In the practice of cybersecurity (as in many other aspects of life), the emphasis is on protecting oneself (and one’s group, organization or country), often without regard to the impact of such an approach on others, which can be detrimental. This desire for survival is hard-wired into the human mind. Usually, it is only with considerable effort that working with competitors for the common good comes to the fore.
Protection alone does not guarantee well-being, as the COVID pandemic has shown. Although there is a basic need to ensure survival of one’s own group, even at the expense of others, we should nevertheless consider coopetition, or cooperative competition, which is defined as a business strategy that uses insights gained from game theory to understand when it is better for entities to work together rather than compete. I have seen both sides of the competitive landscape in financial services, and there are many situations where coopetition is the better approach.
My first major experience of coopetition was my involvement in the establishment of the Financial Services Information Sharing and Analysis Center (FS-ISAC). I was a member of the sector-wide committee that created the FS-ISAC in the late 1990s and served on the original board of managers. My company was one of 14 founding members. The official launching of the FS-ISAC by Treasury Secretary Larry Summers took place in October 1999, purposely ahead of the year 2000 (Y2K) date rollover. ISACs are set up by industry sectors and government agencies so that information about threats and exploits may be shared and actual attacks can be reported anonymously. ISACs, of which the FS-ISAC was the first, have proliferated globally and provide invaluable information and support ahead of, during and after major cyberattacks. This is an example where a common defense across competitors really makes a huge positive difference.
My next collaborative project was contingency planning for Y2K. Many of us working in IT understood that there were literally millions of cases where the Y2K issue would crash critical computer systems. This was because the data fields in many legacy programs consisted of only two digits, so that 00 would be interpreted incorrectly as 1900 rather than 2000. I was an active participant in several initiatives by the Security Industry Association, now SIFMA. We put together guidance for preparing for massive system failures and set up command centers over the weekend of 31 December 1999 and 1 January 2000. I was situated in the national command center in Washington, D.C., USA. We saw many system failures and attacks by hackers that were never made public. Overall, the preparation paid off and most organizations were back in business on Monday, 2 January 2000. There were many naysayers who claimed Y2K was a nonevent promulgated by the IT consulting industry. It was not a nonevent. It was a bona fide successful effort to avoid a catastrophe and an example of how working together can really pay off. These same Y2K contingency plans and preparations served the financial services industry well in recovering from the 2001 attacks on the US World Trade Center towers.
Following my participation in Livewire, a 4-day US national cyber defense exercise conducted in October 2003, I came up with the concept of a business-oriented simulation model that soon became the Distributed Environment for Critical Infrastructure Decision-making Exercises (DECIDE) Platform. DECIDE simulates cyberattacks on organizations and their partners to stress test incident response plans. The simulation model, which is available from Norwich University Applied Research Institutes (NUARI), was the basis for a series of successful biannual exercises for financial services under the name Quantum Dawn. It is also being used for exercises in other private and public sectors.
In 2005, the prospect of an avian flu pandemic prompted a number of contingency planning projects. I was involved in the effort by SIFMA’s predecessors in planning for the US financial services sector. At that time, we put together plans for backup communications networks and remote working based on assumptions as to the potential impact on travel. The plans were never invoked as that pandemic was controlled, but they could have served us well during the COVID pandemic had they been kept up to date.
Unfortunately, not all my collaborative efforts have been successful.
Perhaps the most disappointing was the failure of the Generally Accepted Information Security Principles (GAISP) project. The Information System Security Association took over the leadership of the project from the previously failed Generally Accepted System Security Principles (GASSP) project run by the International Information Security Foundation. In 2004, I chaired the GAISP Information Security Policy Principles Working Group, which was made up of about a dozen volunteers. We accomplished a fair amount only to witness the overall effort collapse due to bickering and infighting among the project’s top leaders, destroying any possibility of success. We are paying for this lack of global information security principles and standards many times over. Yes, there are a number of standards and frameworks for cybersecurity practitioners, but they generally lack scope or substance. It is certainly time to regroup and reboot a new GAISP effort. It can be done.
A case in point is the Generally Accepted Privacy Principles (GAPP) framework, which was published in 2009 by the Canadian Institute of Chartered Accountants and the American Institute of Certified Public Accountants, with support from ISACA and the Institute of Internal Auditors. The GAPP framework was successfully designed for accountants and auditors, and it worked.
In other cases, personal gain outweighs benefits for all. I was a lead researcher in an attempt to get the banking and finance sector to establish a laboratory to provide quality certification for commonly installed commercial cybersecurity software, much like the Underwriters Laboratory’s certification for physical devices or the Consumers Union testing of consumer products. The project did not get off the ground despite considerable effort by many leaders in the field. This was mainly because of competition among security enterprises as well as the fact that some large financial firms saw cybersecurity as a competitive advantage for themselves. In my opinion, such a certification program would have helped avoid many cyberattackers’ recent successes, some against enterprises that opposed the certification project.
Despite the occasional setbacks, I remain a strong advocate of coopetition. I believe that cybersecurity is an area that benefits from defenders cooperating, especially since attackers have no problem working together. Another potential area for collaboration is artificial intelligence biases, fairness and ethics. Interestingly, a recent article quotes Stanford researcher Percy Liang as follows:
“The goal ... is to create something equivalent to Consumer Reports, where people can go to understand the strengths and weaknesses of foundational AI models, such as those from Meta, Google and OpenAI.”
Let us work together to be more successful in assuring the security and safety of AI systems (and addressing their biases, fairness and ethics) than we have been with certifying cybersecurity products and services. And perhaps we can even create a Generally Accepted AI Principles (GAAIP) framework.
Editor’s note: For further insights on this topic, read C. Warren Axelrod’s recent Journal article, “Reducing Cybersecurity Security Risk From and to Third Parties,” ISACA Journal, volume 3 2022.