From: www.itworld.com

Security: an uneasy alliance

by Heather Harreld

April 12, 2001 —

 

JUST AS THE federal government was beginning to enlist a sometimes-reluctant private sector to share details about information system intrusions that could affect national security, it seems that the Bush administration has come to town armed with new ideas.

Despite ongoing efforts by the FBI and other government agencies to share CIP (critical infrastructure protection) information with businesses, the new administration has yet to recommit the Clinton administration's initiatives in government-industry collaboration. In fact, sources say Bush may move the CIP operations to the Department of Defense and out of the National Security Council, which could scare off companies that have begun to share information about possible system vulnerabilities with the government.

This move would come at a critical time in the effort to ward off cyberattacks to the nation's critical infrastructures -- such as banks, electric power plants, and the telecommunications grid -- that are crucial to military and government operations.

John Powers, former commissioner and executive director of Clinton's Commission on Critical Infrastructure Protection, says that the Defense Department under Bush is placing more emphasis on homeland defense and may shift infrastructure protection efforts to the department.

"Policy formulation for infrastructure protection is going to move out of the White House and may move into Defense," Powers says, which would be a shift in security policy. "The single most important insight ... is that infrastructure protection has to be a network of interlocking activities. What you need to have in place is what I would call a 'network manager.' The mission should be centered in the White House because only the White House can serve as the network manager."

Phillip Lacombe, former staff director of Clinton's commission on security and now president of Veridian Systems' information and infrastructure protection sector, says that Bush's reorganization of the National Security Council has not included details on the future of the federal office that coordinates infrastructure protection with business.

"We haven't seen the kind of public statement ... that those of us who are committed to this area would like to see from the administration," Lacombe says.

Still, no funding or other support has been withdrawn from the CIP efforts launched by the Clinton administration, Lacombe adds.

Easing corporate fears

Wherever the government office to run the nation's CIP efforts lands, observers says it will face obstacles that are often inherent in any federal effort to elicit cooperation from the private sector.

Mark Gembicki, chairman and CEO of WarRoom Research in Baltimore, says the new administration must focus its efforts on the potential economic implications for companies that don't adequately secure their systems.

"Companies cannot compete effectively if [their systems are] not secure," says Gembicki, who coordinated an electronic civil defense project for the government to demonstrate the growing cyberthreat to the nation's critical infrastructures. "Shareholder value is more important than national security in the eye of corporate America," Gembicki adds.

One of the core concepts of CIP is to convince the private sector to share intrusion data with federal law enforcement agencies. That may be hampered if the government does not reciprocate and share intelligence data with companies that may be targeted for cyberattacks, corporate espionage, or terrorism.

"I still don't see any progress being made with the sharing of vulnerability information," Gembicki says. "If you're going to play the Orwellian Big Brother game, you might as well do it right. What you need to do is have the U.S. government truly supporting U.S. corporations."

French and Israeli intelligence agencies routinely share classified information relating to potential corporate IT attacks with the targeted companies, Gembicki notes.

Clamping down on intruders

The government's plan to elicit private-sector aid in securing critical infrastructures is centered on the Information Sharing and Analysis Center (ISAC), a mechanism for members of the same industry to share threat and vulnerability data with a central source. To date, three sectors identified as critical by the government -- banking and finance, energy, and information technology -- have launched ISACs.

The goal of the ISAC will be to share information in a confidential environment with the membership -- which could top 500 over the next several years -- to reduce the likelihood that threats will turn into real problems, says Harris Miller, president of the Information Technology Association of America (ITAA), in Arlington, Va., which is leading the effort to deploy the center.

The government has indicated that it will share sensitive information about potential threats with the ISAC to send on to its members, Miller says.

Meanwhile, the FBI in January completed the nationwide rollout of its public/private partnership, called InfraGard, to share computer system intrusion data. Participating companies can e-mail encrypted messages describing intrusions to their local FBI field office or tap a secure Web site reporting suspicious network activities.

Don Withers, CEO of The Training Company in Baltimore and president of that city's InfraGard chapter, says the effort is led by the private sector, with no FBI agents on the governing board.

"The only way we're ever going to solve this problem is if law enforcement and the private sector work together," Withers said. "The critical infrastructure belongs to the private sector. They own it. The law enforcement people don't have the money or the horsepower to do it on their own."

Withers says that, although the Baltimore chapter has been well-received by the local community, some businesses still have reservations about working with federal law enforcement officials.

"You have to cut through some of the misconceptions," Withers says. "A lot of people say, 'The FBI comes in and takes your computers. They tell everyone what's going on, and it's bad press for your company.' That couldn't be more different from what the reality is."

InfraGard is a good option for companies that want to participate in the CIP effort but are wary of ISACs because they may share vulnerability information with competitors.

"How would you feel about one of your competitors having your information?" Withers asks. "I think I would trust the government more than I would my competitors."


InfoWorld