On March 27, 2013, the UK Government announced the Cyber Security Information Sharing Partnership (“CISP”), a partnership between government and industry to share intelligence on cybersecurity threats.
Introduction of the CISP follows a successful pilot program across key UK sectors and is part of the UK’s Cyber Security Strategy to facilitate information-sharing on cyber threats. It introduces a secure web portal where government and industry partners can exchange real-time information regarding threats and vulnerabilities they have identified. It also sets up a team of expert analysts, the Fusion Cell, to draw together a single intelligence picture of cyber threats across the UK. It is understood that the Fusion Cell will be staffed by analysts drawn from industry, as well as the law enforcement and intelligence communities.
Announcing the initiative, Francis Maude, the Cabinet Office minister responsible for the national Cyber Security Strategy, stated: “Government, industry, business, families and households ignore cyber threats at their peril…We need to team up to fight a common cause; that is what the CISP is all about – government and business working together to get the best possible picture of the threats.” Maude said businesses must be more open about data security incidents if they hope to combat cyber threats, and encouraged participation by emphasizing that the more information each member shares, the richer and more useful the collective knowledge will be.
Initially, the CISP will focus on private sector organizations that own or operate the UK national infrastructure and are at greatest risk from cybersecurity threats, continuing work already undertaken through the Centre for the Protection of National Infrastructure. However, the UK Government is keen to extend the scope of the program and is already in the process of setting up additional pilots beyond critical infrastructure, including with small- and medium-sized businesses.
This latest initiative in the UK’s Cyber Security Strategy follows the European Commission’s recently released proposed directive on cybersecurity, and recent announcements in Germany of a proposed statutory framework for reporting cybersecurity incidents.