[Image via thelatinkitchen]

As you probably already know, cybersecurity is a hot topic in the elections world these days; you probably also know that it’s been a hot topic in many other worlds for some time as well. What you may not know (I’m certainly learning) is that a whole new ecosystem of information sharing has sprung up around cybersecurity – an ecosystem that’s making its way into elections. A new CI Scoop [CI = “critical infrastructure”] by the EAC’s Mark Listes helps election officials understand the full alphabet soup of entities that can be involved:

ISACs, MS-ISAC, and ISAOs, what are these and why should you care? As a quick answer, if you are an election official or administrator, these entities are about to impact your work. Today’s blog explains how.

If the intelligence community is our nation’s security lookout, Information Sharing and Analysis Centers (ISACs) blow the horn precisely and carefully when the lookout sees something on the horizon. ISACs gather, analyze, appropriately sanitize, and disseminate useful information to critical infrastructure owners and operators. For our sector, that audience would include election officials and administrators. The kinds of information ISACs would share could include alerts about potential threats to physical sites such as polling places or cyber targets such as voter registration databases.

Contrary to what you might expect though, ISACs are not federal entities. The centers are non-profit, member-driven organizations. However DHS and a sector’s SSA [“sector security agency; for elections it’s Homeland Security and the GSA] do work extensively with the ISACs, which are often viewed as an honest information broker that organizations within a specific infrastructure space can inherently trust.

There are many ISACs, and each is built to support a certain sector or type of critical infrastructure owner or operator. Here is a list of all of the ISACs. The centers have 24/7 threat warning and incident reporting capabilities, as well as the ability to reach and nimbly share information within individual sectors, between sectors, and among government and private sector stakeholders.

DHS has not yet announced that any of the existing ISACs will directly serve the elections subsector, but it is likely too early in the process for that kind of announcement. However, if one were to speculate, it would not be too attenuated of a prediction to think that the election community may be served by the Multi-State ISAC (MS-ISAC) because of its existing focus on government facilities and infrastructure. This is just speculation at this point, but we will use this blog to keep you posted when an announcement is made.

Now let’s talk about Information Sharing and Analysis Organizations (ISAOs). These entities are similar to ISACs but are further removed from the government. The organizations are not sponsored or funded by DHS, and DHS usually does not work extensively with ISAOs. That said, [they] also gather, analyze, and disseminate critical infrastructure information. Critical infrastructure owners and operators turn to ISAOs when they feel that they need an additional honest broker of information to provide a more complete assessment of threats. One advantage of ISAOs is that while they don’t have access to confidential information, they also don’t always require clearances or membership in a sector before sending information to someone. The organization has the ability to share its intelligence with a broader list of individuals and entities impacted by a critical infrastructure designation. For example, in the election space, a local township may not have access to ISAC reports, but could receive data from an ISAO.

As we all continue to wade our way through the critical infrastructure alphabet soup of acronyms, I hope today’s blog helped you to understand ISACs, MS-ISAC, and ISAOs. These independent information sharing entities are likely coming to a conversation near you, so let us know if you have any additional questions about how they work or why they exist. You can also get additional information about these terms and about critical infrastructure more generally by reading our Starting Point White Paper on elections as critical infrastructure.

This blog post – and all of the others at the CI Scoop – are an invaluable resource for anyone in the field, like me, who knows that the election community needs to come up to speed on cybersecurity but doesn’t know where to start. [The “starting point” white paper is also aptly named and is highly recommended; if you’re reading this blog, go get that paper, read through it at least once and keep it handy for future reference.] Folks in the field who are thinking about what’s next are already grappling with the various issues surrounding ISACs, MS-ISAC, and ISAOs – including who’s involved, what they communicate about and when – so knowing the basics is increasingly important in order not to be left behind.

Thanks and kudos to Mark Listes specifically and the EAC generally for creating this resource; as we develop ways to help election officials learn about and discuss cybersecurity issues, the “CI Scoop” and its accompanying documents will play a central role.

Go ahead and dig into that alphabet soup – and stay tuned …

Posted in Uncategorized and tagged