Security Info Sharing: A One-Way Street?
Government and the private sector sharing information about security threats - whether physical and digital - isn't a two-way street. What the government takes, it doesn't always give.
It's a problem highlighted in a just-released report, Efforts to Identify Critical Infrastructure Assets and Systems, issued Tuesday by the Department of Homeland Security's inspector general:
Several factors hamper DHS's ability to share information with its critical infrastructure/key resources partners. Although information submitted by states and sector experts is unclassified, the final lists are classified Secret. This presents an obstacle to stakeholders who do not have the necessary clearance. Threat information from intelligence agencies is also classified, which can be an impediment to information sharing. ... The intelligence on cyber threats to critical infrastructure control systems is not often shared with the owners of those systems.
The gap between stakeholder expectation and DHS reluctance to share critical information is something the inspector general feels can be resolved, and recommended that the department develop that would lead to greater sharing of final lists with partners and provide specific guidance to partners on sharing sensitive and classified information.
While DHS concurred with the recommendation, the IG wasn't totally satisfied with the department's response, which also involves sharing sensitive information with state governments.
There was no indication in its response on what actions will be taken to address this recommendation. We understand that protective security advisers and other DHS staff continue to work with states on sharing sensitive information. This recommendation will remain resolved and open until the department provides further information on how it will address greater sharing of lists.
No doubt DHS and its cohorts elsewhere in government, academia and business can figure out a way to furnish the owners of the nation's critical infrastructure with timely information regarding threats without exposing classified information.
The IG also noted that progress has been made in securing the cyber component of critical infrastructure operations, citing the National Infrastructure Protection Plan - a government document that aims to unify critical infrastructure and key resources - that states that cross-sector cyber work is inherently difficult. In its discussions with public and private experts across 15 sectors, the IG said, most understood the importance of cybersecurity.
However, many experts said that more pressing concerns, such as attacks on buildings or the possibility of biological contamination, are a higher priority. A security manager for one non-DHS sector-specific agency said that the sector has no cybersecurity concerns, while others believed that attacks on asset control systems would not create nationally significant problems. Some state experts suggested that staffing limitations or the need for more expertise hinders their cyber asset identification.
These issues may explain why most sectors have a limited emphasis on cyber criticality criteria. A criterion for the freight-rail subsector suggests that states submit cyber systems that would create a loss of signaling apparatus and disrupt the monitoring of rail cars in transit. A freight rail expert told us that cyber issues are vital to the market viability of railroad companies. Cyber disruption could have devastating economic consequences.
Specific cyber identification criteria for each sector would likely not improve cybersecurity overall. Many assets with cyber components are already identified on the lists without itemizing cyber systems or interdependencies. Sectors with greater concern about cybersecurity did note positive work with the Homeland Infrastructure Threat and Risk Analysis Center on cyber assets, and some regulatory entities, such as the Nuclear Regulatory Commission, help focus asset owners on enhancing cybersecurity. As DHS expands its risk analysis and understanding of cross-sector dependencies, the need for specific cyber criteria for various sectors may appear.
Even if some enterprise don't see cybersecurity as crucial as physical security of the nation's critical infrastructure, the IG report demonstrates how the two are inevitably linked.