Government security officials have begun a new era of interagency cooperation that has led to unprecedented levels of information sharing. And while the high-level meetings have strengthened government security capabilities, they have also highlighted shortcomings in a key part of the data gathering and analysis processes.
The movement inside the government comes as the White House faces continued pressure to narrow the National Strategy to Secure Cyberspace to focus on systems that are most vulnerable to terrorist threats. Security insiders say provisions for home computer users and small businesses should be revisited in a revised draft that is due to be released by the end of the year.
As that debate continues, the heads of several federal security organizations—including the Federal Computer Incident Response Center, the Critical Infrastructure Assurance Office and the National Infrastructure Protection Center—have begun meeting regularly to coordinate their activities and establish ground rules for information sharing.
The meetings represent a significant step forward in the governments handling of vulnerability information. In the past, the various organizations have operated independently, often duplicating efforts and squabbling over responsibility, insiders say.
“The leaders are already working together and have made remarkable steps in improving information sharing,” said Marcus Sachs, director for communication infrastructure protection in the White House Office of Cyberspace Security here. “Its like an alcoholic admitting a problem. Were past that now.”
In addition to their own meetings, the leaders of FedCIRC, NIPC and the other bodies are urging their employees to begin talking to one another as well. Theyre working under the assumption that they will be co-workers soon and should develop good rapport, Sachs said.
Under the proposed Department of Homeland Security, the governments disparate information security organizations would be combined into one body, with the exception of some personnel from the NIPC, who would remain at the FBI. The bill authorizing the funding of the new department is stalled in the U.S. Senate, and Sachs said he doesnt expect it to be approved until late spring or early summer of next year.
The new move toward cooperation has, however, pointed out some inherent shortcomings in the way organizations gather and share data on attacks and vulnerabilities. A major component of the existing system is the network of industry-specific Information Sharing and Analysis Centers that are supposed to gather information from members and forward it to government and law enforcement officials for correlation.
Members are encouraged to submit information on attacks and security breaches so that other members can get an early warning of impending problems. The data is stripped of identifying information before it is passed. But, in practice, the process seldom works.
“No one contributes data because theyre too lazy,” said Mark Rasch, senior vice president and chief security counsel at Solutionary Inc., in Omaha, Neb. “Theres no one whose job it is to share information with the competition.”
In addition, as government officials scramble to improve their own security infrastructure, theyre also facing tough questions about whether the national strategy should be more focused on national and international priorities and less on educating home users.
“We dont have any intention of removing [the section on home users],” Howard Schmidt, vice chairman of the Presidents Critical Infrastructure Protection Board, told eWeek. “Once [home users] turn that system on, theyre part of the network.”