Securing Our Intangible Economy
Motivated partially by self-preservation, but also by a “carrot & stick” combination of grants and threats of litigation – the public and private sector “information sharing and analysis” that occurred prior to Y2K was unprecedented.
The preparation for the Y2K roll-over proved a significant global effort that focused the entire world’s attention on how dependent we had become on hardware and software conceived in an era of relative cyber-innocence. The pre-Y2K years also popularized the term “Critical Infrastructure Protection” (CIP) as governments recognized a need for shared public-private responsibility of global information networks. The actual roll-over thus occurred with minimal disruption.
After 9/11, the original cyber focus of CIP organizations broadened to an all-hazards perspective. Lead agencies found many information sharing challenges butting against the “need-to-know” wall of the security and intelligence community.
It is interesting to recognize that these early CIP concepts and challenges surfaced during the era of the “knowledge economy” – when information ceased being scarce. Since 2002, this knowledge economy has evolved to its current state, now known as the Intangible Economy, one which is even more dependent on a global information sharing network. Information sharing can be examined based on four factors of production for this intangible economy:
- knowledge assets (what people know and put into use);
- collaboration assets (who people interact with to create value);
- engagement assets (the level of energy and commitment of people); and
- time quality (how quickly value is created)
Each of these four factors are applied to the needs of three groups of stakeholders who have a vested interest in sharing CIP related information:
- Local – those that have an immediate need to respond to an event;
- Business sectors – who have a shared interest in the continuity of operations of their sector; and
- Governments – who have a geopolitical and strategic interest in CIP
The familiar “Neighbourhood Watch” program illustrates the importance that most communities place on watching out for one another. Knowledge assets (what people know and put into use) provide daily examples of how individuals quickly identify unusual occurrences, whether related to natural hazards, strangers in their midst, or unusual behaviour. These could occur at a local bank, school, or the local dump. When something unusual happens, the collaboration assets (who people interact with to create value) are often the friends and business associates that they see on a regular basis, be they doctors, lawyers, police or firefighters. These individual stakeholders have the engagement assets (the level of energy and commitment of people), based on a vested community interest in the outcome. When it comes to the time quality (how quickly value is created) of information sharing, the success of any “Amber Alert” program typifies this added value of a quick response at the local level to find lost or kidnapped children.
This same process of information sharing related to knowledge, collaboration and engagement assets combined with the time quality is what is required by first responders to respond effectively to CIP events. What may be missing at the local level is access to specialist resources or funding to enable preparation of such things as a local (tactical) disaster response plan and training.
Business Sector Stakeholders
In addition to the required opportunity to compete on an equal footing, members of most business sectors also have a vested interest in the health of their sector. The whole financial sector, for example, wants to ensure that consumers retain faith in the use of automated teller machines. Similarly, the telecommunications sector must assure the public that the internet can be safe for e-commerce.
Typically, knowledge assets in a given sector are made available by their respective trade associations. The Canadian Bakers’ Association, the Canadian Association of Defence and Security Industries, and the Canadian Electrical Association are prime examples of how competitive issues are set aside when it comes to ensuring the delivery of common services in a secure and professional manner.
Likewise, the collaboration assets within a sector are often major consumers of a product or service that exhibit a high degree of interdependency. For example, the transportation of chemicals or manufactured goods via rail or surface carriers is a well-known supply chain where each sector is dependent upon the other to effect a mutually successful transaction.
When an incident occurs that threatens to disrupt that supply chain, the engagement assets are rapidly deployed. The time quality of the response to an unexpected disruption is critical to all.
Recognition of this mutual interest in the resilience of a sector is one of the primary reasons for the success of sector-based Information Sharing and Analysis Centers (ISAC’s) in the United States.
Governments typically have a dual role: one as regulator, and the other as servant of the national good. Thus, the knowledge assets sometimes place government organizations in a potential conflict of interest when viewed from the perspective of those being regulated.
Typically, the collaboration assets within government and with the business sectors are not necessarily the same as those expected to respond tactically to CIP crises.
Similarly, the engagement assets within government are focused on their areas of jurisdiction. The limited role and conflicting mandates of various government departments often result in stovepipes that limit the time quality of positive government intervention.
However, the strategic value of government’s knowledge, collaboration and engagement assets are of critical importance in establishing the strategic direction of the national economy for all business sectors and for dealing with our national security and prosperity agenda.
The time quality of national assets that can be brought to bear in an ice storm, flood or power outage is measured in days and weeks and not in minutes and hours as at first responders and local levels. In fact, one of the primary tasks of governments is to coordinate the efforts of multiple departments at federal, provincial and territorial governments. Examples of information sharing and analysis at this level can be found in the various U.S. government and sector coordinating councils that work with U.S.-based sector ISACs.
Finally, if we step away from the individual needs of the three stakeholder groups, and look at the system that allows them to collaborate and coordinate their activities, the U.S. model contains many elements that could well serve Canada’s needs.
Many examples of local or regional centers already share and analyze information that is focused on a common interest. There are State fusion centers, cross border economic regions (Pacific North West Economic Region – PNWER), and large metropolitan incident response teams. All of these local stakeholder groups exhibit excellent examples of knowledge, collaboration and engagement assets intended to provide the “time quality” response in a crisis.
In the U.S., business sector-based ISACs receive information from local, state and federal agencies, law enforcement agencies, vendors, media and the Internet, ISAC members, Critical Emergency Response Teams, academia, think tanks, and from their national intelligence community. The sector ISAC provides the venue for approved information exchanges with other ISAC’s, the government and the ISAC members.
The approved information exchange is based on government protocols and caveats and individual member agreements. The ISAC operates as a trusted third party with the appropriate physical and personnel security clearances. Because they are sector-based, they cater to the reality of the business world that crosses international and inter-provincial borders. Many of the ISACs have international members – and contributions are received from, and distributed to, international entities. Several Canadian business entities currently participate in cross-border ISACs.
What is seriously missing, however, is a Trusted Third Party (TTP) that provides for the two-way sharing and analysis of information, respecting protocols and caveats for sharing data between the Canadian government and industry.
The U.S. model provides a formal government coordinating council that serves the dual purpose of coordination among government entities, and provision of a focal point for discussions with a similar private sector entity that represents multiple business sectors.
In the current Canadian model, Public Safety Canada provides a venue for collaboration among multiple government departments. However, it lacks a necessary government coordinating council that represents a combination of federal, provincial and territorial interests. Similarly, there is no equivalent industry sector coordinating council that represents the interest of multiple business sectors in discussions with multiple government agencies.
Many of the early CIP information sharing and analysis efforts were conceived in the early stages of the knowledge economy. Having examined today’s information sharing and analysis needs based on the four factors of productivity for the intangible economy, we can asses the U.S. model and lessons learned in terms of its potential to meet Canadian needs.
Based on this, four recommendations are offered to the Canadian CIP public and private community for the short, medium and long term:
- Develop local regional information sharing and analysis capabilities (they can be called ISAC’s, fusion centers, watch and warning centers – as long as their information sharing objective is clearly defined).
- CIP owners and operators should investigate the benefits of becoming members of existing sector-based ISAC’s and/or other ISAC’s that are a critical part of their supply chain and exploit the specialist expertise that they provide.
- Establish a Canadian TTP entity to provide the venue for information sharing and analysis according to protocols of caveated data between Canadian government and Canadian private sector entities.
- Government and industry could establish coordinating councils to focus information sharing and analysis discussions across multiple levels of government (federal, provincial, territorial and local) and between multiple business sectors.
In Y2K we succeeded in focusing both government and industry to find a solution to a problem with a fixed deadline. Unfortunately, most CIP related events have no fixed dates to focus our attention and the sharing of critical information suffers. What is needed now is leadership within all groups to move quickly toward a “Made In Canada” public-private information sharing solution.
Jim Robbins is President of EWA Canada Ltd and a member of the Board of Directors and a Senior Advisor to the International Systems Security Engineering Association.
© FrontLine Security 2007