By Stacey McDaniel
Increased reliance on information technology has made cyberspace the equivalent of our nation's nervous system. As a result, a healthy and secure cyberspace is essential to our economic and national security. The private sector plays a central role in securing cyberspace because it owns and operates the vast majority of our nation's infrastructures and the cyber systems on which they depend. Critical infrastructures are found in each of these sectors: agriculture, food, water, public health, emergency services, government, defense, industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. Some of these are public, others are private. Behind all these sectors are hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow them to work.
Several of these sectors have created protection plans to secure the critical information infrastructures that they own and operate, but that has been done independently of other sectors. The security plans that emerged from each sector provided the government with some insight into the scope and character of the challenges facing the United States. But that bit of insight only made the government realize how crucial it is to get the private sector actively working with the public sector to improve information sharing. Fortunately, there are efforts under way to do just that. Here are a few.
The hubs for sharing
To address that lack of communication and take a more holistic approach to securing the sectors, the government has called for the establishment of Information Sharing and Analysis Centers (ISACs), as first outlined in the Presidential Decision Directive in 1998, and again in the Homeland Security Presidential Directive (HSPD-7) of late last year. The Bush administration has said industry ISACs are to serve as the primary means for sharing information between government and the private sector. The ISACs are alliances formed within vertical industries and are designed to facilitate information sharing and collaboration to help better protect the economy.
Each ISAC is funded by its membership fees, and consists of a secure database, analytic tools, and information gathering and distribution facilities that allow authorized individuals to submit either anonymous or attributed reports about information and physical security threats, vulnerabilities, incidents, and solutions. ISAC members also have access to information and analysis about information security threats, vulnerabilities, incidents, and solutions provided by other members and obtained from other sources, such as the government and law enforcement agencies, technology providers, and security associations. ISACs also work closely with the Department of Homeland Security's National Infrastructure Protection Center (NIPC) to exchange data about threats and vulnerabilities.
Prime ISAC example
One prime example of an ISAC is the Financial Services Information Sharing and Analysis Center (FS/ISAC). Formed in 1999 in anticipation of Y2K, FS/ISAC is one of the first ISACs. In December 2003, the Treasury Department signed a $2 million one-time contract to upgrade the FS/ISAC. That money will go towards enhancing the network so it can serve more than 30,000 institutions in the financial sector -- including banks, exchanges, insurance companies, and others -- in addition to its existing core members. The upgrades will include:
- Introducing a secure, confidential forum for real-time information sharing
- Adding data about physical threats to the cyber threat information that the center handles
- Providing a Web-based warning and alerts service, with a backup system in case the Internet itself is affected
- Setting up more than 16 performance metrics to determine the center's effectiveness and help assess the state of information sharing across the industry
The FS/ISAC has not only added security measures, it has set measurable goals, something other ISACs are also trying to do.
Challenges facing ISACs
The creation of "trusted partnerships" between the government and the private sector has been a struggle to date, as ISACs still lack the trust, openness, and spirit of cooperation needed to achieve true collaboration. Many in the private sector feel they must share sensitive security details concerning their respective sector, while the government is not fully sharing information with them in return. Lately, the government has made an effort to share more sensitive data gathered by intelligence agencies -- but not enough to satisfy many private sector companies. Of course, the hesitation to share information comes from both sides. A May 2003 General Accounting Office report found that companies are unwilling to divulge information to the government that could be used as evidence in antitrust suits or released to their competitors or the public under the 1966 Freedom of Information Act.
Another stumbling block for ISACs involves locating avenues of additional funding. Most ISACs, as business entities, are not fully financially sustainable. Although ISACs generally collect membership fees, that money is not consistently sufficient to cover the expenses of running the ISAC. Additional funds are needed for operations and activities that include analysis of terrorist activities, housing data, and performing research. This is a touchy subject because many private companies have committed significant time and money to supporting an ISAC, and they feel the government isn't reciprocating with enough funds from its end.
To address these problems, the Department of Homeland Security has set goals for improving information-sharing relationships, introduced methods for measuring progress toward these goals, and begun to look for ways to address the funding shortage some ISACs have experienced.
Task forces address cross-industry cyber security
Last December, five task forces were formed by public and private sector leaders under the guidance of the Department of Homeland Security. Each task force is charged with developing a plan for addressing common concerns from the two communities and presenting tangible proof that their plan is working -- in the form of various deliverables and metrics:
- Awareness for Home Users and Small Businesses: Expand on existing outreach programs such as Stay Safe Online and Cyber Citizen.
- Cyber Security Early Warning: Begin to develop a national cyber security response system, including implementation objectives for the U.S. Computer Emergency Response Team.
- Best Practices and Standards: Corporate Governance: Establish guidelines and best practices for cyber security roles and responsibilities within organizational management structures.
- Best Practices and Standards: Technical Standards and Common Criteria: Develop new tools, technologies, and practices, such as secure configuration guides, to reduce vulnerabilities across all sectors.
- Security Across the Software Development Life Cycle: Secure Software: Find new methods to reduce vulnerabilities included in products during development, including determining how to teach building secure software.
An effort from the private sector
The Cyber Security Industry Alliance (CSIA) was started in February of this year by a group of leaders from major cyber security software, hardware, and services companies who believed that an association was needed that would focus full time on cyber security public policy issues. Here are the CSIA's goals for the first year:
- Public policy: Monitor and influence legislation and government regulation at both the state and federal levels.
- Education: Create programs in conjunction with leading academic institutions to develop curricula to close the skills gap.
- Awareness: Develop and collaborate in multi-faceted awareness campaigns to raise the visibility of cyber security issues, challenges, and solutions among various audiences, including consumers and small businesses.
- Standards: Identify and support emerging industry technology standards in partnership with other organizations.
The CSIA believes that cyber security is best addressed through market-driven forces; ideally, any standards developed should be through a voluntary partnership between the public and private sector. The CSIA has stated that it will work closely with the Department of Homeland Security on public policy initiatives over the coming year.
Conclusion
As recently as a couple of years ago, each sector of our nation's critical infrastructure had internal mechanisms for collecting and sharing information, but there was no coordination among them. As the government and many industry leaders have come to realize, collaboration is key to securing the backbone of our nation. Other private sector leaders are motivated to cooperate on information sharing initiatives because they see it as an alternative to being faced with formal regulations. Whatever the motivation, the growing partnership between public and private organizations manifested through the ISACs, task forces, and other alliances will enhance the flow of accurate and timely information about physical security threats, vulnerabilities, and incidents -- information that is crucial when trying to secure a backbone built on technology.
Stacey McDaniel has been writing about high-tech issues for more than six years.