There is an interesting article over at FederalNewsRadio.com discussing some of the challenges that DHS is trying to overcome in order to provide an information-sharing environment for cybersecurity issues. One of the issues raised in the article concerns the difficulty that DHS is having in expanding participation in the Enhanced Cybersecurity Services (ECS) program. This is the program established to share classified threat information with potentially affected private sector organizations.
Sharing Classified Information
In order to encourage the sharing of this classified information, Congress has focused on directing the DHS Secretary to work on reducing the red tape necessary to get security clearances for private sector employees. Unfortunately, the effective sharing of classified information requires a lot more than just providing security clearances; an infrastructure must be put into place to receive, store and protect that information.
Security Requirements for Classified Information
Unless DHS is going to rely on couriers with manacled briefcases to deliver and retrieve classified documents to and from private sector organizations, some sort of secure communications equipment will have to be installed. While modern crypto gear has certainly progressed past the point of the equipment I used in the Army 30 years ago, it is still special equipment that must be secured against theft and tampering and that requires some level of training to operate. Even something as simple as a secure telephone must be placed in an isolated room so that classified conversations cannot be overheard through other communications devices.
To be useful, classified threat information will have to be discussed within an organization, documents will have to be prepared, stored and shared, and provisions will have to be made for the destruction of classified documents and devices. An entire information security apparatus, maintained to government (i.e., military) standards, will have to be established, maintained and periodically audited by a government agency.
Cost of Classified Infosec Program
Now, many organizations already work on classified projects for the military or intelligence community, so they will already have this type of operation in place. I would bet that the ‘seventeen or so’ companies that are currently participating in the ECS program already had a DoD-approved information security program in place. For most other organizations, establishing a military-grade infosec program will simply be too costly (in set-up and maintenance) to be worthwhile when the only payoff is possible access to actionable intelligence about a classified cyber-threat.
No, while the ECS program will be viable for the limited number of organizations that already have such an infosec program in place, DHS is going to have to come up with an alternative that does not rely on these specialized information control measures. Someone is going to have to establish a methodology for converting classified intelligence into actionable information for the private sector that requires only limited infosec capabilities to protect.
Readily achievable standards for the protection of that information will have to be developed if DHS expects to establish a cyber-threat information sharing capability that shares high-quality threat information with the bulk of critical infrastructure organizations. Something along the lines of the Chemical-Terrorism Vulnerability Information (CVI) program used under CFATS would probably be adequate, since that program already has a manual providing guidance on how to mark and protect the information.