Chapter 2: Three Approaches

The following three approaches demonstrate how proper leadership, organization, governance, and prioritization can succeed in fostering information sharing, improving defensive efforts across the entire ecosystem, streamlining incident response processes, and supporting workforce development programs.

While these are not the only valid means of solving the problems and threats described above, it is worth delving deeply into the selected case studies to analyze the specific factors enabling their success. As we detangle the skeins of cross-sector solutions, we can thereby tease out the threads of lessons learned regarding the dependencies for that success, and form a greater understanding of the challenges faced by policymakers and operators using each model. This section provides a summary of each case study; a full analysis for each is provided in Appendices I-III.

Part I: The Community Approach (Arizona)

Timely, actionable information sharing is a pervasive challenge throughout the cybersecurity community. The 24 Information Sharing and Analysis Centers (ISACs) and numerous Information Sharing and Analysis Organizations (ISAOs) provide information sharing capabilities and services to widely varying degrees of comprehensiveness, but few take a cross-sectoral approach and even fewer provide regularly valuable and dependable information to their members.

Box 2

ISACs and ISAOs

Information Sharing and Analysis Centers (ISACs) were first introduced in 1999 pursuant to the Presidential Decision Directive-63 (PDD-63) signed in 1998. These sector-specific organizations, linked to each of the established Critical Infrastructure Key Resource (CI/KR) sectors, are established by the owners and operators of that sector to provide sector-based threat analysis and information sharing.[1]

Executive Order (EO) 13691, signed in 2015, set forth the concept of the Information Sharing and Analysis Organizations (ISAOs) as communities for disseminating information across a specific region or in response to a specific threat. ISAOs often are cross-sector organizations and can expand beyond the critical infrastructure designated industries. Many are not-for-profits, but they do not need to be. ISAO structure is designed to be flexible to fit the tailored needs of each constituent group.[2]

Both ISACs and ISAOs can diverge in size and scope, with some organizations providing sophisticated services such as near real-time analysis and monitoring, training, or briefings, and others less capable of doing so.

The State of Arizona and the Arizona Cyber Threat Response Alliance (ACTRA) have formed a partnership that has achieved notable success in facilitating, supporting, and encouraging the sharing of real, actionable information on cyber threats and vulnerabilities. This relationship has been built over time and is based on a foundation of trust, which is essential for facilitating information sharing efforts. Additionally, ACTRA runs its own workforce development programs, underpinning such efforts across the state in cooperation with the Chamber of Commerce. By pairing knowledge of need with capability of risk reduction and response, it helps to provide critical resources to cybersecurity defensive efforts in both the public and private sectors.

There are challenges with using a private sector-driven and local approach: fostering a collaborative environment focused on the common good, adequately reaching and serving organizations outside of the core area, and overcoming members’ resource limitations [funding] and self-interest. To create a mutually beneficial environment and encourage participation from across the private and public sectors, strong leadership from both sides is needed. Furthermore, members must trust that they have anonymity when desired, and also that their counterparts in other organizations and across the government are sharing back into the system just as they are. Such a scenario requires a reliable partnership with state entities, participation from the federal government, and the development of a cybersecurity community that reaches across sectors. ACTRA, which serves as an interface between its private sector members and its public sector partners, provides a buffer that engenders faith in the anonymity and effective dissemination of information.

Part II: The Bureaucratic Superstructure Approach (New Jersey)

Legacy bureaucratic structure, based on long past legislative authorities or historical agency mission statements, which are often heavily sector-specific, segments responsibility for cybersecurity between multiple agencies and state officials. By standing up the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) and consolidating services through a shared model, New Jersey has been able to increase the breadth and quality of its monitoring services, expand its information sharing and educational initiatives to reach organizations and individuals across multiple sectors, and increase its efficiency across developing cybersecurity priorities. Especially important to this consolidation and coordination is offering state and external partners a single point of contact for cyber concerns.

The NJCCIC serves as the central coordinating, and in some cases, also the operational arm of cybersecurity within New Jersey. Its four branches provide monitoring and incident response services across the executive branch, cyber threat analysis and dissemination, risk and compliance assessments, and external services. The NJCCIC works with internal and external stakeholders already existing within the state, but also provides a new suite of services that operate across relevant agencies and sectors. One of the keys to the NJCCIC’s success is its brand and recognition—it has become the locus for external stakeholders to report incidents and disseminate information to organizations within New Jersey and for entities seeking updated information.

However, operating such an organization is heavily resource dependent, and like many other states, New Jersey faces challenges with recruiting talent. Furthermore, this public-sector driven approach does not engender the kind of effusive two-way sharing that the ACTRA model does, although it provides a reliable system for dissemination to the private sector and improved coordinated defense to New Jersey’s executive branch agencies. This tradeoff between centralized public sector coordination and control, and more diffuse cross-sector governance models highlights important concessions that come with any particular model of administrative structure.

Placing the CISO under the aegis of the Homeland Security Office in New Jersey sends a strong message that cybersecurity is not just an IT problem, and gives the state CISO a mandate to expand cybersecurity planning across state agencies. However, funding gaps and/or a mismatch in strategy from the state’s information technology apparatus can challenge efforts to update legacy systems and implement new security tools.

Achieving cybersecurity goals by creating an extra-bureaucratic structure is dependent on executive support from the governor and cabinet across successive administrations, consistent funding sources, and a protracted willingness to collaborate with partners and customers across multiple sectors—factors that all introduce a certain risk of inconsistency over time.

Part III: The Multidisciplinary Approach (Washington)

The state of Washington has taken the shared services model to its full maturity, with IT services centralized through the Office of the Chief Information Officer (CIO) in the Washington Technology Solutions department (WaTech) and through the Office of the Chief Information Security Officer, who reports directly to the CIO. Washington is also notable for its multidisciplinary approach to cybersecurity, extending responsibility outside of the information technology community to the emergency management and military departments of the state bureaucracy.

Institutionalized mechanisms for cooperation between departments increase the longevity of a cybersecurity program and increase efficiency for multistakeholder operations. Such an approach in Washington has enabled a substantial cybersecurity exercise program that reaches across stakeholders, sectors, and partnerships, improving pre-incident planning and information sharing initiatives. Washington has taken the lead nationally in its use of the National Guard to increase the defensive posture of critical infrastructure partners across the state, provide Guard units a way to gain experience with live state and private sector systems, and create an avenue for communications prior to an incident. This kind of capacity building is valuable for developing competencies within these units, but also has the potential to offer benefits in the case of an incident response that requires these units to support the owners of these networks.

Washington’s shared services model has improved compliance, security, and visibility across the executive branch of government. The bifurcation between the office of the CIO and the Departments of Emergency Management and Military Affairs, however, has created occasional friction resulting from conflicting priorities and authorities. Related to this challenge, the lack of a single voice on cybersecurity has created challenges for the State in disseminating and gathering information.

Still, the achievements of this model are substantial, and have been supported by strong state leadership and legislative efforts to canonize the new organizations and authorities. Washington has thereby created an ingrained structure and platform from which to engage with stakeholders across public and private sectors and take advantage of available talent and partnerships.

Citations
  1. About ISACs. (n.d.). Retrieved from National Council of ISACs: source
  2. Information Sharing and Analysis Organization Standards Organization (ISAO SO). (2016, 10 14). Introduction to Information Sharing and Analysis Organizations (ISAOs) v1.01. Retrieved from ISAO Standards Organization: source
