Do enterprises and other organizations need a CDC-like entity to help them in their fight against cyber attacks?
The Society for Information Management (SIM) thinks they might. Madeline Weiss, director of SIM’s Advanced Practices Council (APC), said the group is evaluating whether it’s time to create what she terms “a CDC for cybersecurity,” modeled after the U.S. Centers for Disease Control and Prevention. To that end, an APC task force last month drafted a proposal for such a body, dubbed the CIO Coalition for Open Security. Its goal? To create a framework in which companies can work together, across industries, and share information about malicious cyber activities—much like the CDC collects data and issues bulletins about outbreaks and other health-related developments to the nation as a whole.
The APC is no slouch. The council comprises 33 senior IT executives, most of whom are CIOs employed by large multinational corporations and government agencies. Although the APC usually acts behind the scenes in an advisory capacity, the cybersecurity problem is so critical that the group has been spurred to action, Weiss said in an interview conducted at SIM’s annual meeting in Denver earlier this month.
A large part of that push came from David Bray, CIO of the U.S. Federal Communications Commission, who recently spoke to the group in his capacity as a guest lecturer at Oxford University. Bray laid out a dim and “extremely scary” scenario for the future of cybersecurity, Weiss said, followed by some ideas about what the industry can do about it.
“He made the point that no one organization, no matter how big they are or how well-equipped, can solve this problem,” Weiss said. “He said success is dependent upon collaboration and openness–open in the sense that there is sharing of attacks, and that there is sharing of potential, of possibilities and observations and solutions and that there should be sharing within private, public and governmental sectors.”
Similar efforts exist within other sectors, most notably in the pharmaceutical industry, where Eli Lilly’s InnoCentive acts as a repository of crowdsourced solutions aimed at tackling unresolved R&D problems. Such an approach for cybersecurity, Weiss argued, could be equally beneficial, providing companies with early-warning information and other data they need to thwart attacks. In addition, a CDC-like organization for cybersecurity could connect security problem solvers with those experiencing security issues. For example, it might be able to produce a map of distributed denial-of-service alerts or act as an information clearinghouse.
“Working together, we can address this issue,” Weiss said. “Working alone, we probably can’t.”
The next step is for the APC to sketch out the framework that would support the coalition, including soliciting volunteers who would lead the initiative.
“Members have done some investigation and learned that there are [similar] activities in various industries, but they seem to be staying within their industries — in other words, lots of silos,” Weiss said.
“We plan to sponsor research that will help us understand who the current key players are and determine what has worked and what hasn’t,” she added. “We then anticipate pushing for combining efforts where feasible to facilitate broader and more open sharing [of information].”