membership arrangements and the process of acquiring public funding (2004: 18). The Energy ISAC similarly evolved from a limited liability corporation into a non-profit charitable organization in order to remove membership barriers.

Funding mechanisms range from fee-for-service and associate sponsorship to grants, contracts, and voluntary or in-kind contributions by ISAC members (idem). The Financial Services, Information Technology and Water ISACs use the fee-for-service funding mechanism, which provides a layered membership structure for the services offered. ‘These tiers typically include some basic level of service that is provided at minimal or no cost to the member and additional tiers that provide - for a fee - more personalized service and access to additional resources’ (GAO, 2004: 14). To avoid membership barriers, the Financial Services ISAC transformed its model into a layered fee-for-service model with five levels of service, whose membership cost rises with the information and analytical services provided:

- Basic (free of charge);

- Core ($750 annually);
