Nonprofit Cyber Charter
Proposal
Establish a coalition among cybersecurity nonprofits in the “do” space rather than the “think” space – Nonprofit Cyber
Background
Despite different business models, the founding organizations have many attributes in common:
- We operate as nonprofits, serving the public interest;
- We develop, share, deploy and raise awareness of cybersecurity-relevant best practices, guidance, tools, standards and services, rather than focusing on reports, recommendations, or abstract research;
- We are not lobbying or advocacy-only organizations, and do not seek to represent the economic or other private interests of our members and funders;
- We bring together highly-talented volunteers, partners, and members representing incredible technical depth and industry diversity; and
- We empower a large base of individual, small business, and enterprise adopters.
We also share deeply-held principles that drive our thinking, activity, and products:
- Sharing and agreement on security practices, along with tools and services implementing those practices, demonstrably lead to practical and effective improvements;
- Transparency of processes and practices is essential for management of risk by all stakeholders;
- A base level of cybersecurity should be a right of everyone, and unnecessary economic and legal barriers to security should be minimized;
- There is no “one-size fits all” set of security practices, and useful security improvements must accommodate a variety of evolving challenges, methods, and approaches;
- Security practices, tools, and services that do not scale will not be effective;
- Security choices must be informed by data about what works, rather than the proprietary economic interests or best guesses of cybersecurity vendors; and
- Our roles as practitioners of security contribute to our ability to understand and positively impact the technology ecosystem.
Purpose of Collaboration
What is the problem we are trying to solve?
A large number of nonprofits in the implementation cybersecurity space are working within their own areas of action toward the joint goal of improving cybersecurity, but the lack of effective, low-cost coordination and communication among them can sometimes lead to inefficiency and duplication, present challenges in working together to solve problems, and present issues for stakeholders in dealing with the cybersecurity nonprofit community.
Thesis
Better communication and collaboration will enable programmatic and opportunistic action to improve cybersecurity.
Proposal
Form a coalition of like-minded cybersecurity nonprofits focused on implementation to collaborate, work together on projects, voluntarily align activities to avoid duplication and increase mutual support, and link the community to key stakeholders with a shared communication channel. The coalition is called Nonprofit Cyber.
Form of Coalition
The coalition would have no authority to commit or direct members, but would be a “collaboration-of-equals”: a good-faith effort to better serve the entire community through expert agreement and collaboration. It would not assert any functional or operational control over any party, force any action by any party, or prevent an organization from holding a unique position on any particular issue or topic.
Membership
Members must be:
- 501(c)(3) or 501(c)(6) nonprofit organizations if organized under US law, and holding an equivalent status if organized under the laws of another country;
- Nonprofits with the mission to develop, share, deploy and raise awareness of cybersecurity-relevant best practices, guidance, tools, standards and services, rather than focusing on reports, recommendations, or abstract research;
- Focused on solutions at scale rather than primarily fee-for-service work;
- Not associations focused on representing the private interests of members; and
- Involved in “lobbying” only incidentally and only to advance cybersecurity generally rather than on behalf of members.
For the process to add members, see “Governance” below.
Activities
Partnership and collaboration could take many forms:
- Achieve visibility and understanding of the efforts nonprofits are making in cybersecurity;
- Facilitate shared understanding, alignment and deconfliction of activities;
- Encourage the leadership, sharing, and celebration of volunteers;
- Advertise the association and collaboration of nonprofits;
- Encourage and enable specific reference among members to each other’s products where applicable;
- Provide a forum for sharing roadmaps of product development and release;
- Enable and encourage synchronization of product releases where appropriate;
- Create opportunities for joint or coordinated projects and products among members;
- Provide a forum for alignment of threat and/or attack models that drive security practice selection;
- Provide a forum for coordination of joint (by supporting members) public statements and joint communications to authorities on issues of mutual interest, and on the importance of shared and voluntary industry best practices;
- Joint presentations to stakeholders; and
- Joint proposals for work and funding.
Governance
- Co-Chairs
  - There shall be no more than two co-chairs
  - The co-chairs will be recommended by the Executive Committee and voted on by the full membership
  - The term of office shall be two years
  - Co-chairs may be removed by a two-thirds vote of the Executive Committee, with a replacement elected by the general membership to serve the remainder of the term
  - Co-chairs shall serve until their successors are elected
  - Co-chairs shall be Active Members and be part of the Executive Committee
- Duties of the Co-chairs
  - Shall call and organize meetings
  - Shall lead the general and active management and general direction of the activities of the organization
  - Shall ensure there are “minutes” of all meetings and keep the records of the organization
- Executive Committee
  - Shall prepare programs of action for consideration by the general membership
  - A majority of the Executive Committee members shall constitute a quorum for all meetings
  - Shall provide a multi-perspective range of views on matters of cybersecurity, risk, education, and published opinions
  - Shall provide answers and resources in response to inquiries directed to the coalition
  - Executive Committee members will be elected every two years by the full membership – candidates for the Executive Committee may be proposed by the co-chairs upon recommendation from the Executive Committee
  - The Executive Committee may amend this Charter by a two-thirds vote, and the Member Agreement by a two-thirds vote – any organization may withdraw from the coalition based on a change to either document
  - Executive Committee members shall serve until their successors are elected
  - Executive Committee members shall be Active Members
- Active membership
  - Active membership consists of organizations who support the charter
  - Active members must sign a Member Agreement, in a form approved by the Executive Committee, agree to abide by this Charter, and meet other basic requirements, including being listed as a member of the coalition
  - Membership shall be extended to organizations who meet the criteria in Section “Membership” and:
    - Are legally eligible to conduct business in the United States or with U.S. entities pursuant to U.S. and United Nations sanctions and embargo lists;
    - Are not subject to undue influence from any government affiliations (other than customer relationships), including credible allegations or public acknowledgement of such affiliations; and
    - Present no compliance risks with respect to U.S. Export Administration Regulations, International Traffic in Arms Regulations and other U.S. or other export restrictions based on the current membership, in each case to the extent applicable and/or practicable.
  - Organizations can be removed by the Co-Chairs upon a two-thirds vote of the Executive Committee for any potential conflict with stated principles in the charter
  - An organization may withdraw from membership at any time by written or electronic notice to the Co-Chairs with an effective date
- Nominations for Membership
  - Basic due diligence on the nominee organization will be conducted
  - Basic information must be provided by the organization asserting that it meets the criteria for membership
  - The package shall be reviewed by the Executive Committee, which will make a recommendation for membership (or not) to the co-chairs, who will make the decision whether to grant membership
- Dissolution – In the event of dissolution of the coalition by a two-thirds vote of the Executive Committee:
  - Non-monetary voluntary contributions to the organization shall revert to the contributor;
  - Any content developed and owned by the coalition shall be usable by any member; and
  - Remaining assets, if any, shall be distributed to the existing active membership in the manner specified by the Executive Committee.
- Startup
  - Nonprofit Cyber will begin operations in February 2022
  - The initial Co-Chairs will be the Global Cyber Alliance (Philip Reitinger) and Center for Internet Security (Tony Sager), who shall serve until February 2024
  - The initial Executive Committee shall consist of the following organizations, who shall also serve until February 2024:
    - Anti-Phishing Working Group (APWG)
    - Center for Internet Security (CIS)
    - Cloud Security Alliance (CSA)
    - Consumer Reports
    - CREST International
    - Cyber Readiness Institute (CRI)
    - Cyber Threat Alliance (CTA)
    - Forum of Incident Response and Security Teams (FIRST)
    - Global Cyber Alliance (GCA)
    - OWASP
    - SAFECode
  - Nonprofit Cyber is expected to launch with a press release and a website