There is an interesting
article over at FederalNewsRadio.com discussing some of the challenges that
DHS is trying to overcome in order to provide an information sharing
environment about cybersecurity issues. One of the issues raised in the article
concerns the difficulty that DHS is having in expanding the participation in
the Enhanced
Cybersecurity Services (ECS) program. This is the program established to
share classified threat information with potentially affected private sector
organizations.
Sharing Classified Information
In order to encourage the sharing of this classified
information, Congress has focused on directing the DHS Secretary to work on
reducing the red tape necessary to get security clearances for private sector
employees. Unfortunately, the effective sharing of classified information
requires a lot more than just providing security clearances; an infrastructure
must be put into place to receive, store and protect that information.
Security Requirements for Classified Information
Unless DHS is going to rely on couriers with manacled
briefcases to deliver and retrieve classified documents to and from private
sector organizations, some sort of secure communications equipment will have to
be installed. While modern crypto gear has certainly progressed past the point
of the equipment I used in the Army 30 years ago, this still requires special
equipment that must be secured against theft and tampering and requires some
level of training to operate. Even something as simple as a secure telephone
must be placed in an isolated room so that classified conversations may not be
overheard through other communications devices.
To be useful, classified threat information will have to be
discussed within an organization, documents will have to be prepared, stored
and shared, and provisions will have to be made for the destruction of
classified documents and devices. An entire information security apparatus,
maintained to government (i.e., military) standards, will have to be established,
maintained and periodically audited by a government agency.
Cost of Classified Infosec Program
Now, many organizations already work on classified projects
for the military or intelligence community, so they will already have this type
of operation in place. I would bet that the ‘seventeen or so’ companies that
are currently participating in the ECS program already had a DOD-approved
information security program in place. Establishing a military-grade infosec
program will just be too costly (in set-up and maintenance) to make it
worthwhile for most organizations based upon possible access to actionable
intelligence about a classified cyber-threat.
Alternative Required
No, while the ECS program will be viable for a limited
number of organizations that already have an infosec program in place, DHS is
going to have to come up with an alternative that does not rely on these
specialized information control measures. Someone is going to have to establish
a methodology for converting classified intelligence information into
actionable information for the private sector that only requires limited
infosec capabilities.
Readily achievable standards for the protection of that
information will have to be developed if DHS expects to establish a
cyber-threat information sharing capability that will involve the sharing of
high-quality threat information with the bulk of critical infrastructure
organizations. Something along the lines of the Chemical-Terrorism
Vulnerability Information (CVI) program used by the CFATS program would
probably be adequate since it has a manual that provides guidance on how to
mark and protect the information.