Championing Information Sharing: The Launch of CI-ISAC International
Cybersecurity is more successful when it is a team game rather than an individual effort, and information sharing plays a key role in this collaborative success. This is why Information Sharing and Analysis Centers (ISACs) have been set up around the world for critical infrastructure sectors. ISACs help industries share central information and resources to help combat cybersecurity threats across the sector. However, cybersecurity threats are usually sector agnostic and the siloed approach provided by ISACs as well as the political hesitancy has led to a lack of critical transparency and data availability. In his more than fifteen years in cybersecurity, Scott Flower together with David Robinson and David Sandell recognised this problem and understood he had to do something to help global cyber defences.
Just last year, Critical Infrastructure Information Sharing and Analysis Centre, Australia (CI-ISAC Australia) was founded as “the world’s first cross-sector integrated approach to ISACs,” shared Scott. CI-ISAC Australia is now the basis for other national CI-ISACs as it solved one of the key problems in setting up such organisations, economic scale. Australia for example only has four major banks and less than 30 second-tier banks or financial institutions, making reaching a sustainable scale near impossible at a local level. CI-ISAC solved this by integrating all sectors into a single source, greatly increasing the scale possibility for each CI-ISAC.
Not only did this allow for economies of scale, it opened a whole of nation approach that allows for more integrated and open information sharing. Scott added that “more than two-thirds of all cyber threats are third party or supply chain in nature. So if you are sharing well in any one sector, you are missing at least two-thirds of the information you need to defend yourself.” In addition to the economic issue, there is an issue of sovereignty within classical ISACs. Because most large ISACs are run from single countries such as the US, companies are hesitant to share critical data and join purely out of regulatory compliance. Having individualised, sovereign national branches of ISACs through CI-ISAC, it eliminates the issue of control from an outside state. CI-ISAC is hoping to open as many national, independently run branches as possible, with its international office (CI-ISAC International) based in The Hague.
CI-ISAC International is a not-for profit organisation that Scott hopes will function similar to the UN with each country’s CI-ISAC having equal say and representation within the international body. ISACs are faced with commercial issues when started as for-profit business and national security and regulatory conflicts when created by national governments. By creating CI-ISAC as an NGO, they are able to avoid such conflicts and build their organisation with a mission focused approached. Each national branch can “verify, check, and share all that intelligence at a sovereign national level, but then also sharing it globally. [This] is when you start to really understand the threat actor picture at a global scale, [and] is when everyone’s able to share in a trusted environment and have transparent oversight,” as explained by Scott.
CI-ISAC has developed a technological solution that enables deep data collection and cross-sector integration of that data. Scott remarked that it is “a very important technical solution that doesn’t, to my knowledge, even with the major vendors that are out there, exist to the same level that we’ve built.” Bundled together with CI-ISAC International’s constitution, every new CI-ISAC will be freely given the tools needed to succeed on a national level and to provide assistance and intelligence on a global scale. By providing these free resources, Scott is hoping to find “people in every country around the world who are secure cyber security practitioners, who believe that their country deserves a better system than what they currently have.” There are currently passionate practitioners who are looking to set up CI-ISACs in the Netherlands and Brazil.
When looking at where to open an international, enablement entity, the Netherlands was at the top of CI-ISACs search. Scott pointed to The Hague as the best fit due to the presence of the International Court of Justice and the International Criminal Court and its place as the home of international law. With assistance from Philip Meijer of Innovationquarter, Security Delta (HSD), and their new home at HSD Campus, Scott has been supported in accessing different governmental networks, funding opportunities, and bringing attention to CI-ISAC’s mission. Their motto “Trusted local, equals trusted global” encapsulates their mission and relays the importance of national CI-ISACs together with their international NGO in The Hague. The official launch of CI-ISAC International took place during the ONE Conference on October 1st and 2nd. Their official website will be launching soon but if you would like to learn more about about CI-ISAC, CI-ISAC Australia website can be found here.

Get in touch with us.