Cybersecurity Lessons from the Pandemic: CDC Model and FS/ISAC

It is very ironic to see that, on August 18, 2021, the CDC (Centers for Disease Control and Prevention) announced the formation of a Center for Forecasting and Outbreak Analysis (see “CDC Stands Up New Disease Forecasting Center,” CDC Online Newsroom). I say that because when we were forming the FS/ISAC (Financial Services Information Sharing and Analysis Center) in the late 1990s, I well remember team member Lee Zeichner remarking that the proposed FS/ISAC model was based on the CDC model. So, what happened?

Perhaps we should start with Zeynep Tufekci’s Opinion column in the August 27, 2021 New York Times with the title “Show Me the Data!” (available online as “Better Covid Data Will Guide Us Out of This Pandemic,” The New York Times). Professor Tufekci has published many incisive columns on the pandemic, and this is no exception. She points out that we are suffering from inadequate data for evaluating situations in a timely and effective manner. The collection and analysis of systemic evidence is crucial to decision-making relating to the pandemic. She praises the CDC for setting up the above-mentioned Center, but I have to ask where the CDC leadership of two decades ago had gone.

The FS/ISAC was formally announced in October 1999 by then Treasury Secretary Lawrence Summers in anticipation of Y2K, the idea being that the Banking and Finance Sector would have a network in place to rapidly share and interpret crucial information as systems responded to the millennial date change. It worked very well. I was in Washington, DC, at the U.S. Government’s National Information Center, run by John Koskinen, representing the financial industry, in contact with Stash Jarocki, who was managing a temporary industry control center in the basement of DTCC in New York City. This proactive setup saved the industry from the consequences of a number of serious problems that arose that weekend.

The FS/ISAC has grown from strength to strength over the past two decades and has spawned the FSARC (Financial Systems Analysis & Resilience Center), which was formed in 2016 for the purpose of taking a longer-term view, as I noted in my January 6, 2020 BlogInfoSec column “The FS-ISAC at Twenty.”

Such endeavors as the CDC and FS/ISAC need continuous support and innovation in order to be able to respond to catastrophic events, such as the pandemic, climate change, and ransomware. The FS/ISAC was particularly fortunate in receiving support from the US Treasury—Brian Peretti, in particular. The infusion of $2 million by Treasury helped the FS/ISAC expand at a critical point (see “US Treasury gives $2 million to financial security centre”).

It is indeed unfortunate that the CDC was not prepared to take in relevant data to provide adequate understanding for proactive decision-making, especially as they appeared to be well ahead of the game decades ago. Perhaps years of neglect and under-funding led to the deficiencies that became so apparent during this pandemic.

The key here is to maintain leading-edge capabilities in tip-top shape so that responses to catastrophes—whether they be virtual or physical—will have been planned for. Following Hurricane Katrina, some 16 years ago, I wrote a chapter, “Responsibilities and Liabilities with Respect to Catastrophes,” in the Handbook of Research on Social and Organizational Liabilities in Information Security, edited by Manish Gupta and Raj Sharman (IGI Global, 2008). The chapter pointed out who should be responsible for handling catastrophic events and how they should go about preparing and dealing with them. It is a tragedy that these recommendations—and those from others—were not adopted.

