What’s private about public-private partnerships?
7 November 2023
Stuart Murdoch
This (5 minute read) blog is an edited transcription of a lecture delivered on 12th September 2023 by Stuart Murdoch as part of the global Borderless Cyber conference. It took place at Royal Holloway, University of London, home of the world-renowned Information Security Group (ISG).
A “Secure ‘Facebook’ for cyber threats” was how the front page of the Financial Times reported the Cybersecurity Information Sharing Partnership (CiSP) when it was launched ten years ago in 2013. Throughout those ten years, membership of, and contributions to, CiSP, the UK’s national cyber public-private partnership, were voluntary. Indeed, the existence of CiSP, in the words of the UK’s National Cyber Strategy of 2011, was built on a “wider private sector joint working initiative.”
The Concept of Operations (CONOP) for that initiative, Project AUBURN, targeted members from the “Information Exchanges” (IEs), existing cyber sharing entities for the UK’s 13 Critical National Infrastructure (CNI) sectors.
They were targeted because it was felt they would have actionable intelligence to share. The targeted users, “Network Defenders”, would also know how to act on the intelligence shared with them.
Growing the world’s largest cyber public-private partnership
After the initial incubation period, the objective became to grow the community across the whole economy. Growth was partly achieved through roadshows across the country and through trade associations in different sectors (e.g. Finance). Membership of CiSP was based on networked trust: you had to be sponsored by an existing member.
Over time, many existing cyber public-private partnerships, including the IEs and WARPs, established a presence on CiSP.
The push for growth was a success: at its peak CiSP had over 17,000 members, which was believed to be the largest public-private cyber information exchange in the world at the time.
All sectors of the UK economy were present on CiSP: not only the 13 CNI sectors, but also the top research universities, as well as law enforcement through Regional Organised Crime Units (ROCUs) and others.
The growth was achieved by changing the membership criteria: it was no longer just for “Network Defenders” who knew how to act on the intelligence shared. The result was a very broad membership, from primary school teachers to sophisticated CSIRT responders.
A trusted community
In building the collaboration platform for the CiSP community, it was clear that if people were going to share, they would have to trust the community that they were sharing with: the privacy and confidentiality of the information shared were vital to a functioning information sharing community. So the collaboration environment was built with a number of controls which allowed people to control who they shared what with.
The most fundamental mechanism for this was what CiSP called “Nodes.” These were groups which could be completely open, require permission to join, or even be secret.
Nodes proliferated and allowed sharing with a narrower, known group of people, rather than only with every user on the whole platform.
In addition to groups, the platform was designed to allow people to share information in a way in which their contribution could be anonymized. This meant that individual contributors could choose not to reveal their identity to most other users of the platform, and that in turn meant contributions were available from organizations which would not allow on-the-record contributions as a matter of policy. We had wondered whether the use of anonymity would decrease over time as people “got to know each other”, but in fact, as the community was always growing, there were always “new people around”, and so the ability to share “off the record” was always important.
Throughout the platform people could choose to express how they wanted their information handled via the Traffic Light Protocol (TLP). This allowed a contributor to identify an audience and how that audience could use the information they received. The TLP was, in fact, first used in the meetings of the IEs mentioned earlier, and was subsequently adopted as a standard by FIRST.
There are often more conditions which people want to express when sharing: not only whom you can share it on to but, for example, what they are permitted to do with the information. The IEP standard, managed by FIRST, is an attempt to standardize that (CiSP did not implement IEP).
There were other ways of managing the privacy of information built into the platform. If you work with members of the NCSC in the UK you will know that they tend to share only the first letter of their surname. The ability to set the rules about what you share, and with whom, is as important for metadata as it is for the content you share, if you are going to maximize sharing. CiSP allowed its members to specify who got to see what of their Personal Profile. The view you got of a profile and its metadata differed depending on who was viewing that information.
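To make the interplay of these controls concrete, here is an added illustrative Python model; it is not CiSP's code and does not describe how the platform was implemented. Node membership gates who can see a post, the TLP 2.0 labels published by FIRST gate onward sharing, anonymised posts hide their author, and a per-viewer profile rule shows only a surname initial outside the author's organisation. The users, nodes, client organisations, the profile rule and the mapping of TLP labels to checks are all constructed assumptions.

```python
"""Toy model of a sharing platform's confidentiality controls (an assumed design
for illustration, not CiSP's code): nodes gate who can see a post, TLP 2.0 labels
from FIRST gate onward sharing, and a per-viewer rule decides how an author appears."""
from collections import namedtuple

User = namedtuple("User", "uid name org")
Post = namedtuple("Post", "author node tlp anonymous named_recipients",
                  defaults=(False, frozenset()))   # named_recipients: TLP:RED only

# Constructed sample community with the three node kinds the text describes.
ALICE, BOB, CAROL = (User("alice", "Alice Smith", "bankco"),
                     User("bob", "Bob Jones", "insureco"),
                     User("carol", "Carol Ng", "bankco"))
PLATFORM_MEMBERS = {ALICE.uid, BOB.uid, CAROL.uid}
NODES = {"all-members": ("open", set()),
         "finance-ie": ("permission", {"alice", "bob"}),
         "incident-42": ("secret", {"alice"})}
CLIENTS = {"bankco": {"fundco"}}      # assumed client organisations, for TLP:AMBER

def can_view(post, viewer):
    """Node membership decides visibility; TLP:RED narrows it to named people."""
    kind, members = NODES[post.node]
    in_node = viewer == post.author or kind == "open" or viewer.uid in members
    if post.tlp == "TLP:RED":
        return in_node and (viewer == post.author or viewer.uid in post.named_recipients)
    return in_node

def may_forward(post, holder, recipient):
    """Onward sharing permitted by each TLP 2.0 label (assumed mapping of the standard)."""
    if not can_view(post, holder):
        return False                  # you cannot pass on what you cannot see
    same_org = recipient.org == holder.org
    rules = {"TLP:CLEAR": True,
             "TLP:GREEN": recipient.uid in PLATFORM_MEMBERS,   # the wider community
             "TLP:AMBER": same_org or recipient.org in CLIENTS.get(holder.org, set()),
             "TLP:AMBER+STRICT": same_org,
             "TLP:RED": False}        # named recipients only, never passed on
    return rules[post.tlp]

def profile_name(user, viewer):
    """Assumed profile rule: full surname inside the org, surname initial elsewhere."""
    first, surname = user.name.split(" ", 1)
    return user.name if viewer.org == user.org else f"{first} {surname[0]}."

def display_author(post, viewer):
    """Anonymised posts hide the author from everyone except the author."""
    if post.anonymous and viewer != post.author:
        return "Anonymous member"
    return profile_name(post.author, viewer)
```

An unknown TLP label raises a KeyError in `may_forward`, so a mislabelled post fails closed rather than being treated as shareable.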
States have rules in place to try to prevent anti-competitive practices. The rules about “information sharing” between competitors in a given sector can be quite tough (sharing information on prices, for example, can lead to price-fixing). Having an independent (e.g. public sector) organization as the “community manager” of the CiSP public-private partnership ensured that some of those concerns could be overcome.
The CiSP community had a “Fusion Cell” whose job it was to actively manage the community (for example, to promote useful content), but also to highlight and monitor matters relating to the confidentiality and privacy of the information shared. The Terms & Conditions for the CiSP Collaboration Environment likewise made it clear that the information which was shared with the CiSP community had certain exemptions from the Freedom of Information Act (FOIA), providing additional reassurance to those sharing more sensitive information.
One of the key privacy-related questions that was raised over the ten years of the life of CiSP was: who owns the information I share? In a community like CiSP (or even LinkedIn) I build up social capital based on the perception of the contributions I make. As I move from one company to another, should that information and my kudos move with me or was it my former organization's information?
The same holds true for the metadata. Do I need to build a whole new account and identity and start from scratch? Should all, most, or some of this information be considered mine and form part of my “portable profile”?
Voluntary information sharing vs. mandatory incident reporting
One thing which has changed since 2013 is the amount of mandatory incident reporting. Membership of CiSP was always free and voluntary, but across the globe there has been a significant shift towards mandatory incident reporting, which has had a chilling effect on voluntary information sharing. In Europe, NISD2 entered into force on 16 January 2023 and needs to be implemented (repealing NIS 1) by 17 October 2024. This includes certain rules about mandatory incident reporting. In the UK we have thirteen CNI sectors, with six classified as Operators of Essential Services under our implementation of NISD.
This means that operators must report certain cyber incidents to a Competent Authority. In the UK, the NCSC is not a regulator and so does not act as a Competent Authority, but concerns about the impact of “over-sharing” with a regulator have meant that regulated industries have shifted to reporting the minimum that they must in order to comply, rather than the most that they can in order to help their sector or the wider economy.
This has led to the demand for a more decentralised model for information sharing. CiSP was a centralized, national platform. A decentralized model would allow an organization to retain control of the information they choose to share: to report what they must and share what they choose.
A unique repository
The CiSP community was 10 years old this year and it represented a unique repository of valuable information about how to successfully build trusted communities that enable the sharing of sensitive information by respecting the confidentiality of the contributors:
- CiSP data didn’t belong to a private sector organisation, so nobody could monetize the data.
- There are rules for public sector organisations about maintaining public records.
- Private sector organisations can (and do) change what they do with your data, as those of you who are (or were) Flickr users will no doubt be very aware, not to mention the change in ownership of X - the platform formerly known as Twitter.
CiSP was initially funded in 2013 by OCSIA in the UK Cabinet Office, building on the private sector joint working initiative, Project Auburn. A year later in 2014, CERT-UK took on the responsibility of maintaining the platform, and then in 2016 NCSC UK took on the responsibility when it subsumed CERT-UK.
At each point in that history, the internal priorities, ownership, focus and objectives changed, and the impact of those changes could be seen and measured in the data.
The CiSP community was unique and precious, a huge asset to the UK, as was the data which was generated by that community. A globally significant repository of data was built up on how national cyber sharing strategies play out over time, and on what did, and did not, work, namely the effects of:
- Voluntary, hence organic growth (including groups)
- Changes in strategic imperative & hence member types
- Effects of growth on willingness to share
Over its ten years, the CiSP collaboration platform made a real contribution to the cybersecurity of the UK and became a global case study, which researchers referred to in order to understand how we can continue to evolve our response and adapt to the ever-changing nature of cyber threat.
Disclaimer: Stuart Murdoch is CEO and Founder of Surevine who built the CiSP collaboration platform, and supported it for the decade of its existence, from 2013-2023.