Last year, President Obama directed the U.S. Department of Homeland Security to open a program for sharing classified and unclassified cybersecurity information to 16 “critical infrastructure” sectors, including state and local governments. But word of the information-sharing initiative doesn't seem to be reaching state security officials.
Three state chief information security officers (CISOs) were contacted by Government Technology and none of them were familiar with the DHS Enhanced Cybersecurity Services program. Designed to pass along “indicators” of hacker threats, the program was expanded by executive order in early 2013. It previously was restricted to federal defense contractors.
The three state CISOs expressed interest in taking part in the Enhanced Cybersecurity Services program, but were struggling to find information about the initiative and what their involvement would entail. Government Technology contacted Herb Josey, acting deputy director of external affairs from the DHS Office of Cybersecurity and Communications for more information, but he was unable to provide documentation before press time.
“We would definitely be interested in more information as we are always looking for more avenues for information exchange that will further our cyber intelligence program,” one state CISO said.
A recent federal report on the DHS program revealed that just three of the 16 industries were taking part in the program – energy, communications services and the defense industrial base. Just two Internet service providers (ISPs), CenturyLink and AT&T were authorized to receive and load the indicators.
Richard Harsche, acting assistant inspector general for information technology audits for DHS, wrote in the report that enrollment in the program has been slow because of limited outreach and resources. He also noted that cyberthreat data sharing is based on manual reviews and analysis by the National Protection Programs Directorate (NPPD), which has resulted in inconsistent indicator quality.
But Alan Paller, director of research for the SANS Institute, a cybersecurity research and training organization, had a different take. He said the reason why some industries -- especially state and local governments -- weren’t using the program is due to the resources it takes to put the classified and unclassified data to use.
Paller explained that specialized equipment is needed on-site to read and process the classified data that DHS distributes through the program -- regular computers won’t suffice. Most states, cities and counties don’t have the financial means to acquire the technology, he said.
In addition, even if state and local government technology offices had the right equipment, Paller said they probably don’t have the technical people on-staff to assess the impact of automatically using the program’s data.
“I think they don’t know about it because the people using it aren’t in state and local government,” Paller said. “It’s hard to use the classified parts, and the unclassified parts are too close to what they can get from other people.”