Tactical Cyber: The Case for Community Cyber ISAOs

An army of bots, hackers and social media trolls has fundamentally altered and intensified the risks from cyberspace.

A prior piece here redirected the national debate about certifications for ISAOs onto a broader view — that ISAOs represented industry formation of cyber capacity and innovation centers at community levels. In that article, the concepts of Community Cyber and Market-Making were introduced. And, it was outlined how an innovative DHS contract vehicle had spawned the Cyber Market Development Project. The views expressed previously, informed from project research, showed how the question about certification was too narrowly scoped; and the piece described how this predicament of issue definition had come about from the genesis of information sharing and its early structures. It’s time to further explore how this project research can inform a deeper understanding of the ISAO movement.

What the White House got right in the Executive Order on Information Sharing, and which DHS further implemented in proper fashion through contractual establishment of the ISAO Standards Organization, was to establish information sharing as a national policy to further national security interests in resilience and cyber capacity building. Yet, in practical terms, what is resilience and cyber capacity building? And how are we to go about it? Are ISAOs supposed to suddenly spring up? What is their mission? What are the use cases?

Let’s look at why it was proper to cast ISAOs in the national security mission space. And how to introduce that mission at community levels.


What has been revealed in the past two years is that an army of bots, hackers and social media trolls has fundamentally altered and intensified the risks from cyberspace. No longer are we fighting JUST identity thieves, DDOS botnets, or black-market enterprises, we are now combating state actor networks and a complex, anonymous web of deceit and manipulation. The trustworthiness of news and information are being undermined.

When we look to define what’s needed to build resilience and cyber capacity, we have to factor the changed game plan of the adversary. Deploying a better firewall and calling it a day won’t work. We have entered the era of cyber intelligence, where businesses need to be better equipped with information to fight the modern cyber battle.

We must also countenance that with all the wizardry of the intelligence community, the requisite Need to Know criteria severely limits its utility outside the national security environment. Yet, businesses also need to know the nature, sophistication, motives and game plan of the attackers.


What is now universally needed is a private-public Order of Battle build. An Order of Battle derives from military lexicon and practice, and it refers to profiling the adversary to identify command and control, malicious architecture and domains, TTP, campaign correlations, and even attribution to attacker networks and identities. Commercial vendors offer sophisticated intelligence, yet tailored services to enterprise customers needs to come down market. That’s the role of Community Cyber and public-private ISAOs.

An Order of Battle build is tactical intelligence. And ISAOs are the perfect structures to offer tactical intelligence across localities, tied to state Fusion Centers, and supporting member needs. Tactical intelligence is the province of bottom up, organic generation, rather than from top down structures. Hence, building local capacity to conduct tactical intelligence is well-suited for ISAOs.

With this in mind, the Cyber Market Development Project – which is commercially prototyped as the c-Market™ – developed the CrowdForce. The first university club is being formed with a partner university, and will grow across our other partner universities. This cadre of cyber threat analysts is formed with the dual purposes of workforce laboratory and tactical collection network.

With the benefit of this description and an identified manifested creation, consider the value of ISAOs, located in communities across the Nation’s footprint, for creating a tactical cyber intelligence capability for elevating cyber defenses from the ground up. This is resilience and cyber capacity building!  This is a use case for ISAOs at community levels: to engage in tactical intelligence, Order of Battle building, and training the workforce in ISAO operations and cyber threat analytics.

ISAO Conceptualization: Expanding the Narrative

When there’s talk of ISAOs, and whether certifications are advisable, it is important to question the premise: with ISAOs, are we considering all their use cases?

Establishment of a network of cyber intelligence entities engaged in tactical intelligence in support of their communities seems a more substantive debate than the narrow question about certifications.

By:  Doug DePeppe, Founder
Cyber Resilience Institute
First Published:  January 4, 2018 on LinkedIn