by CSO Contributor

Sharing Problems

Nov 01, 2004 | 3 mins
Compliance, CSO and CISO

Unlike in gift giving, it's not the thought that counts when it comes to effectively sharing and analyzing data about vulnerabilities in the nation's critical infrastructure. Officials from the private sector and the Department of Homeland Security, which is in charge of critical infrastructure protection (CIP) information-sharing efforts, are learning that the hard way.

Information sharing and analysis centers (ISACs) aim to facilitate the exchange of security-related information between the government and companies in industries such as banking, finance, energy and transportation. The idea is that when DHS raises the threat level or hackers discover a vulnerability, affected companies and the government need a secure place to compare notes.

In five years, more than a dozen ISACs have formed, and others are in development. But just because the clubhouses are forming doesn't mean everyone is lining up to play ball. Significant challenges need to be addressed before ISACs will truly be the information-sharing hubs that the federal government desires. At least that's what a report from the Government Accountability Office says.

"Although DHS has taken a number of actions to implement the public-private partnership called for by federal CIP policy, it has not yet developed a plan that describes how it will carry out its information-sharing responsibilities and relationships," the report states. DHS's top challenges? Developing processes to facilitate information sharing, clarifying the roles and responsibilities of the government and private-sector entities, and funding ISAC operations and activities.

Chief among these concerns are funding problems, says Stanley "Stash" Jarocki, a cofounder and former chairman of the financial services ISAC, the oldest of the centers. "The people who are running the board today are volunteers, and [the ISACs] are not their full-time jobs," he says. This lack of funding also causes the ISACs to favor larger companies, which are able to contribute more money than smaller companies.

Despite the passage of a Freedom of Information Act exemption that protects corporate secrets that are properly marked and voluntarily shared through the ISACs, Jarocki says that companies may still hold back for fear that sharing information will lead to legal trouble. He says this concern could be addressed in part with security clearances for the people involved. "If we're going to share information, the appropriate parties need to be cleared," he says.

DHS has yet to establish a time frame for developing an information-sharing plan or making other improvements. Nevertheless, at a recent security conference, DHS CSO Jack L. Johnson offered a vague reassurance that changes were on the way. "It's been a somewhat disjointed process. I know that," he said. "It's getting better. I think in the very near future you're going to see the flow of information increase dramatically."