Friday, March 19, 2010
Counterterrorism Info to Private Sector
There is an interesting article over on FCW.com (Federal Computer Week web site) about a new program being planned by DHS to share classified anti-terrorism information with private industry (thanks to DHS CERT Control Systems web page for the link). The Cybersecurity Partners Local Access Program (CPLAP) will provide security clearances for select cybersecurity professionals in industry so that they can be informed about cybersecurity threat information. The distribution of information would be through local fusion centers that are already set up to provide such classified information to local law enforcement personnel. The CPLAP would also, according to the article, “allow industry officials to build relationships with their local fusion centers”. The cybersecurity officials would be from a variety of critical infrastructure sectors, presumably including the Chemical Sector. ChemPLAP Needed for CFATS I have been advocating for a while now that DHS should establish this type of information sharing as part of the CFATS program. I don’t know that DHS (or any other part of the intelligence community) has any particular intelligence related specifically to chemical facility security, but the time to establish this type of program is actually before actionable intelligence becomes available. The Infrastructure Security Compliance Division (ISCD) really does need to get started on establishing a ChemPLAP (Chemical Partners Local Access Program) for the CFATS community. With the inevitable funding and time constraints involved, they should probably concentrate first on Tier 1 facilities. Expansion to the other Tiers would proceed after the bugs were worked out of the program. InfoSec Problems The biggest obstacle to this type of information security (InfoSec) program is getting the appropriate security clearances for the civilians involved in the program. Having dealt with the security clearance program in the Army (and running it at the Company and Battalion level), I know how difficult it is to keep up with the bureaucratic requirements of the process. Throw in the background check requirements (though these are not too extensive for Secret level clearances) and you have a time consuming process on both ends of the system. There are other potential problems in establishing this type of program. Participants need some training about handling and disseminating classified information. Secure communications and storage need to be addressed. Proper classified document destruction procedures need to be established and followed. Finally there needs to be an audit process established to ensure that classified information is actually being protected in accordance with the proper laws and regulations. The article says that the industry professionals will have to go to their local fusion center to get the information. Presumably this is because of the need for secure communications links that are already available at these locations. If there is a prohibition against taking classified documents out of these centers, then many of the previously mentioned problems will be greatly reduced. Open Source Intelligence Of course, most of the InfoSec problems can be avoided if DHS were to establish an active open-source intelligence collection, processing and reporting program. Now, just because the information comes from open sources, doesn’t mean that the resulting intelligence products will be uncontrolled products. The process of analyzing and reporting makes the resulting information sensitive at the very least. Fortunately ISCD already has a methodology for handling and disseminating sensitive, but unclassified material. The Chemical Vulnerability Information (CVI) program is already in place at all CFATS covered facilities. This program should be adequate to protect intelligence products from open source information. The Chemical Security Assessment Tool (CSAT) could be adapted for the dissemination of CVI protected intelligence reports, with each facility designating one or more Intelligence Officers for access to an Intelligence Tool. I am glad to see that DHS is starting the move to making classified counterterrorism information available to industry professionals. Limiting that information sharing to the cybersecurity community is less helpful. Every sector needs this type of capability, but the CFATS community is probably the best organized to implement and successfully use such a program.