DHS Info Sharing Program Starts Slowly

Only 3 of 16 Critical Infrastructure Sectors Join Initiative
The energy sector partakes in the Enhanced Cybersecurity Service program.

The Department of Homeland Security could do a better job getting critical infrastructure operators to participate in its Enhanced Cybersecurity Service program.

Only three of the 16 designated critical infrastructure sectors - defense industrial base, energy and communications services - participated in the Enhanced Cybersecurity Service, or ECS, initiative as of March.

Richard Harsche, acting assistant inspector general, says in a just-issued audit, titled Implementation Status of the Enhanced Cybersecurity Service Program, that DHS's Office of Cybersecurity and Communications, the National Protection and Programs Directorate unit running ECS, has not communicated effectively with critical infrastructure operators to inform them of the benefits of participating in the ECS program.

Harsche says the initiative has been slow to expand because of limited outreach and resources. In addition, he says, the lack of analysis and manual review has adversely affected the quality of cyberthreat information provided to commercial service providers, or CSPs.

Full Participation Expected

Andy Ozment, DHS assistant secretary for cybersecurity and communications, suggests the situation is not as dire as the audit implies, noting that by the end of 2014 all 16 critical infrastructure sectors should be ECS program participants.

CS&C - through the ECS program - provides cyberthreat indicators to CSPs, which, in turn, use this information to protect their clients, critical infrastructure entities. According to the DHS website, ECS is a voluntary information sharing program that assists critical infrastructure owners and operators as they improve the protection of their systems from unauthorized access, exploitation or data exfiltration. DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyberthreat information.

One of those organizations is the United States Computer Emergency Response Team, or U.S.-CERT, the DHS unit that's responsible for analyzing cyberthreats and vulnerabilities, disseminating cyberthreat warning information and coordinating incident response activities.

[Figure: ECS Data Flow. Source: DHS]

A CSP, or commercial service provider, is identified as a public or private company that receives threat information from DHS and uses it to offer specified services to critical infrastructure customers in a secure environment. OIs, or operational implementers, are qualified critical infrastructure entities that use cyberthreat information from DHS to protect their internal network only. All CSP security and information safeguarding requirements apply to OIs.

But U.S.-CERT does not have an automated system to process and analyze classified cybersecurity threat indicators that are important to secure critical infrastructure IT. U.S.-CERT analysts must manually review and manage all cyberthreat and technical information. Citing U.S.-CERT analysts, Harsche says an automated system to manage and process both sensitive and classified threat indicators would improve the efficiency of the program by reducing the amount of time needed to conduct manual reviews and allow for further analysis.

"U.S.-CERT does not have the capabilities to validate the accuracy of the indicators provided and determine whether they are unique to the ECS program," Harsche says.

Redundant Indicators

That could explain what one CSP told auditors: The threat information received from ECS was inconsistent and not exclusive to program participants. "Some of the threat indicators provided were redundant, formatting was not standardized and a majority of the information provided was unclassified and available through other sources," Harsche says.

"The success of the ECS program is dependent on CS&C's ability to provide critical infrastructure entities with reliable and specialized cyber threat information," he says. "Without an automated system to aggregate and analyze threat indicators expediently, resource-heavy manual reviews will persist."

The IG office offers three recommendations:

  • Ensure sufficient resources are available for the timely completion of the security validation and accreditation process for CSPs and critical infrastructures' internal operations that receive threat information;
  • Improve the ECS program's outreach efforts across all 16 critical infrastructure sectors, including service providers; and
  • Develop a system to manage and analyze sensitive and classified cyberthreat indicators for the ECS program.

DHS concurs with the recommendations, saying the system to manage and analyze sensitive and classified cyberthreat indicators was deployed in May, between the date the audit concluded and the date the report was issued.

Ozment also says the department had, as of May, entered into 22 memorandums of agreement with critical infrastructure operators interested in joining the ECS program. To address this increase in interest, he says CS&C has requested more resources to support the program in future years.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.