Note: I published this piece several years ago. I’d certainly like to understand if anything has changed for the better in this regard.
An effective Information Sharing mechanism boils down to trust.
Like most, I have had the pleasure of meeting people working in the security industry across this country through a number of venues. Like many affiliations these days, while we only get to see each other at a conference or marketing event once in a while, we are typically connected virtually through discussion boards and close-knit forums, which give us the opportunity to continue broad and specific discussions at our leisure.
Over time you get a good sense of the people you deal with on a day-to-day basis. Familiarity flourishes, giving you the latitude to establish trust in the people you are engaging. Trust is the foundation of any successful Information Sharing paradigm. Any effort to initiate a program for sharing information in and around information security is doomed to failure unless it is initiated by and with people who have already established professional or personal relationships and trust each other.
There are two core facets to trust: first, you have to be willing to receive and accept information, and second, you have to be prepared to share true and accurate information. This shouldn’t be too difficult in an industry that is inundated with codes of ethics, security clearances and the like. Do anything to set the precedent that you are untrustworthy, and the matrix will unravel.
Why has it been so difficult, then, for the Government of Canada to initiate an information sharing program around Critical Infrastructure? Lack of trust.
Participants inside and outside the Government don’t trust each other. Internally, basic human instincts are dictating how people decide to engage each other interdepartmentally. A number of Government stakeholders are competing with each other over the mandate. Careerism also takes its toll on the evolution. External participants will not share information because the Department with the mandate has introduced clauses in its legislation that will not protect the proprietary information of the participants from disclosure. What kind of trust model is that? Is it unreasonable to be reticent if the security of your company’s proprietary information is subject to a simple Access to Information Request?
There are some models for this kind of collaboration that have been successful for a long time. I refer to the ITAC Cyber Security Forum, an industry-government policy roundtable that has been meeting at least quarterly since 2000. A great deal has been achieved by that group, and they are a good example of thought leadership and information sharing. It is an excellent example for other like-minded groups. The collaboration that goes on around international certification providers, like that of the CISSP program at www.ISC2.org, is another good example. While it’s not Canadian, the participants certainly put a Canadian identity to their contributions. Other virtual collaborative groups, such as the forum sponsored by Winnipeg’s Dan Swanson, have global reach in the audit and security spaces, where there is no discernible cultural differentiation.
Associations like the Information Systems Security Assoc. (ISSA), Armed Forces Communications & Electronics Assoc. (AFCEA), and the Federal Assoc. of Security Officials (FASO) all have the ability to drive this agenda. However, because they are regionalized and do not have the mechanisms in place to easily push a national agenda with cooperation among all the facets of Critical Infrastructure, they are perhaps ill-suited for the task.
The Crown has taken the opportunity to listen to the successes of other government bodies within the “trusted” community. They solicited advice from subject matter experts in Canada and abroad to listen and share their views on what would work best. There was discussion around the need for proper information management and categorization in the private sector, security clearances and the like that would facilitate a higher trust level.
Perhaps the truly workable solution is not one hosted or moderated by the Government. There are many public companies with the expertise who share the Crown’s concern that we need a better grasp of the security threats to Canada’s critical infrastructure. Many of these organizations are already set to participate, given that they assisted the Crown stakeholders in the evolution that is Critical Infrastructure Protection in this country. However, the Government of Canada should take a long hard look at what works. Perhaps a public/private partnership will elicit the necessary mechanisms to make cross-sector information sharing, in the form of the US Information Sharing and Analysis Centers or InfraGard, possible.
It will take some investment, but anything is better than waiting another seven years for this part of a mandate to unfold.