Shared Intelligence Makes Everyone Smarter
Print Issue: January 2004
If someone were to write the book Everything I Need to Know About Homeland Security I Learned in Kindergarten, chapter one would be called “Sharing.” Just as we were encouraged to let schoolmates use our things and join our games, the book would tell us, so should we share certain information with law enforcement, government, and industry—even competitors. In school, sharing yielded perhaps a new friend or experience. In business and government, information sharing yields a network of allies to prevent and protect against terrorism and other threats.
This lesson has not been lost on the government or the security profession. The Homeland Security Information Sharing Act of 2002 reflects this realization, allowing the president to establish procedures for federal agencies to share homeland security information. Law enforcement and private and public sector security professionals have meanwhile been marshaling technology and sharpening networking skills to bridge the knowledge gap.
While some progress has been made, these efforts have also resulted in a confusing, sometimes overlapping, array of programs—each with its own champion—bringing together various levels of business, government, and law enforcement. The following discusses some of the more significant efforts involving federal authorities and what they have achieved.
InfraGard. Perhaps one of the best-known public-private information-sharing partnerships is the InfraGard program, launched in 1996 to fight cyber and physical threats to critical infrastructures. About 80 local chapters, comprising industry and FBI representatives, dot the country from Albany to Sacramento. A national board links the chapters together.
Among InfraGard members contacted for this article, the consensus is that the program works best at the chapter level. For example, John Bumgarner, president of InfraGard’s 418-member Charlotte, North Carolina, chapter, says that the program “works well because it’s a grassroots project.” Much of the information exchange is conducted in person at chapter meetings and events, such as recent presentations in Charlotte on common hacker attacks and local vulnerability to terrorism.
While information sharing within chapters and among certain chapters is excellent, Bumgarner says that networking nationwide “needs improvement.” InfraGard also faces the challenge of trying to encourage businesses to provide information to government.
“It’s a one-way street right now,” says Bumgarner. That’s due in part to mistrust of government and fears that, despite recent federal legislation creating some protections, any information provided privately to government could be forced into the public domain through the Freedom of Information Act (FOIA) or similar state statutes. While Bumgarner still champions InfraGard, he says that, given its current limitations, he supplements it with other information-sharing networks including the Secret Service’s local electronic crimes task force. He also networks with contacts in several professional associations.
InfraGard is aggressively addressing these issues for its 10,000 or so members, says Dr. Phyllis A. Schneck, chair of InfraGard’s National Executive Board. For example, it is developing partnerships to bring Department of Homeland Security (DHS) representatives into the information-sharing mix.
But the FOIA issues are tricky. “InfraGard has exemptions in FOIA which enable information to be shared between InfraGard members and FBI InfraGard coordinators and agents without fear that that information is subject to FOIA,” explains Schneck. That information only becomes public record if the supplying company prosecutes a case based on that data. However, Schneck concedes that these FOIA exemptions haven’t yet been tested in court.
Schneck adds that all InfraGard members have been subjected to an FBI background check. Moreover, information is “sanitized” before being shared to remove identifying characteristics. Both moves are intended to further increase the comfort level to enhance information sharing among all parties.
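The sanitizing step Schneck describes, removing identifying characteristics before an incident report leaves the member company, is the kind of thing that is easy to get subtly wrong (a stray e-mail address or internal hostname undoes the whole exercise). The following is an added example of such a sanitizer, not InfraGard’s or the FBI’s code, and the sample report, company name and domain in it are constructed. It keeps the external source address, which is the actionable part of a report, replaces RFC 1918 addresses with stable placeholders so an analyst can still tell that two events hit different hosts, and removes the member’s name, e-mail addresses and internal hostnames.

```python
import ipaddress
import re

# Constructed sample incident report; the company, hosts and addresses are invented.
SAMPLE_REPORT = """Incident 2004-01-07: Acme Widgets Inc. observed repeated SSH login
failures against 10.20.30.40 (buildsrv01.acme-widgets.example) from 203.0.113.77.
Reported by j.doe@acme-widgets.example; escalated to soc@acme-widgets.example.
A second host, 10.20.30.41, saw the same source 203.0.113.77 ten minutes later."""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Only RFC 1918 space counts as "internal" here. Note that Python's
# ip_address(...).is_private would also flag documentation ranges such as
# 203.0.113.0/24, which would hide the very source address we want to share.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(raw_ip):
    """True if raw_ip parses as IPv4 and lies in RFC 1918 space."""
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def sanitize_report(text, org_name, org_domain):
    """Return (sanitized_text, mapping) for a free-text incident report.

    Internal addresses become INTERNAL-HOST-n placeholders (same address, same
    placeholder, so correlation inside the report survives); e-mail addresses,
    hostnames under org_domain and the organisation's name are replaced outright.
    External addresses are left as-is.  mapping is kept by the submitter only.
    """
    mapping = {}

    def host_token(match):
        raw = match.group(0)
        if not is_internal(raw):
            return raw
        if raw not in mapping:
            mapping[raw] = f"INTERNAL-HOST-{len(mapping) + 1}"
        return mapping[raw]

    out = IPV4_RE.sub(host_token, text)
    # E-mail addresses first, because they also contain the organisation's domain.
    out = EMAIL_RE.sub("[EMAIL]", out)
    hostname_re = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\." + re.escape(org_domain) + r"\b")
    out = hostname_re.sub("[INTERNAL-HOSTNAME]", out)
    out = re.sub(re.escape(org_name), "[MEMBER]", out, flags=re.IGNORECASE)
    return out, mapping


if __name__ == "__main__":
    clean, kept_locally = sanitize_report(SAMPLE_REPORT, "Acme Widgets", "acme-widgets.example")
    print(clean)
    print("mapping retained by submitter:", kept_locally)
```

The mapping returned alongside the text stays with the submitting company; the shared copy carries only the placeholders, while the external address that other members need to act on is untouched.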
If InfraGard succeeds in increasing the flow of information, its leadership also knows that data analysis will become a big issue. In anticipation of that need, the group is now reaching out to the DHS, which has agreed to analyze the data, with the results coming back to InfraGard members by industry sector, Schneck says.
ISACs. Corporate reluctance to share information has also hampered the effectiveness of Information Sharing and Analysis Centers (ISACs). Established by Presidential Directive 63 (PDD 63) in 1998, ISACs are organizations that pull together major players in a single area of critical infrastructure (such as water, transportation, banking, or telecommunications) and facilitate sharing of information on vulnerabilities, threats, and breaches among those players, whether in private industry or government. (Originally, the National Infrastructure Protection Center—NIPC—represented the government in ISACs, but its role has been transferred to DHS’s Information Analysis and Infrastructure Protection Directorate. As of press time, the Bush Administration was recasting PDD 63 to reflect the creation of DHS and to further emphasize ISACs.)
The dozen or so functioning ISACs (a few of which represent industries that haven’t been identified as critical infrastructures) have had mixed success. Last year, the U.S. General Accounting Office (GAO) concluded that private industry participants feared that they “could potentially face antitrust violations for sharing information with other industry partners, have their information subject to [FOIA requests], or face potential liability concerns for information shared in good faith.” Of five ISACs scrutinized by GAO auditors, three (the IT, energy, and water sectors) said that they refused to share their libraries of incidents and historical data with the government due to FOIA concerns; the energy ISAC also pointed to antitrust concerns. To encourage private-sector participation, the GAO has called for “public-policy” inducements, such as grants, tax incentives, and regulations.
Last April, representatives from 10 ISACs banded together to form the ISAC Council. The body, which encourages cross-fertilization of ideas among sectors and a sound understanding of interdependencies, may remedy some of the problems, in part by creating a data-sharing protocol, according to recent congressional testimony by Robert F. Dacey, the GAO’s director of information security issues. “In addition, the council will develop analytical methods to assist the ISACs in supporting their own sectors and other sectors with which there are interdependencies and establish a policy to deal with matters of liability and antitrust,” Dacey told Congress.
A few ISACs, such as telecommunications, have been recognized as exemplars. In testimony before the House of Representatives, AT&T’s Frank Ianna credited part of his industry’s ISAC success to government funding. As a result, he explains, “the core infrastructure and round-the-clock staffing is not borne exclusively by the private sector, as is the case with other ISACs.”
Liz Gasster, public policy director and a senior attorney at AT&T who works closely with the telecom ISAC, also attributes the ISAC’s track record to its longevity; it functioned as an ISAC even before such a designation existed. It was established in 1984 to function as a government and industry forum for telecommunications security and service restoration. When the presidential directive was issued, the organization essentially only had to change its name.
Another contributing factor to the ISAC’s effectiveness, Gasster adds, is that it is “a physical 24/7 operation, not just virtual.” The largest telecom companies assign representatives full time to the offices of the government’s National Communications System (which operates the ISAC), where they work together daily. “They know each other well,” says Gasster, “and they agree to share information with the caveat that no one will take marketing advantage.” Any competitor information that will be used by another company is sanitized, she says.
Because the government provides offices, a 24-hour watch desk, and computers, “there’s a real quid pro quo,” Gasster says. Companies have received information or assistance from government that has yielded tangible benefits. After 9-11, for example, AT&T needed to do recovery work at Ground Zero. Officials from the National Communications Center and National Coordinating Center for Communications helped get the company authorization to enter the perimeter. These officials also helped to arrange military transport for AT&T personnel stranded in California in the wake of 9-11 after airspace was shut down, something the company’s disaster recovery plan did not contemplate.
IAIPD. The Information Analysis and Infrastructure Protection Directorate (IAIPD) is part of DHS. The IAIPD has taken on the roles that had been the domain of the former NIPC and the former Critical Infrastructure Assurance Office. The IAIPD serves as a center for the collection, assessment, and dissemination of information about cyber and physical threats and how to respond to them. Its information-sharing role largely comprises sending information bulletins to the private sector and distributing summaries of relevant news articles. It also coordinates ISAC activity.
Critics like Internet security guru Marcus Ranum have attacked the IAIPD as irrelevant given its lack of authority. In his new book, The Myth of Homeland Security, Ranum asks, “How is the NIPC supposed to make a positive impact when the only way they can bring about change is by asking nicely?” Credibility is also a problem, according to Ranum, who writes, “Many of NIPC’s alerts are essentially derived from the alerts issued by commercial product manufacturers, which makes private-sector organizations wonder if NIPC exists to do much more than to paraphrase and summarize alerts that have already been issued by commercial antivirus or security companies.”
MATRIX/ATIX. The Multistate Antiterrorism Regional Information Exchange (MATRIX) is a pilot project in which several states have access to various criminal databases maintained by federal, state, and local governments. These databases contain such information as criminal records, driver’s license data, marriage certificates, Social Security numbers, and vehicle registration records. Funded by a $4 million grant from the Department of Justice and spearheaded by the Florida Department of Law Enforcement, MATRIX is an attempt to increase the exchange of information on persons suspected of terrorism and other crime among government authorities.
Communication and data access occur through the Regional Information Sharing System (RISS), a secure network that had been used to transmit sensitive information between law enforcement agencies before the establishment of MATRIX. The network is based on standards that enable state and federal systems to interoperate. Each state has been assigned a Web site on the RISS intranet, which is secured via virtual private network; states use the site to post and find antiterrorism information.
MATRIX is off to a rough start, however. Fourteen states had signed onto the project early on, but that number had been halved (remaining members include Florida, Michigan, and New York) as of November. One of the dropouts is Louisiana. Lt. Walter Wolfe of the Louisiana State Police explains that while the pilot was appealing, funding and privacy concerns ultimately led the state to opt out.
Wolfe elaborates that the pilot project has two aspects: a secure network for states to discuss what they are experiencing on the terrorism front and a “data crunching” process whereby states submit data on their residents, which are compiled and analyzed. The first problem, Wolfe says, is that federal funding only covers the creation of these databases: In future years, “we’d have to support and maintain it for $1.7 million per year.”
Of equal concern were privacy and information-control issues. The data mining per se wasn’t the problem, Wolfe says; the data would be crunched by a private company. “Our concern was about being able to maintain who had access to that, what was being done to the data that was being extracted,” Wolfe says. In addition, it wasn’t clear how readily updates to criminal and driver’s license records could be inserted into the databases.
MATRIX has also been rejected by Alabama because of cost concerns. Martha Earnhardt, information manager for the Alabama Department of Public Safety, says that the department is interested “but just doesn’t have the money at this point.” In fact, she says, the department has suffered an 18 percent cut in general appropriations.
Various civil liberties groups have questioned MATRIX as well. For example, the Electronic Frontier Foundation warns that MATRIX “aims to give state law enforcement agencies across the nation a powerful new tool for analyzing personal records of both criminals and ordinary Americans.”
A close cousin of the MATRIX program, in everything from name to communication network (RISS) to sponsorship (Justice) to function, is the Antiterrorism Information Exchange (ATIX). The exchange’s inaugural users are located in Colorado, Arizona, Tennessee, Delaware, and Hawaii.
While MATRIX has a data-analysis component, however, ATIX simply involves the sharing of information among law enforcement officials, not the cross-fertilization of databases. As the GAO has explained in a brief description of the system, the FBI and other federal agencies link to ATIX via Law Enforcement Online, the FBI’s “system for sensitive-but-unclassified law enforcement data that provides an encrypted communications service for law enforcement agencies on a virtual private network.”
Users can exchange information on ATIX via a Web page and on a bulletin board. ATIX also serves as a conduit for the FBI, DHS, and other agencies to distribute security alerts via e-mail on a need-to-know basis to certain private industry groups, the public health community, school systems, emergency management agencies, and other bodies.
GuardNet. GuardNet, the Army National Guard’s broadband network, allows real-time communication among 2,700 National Guard facilities across the country. During the 9-11 attacks, the network was pressed into service for communications among the 50 states. Given that success, GuardNet has been under consideration for homeland security duty. “We are currently having discussions with various organizations involved in homeland security to identify their requirements and determine how GuardNet can help meet some of those needs,” says Major Ellen Krenke, a National Guard spokesperson.
Maureen T. Lischke, chief information officer for the National Guard, explains that nothing has been finalized yet because DHS and other newly formed bodies with an interest in the project have had to get up and running before considering it seriously. “Once they were created and their missions defined, we then started the conversations with them,” Lischke says.
Part of the appeal of the system is its track record, says Jeffrey H. Joseph, CEO of Community Learning and Information Network, the nonprofit organization that helped develop GuardNet. For instance, it has been used to remotely train members of the National Guard in more than 300 classrooms, a training system that could be expanded to local first responders.
Now may be an opportune time to do what is needed to expand GuardNet. Each of the states’ (plus three territories’ and the District of Columbia’s) National Guard units is consolidating its facilities to a central location, which entails consolidating the networks, says Krenke. “GuardNet currently is undergoing a modernization effort to migrate from ATM [asynchronous transfer mode] to IP [Internet protocol] technology,” she says.
She says that while GuardNet is a feasible medium for homeland security communications—and it even “performs some of that mission today”—it is not a panacea. “GuardNet should be viewed as one of a number of existing networks, which, upon integrating them together, can provide much of the necessary coverage,” Krenke says.
Intelink. Intelink is a CIA-operated intranet designed to link classified databases held by the CIA, FBI, Secret Service, National Security Agency, and other U.S. intelligence agencies. Although it has been in existence since 1994, it only gained significant attention and use after 9-11.
Because the range of information on Intelink is so wide, it is divided into user categories for different groups, such as the military. The sensitive content also calls for a multilayered security approach, which includes strong cryptography and authentication through a public key infrastructure.
One ex-CIA intelligence agent says that Intelink is adequate but could stand improvement. Larry Johnson, now a principal with BERG Associates in Washington, D.C., calls Intelink “a mirror image of the Internet,” in that it contains a lot of scattered information. “You have to know what you’re looking for and how to navigate it,” he says. In addition, Johnson has found that important data, such as archival information, can’t be found on Intelink. As an example, he says that a user can find the State Department’s annual Patterns of Global Terrorism for 2002, but not for prior years. “At the point where you can’t pull up historical information, the Internet itself is more helpful,” Johnson says. But he points out that many members of the intelligence community are not granted access to the Internet because it is an open medium.
CEO COM Link. Online communication is not always the favored approach; some corporate executives would prefer to pick up the phone. That’s the methodology behind Critical Emergency Operations Communications (CEO COM) Link, which allows business and government to trade information on imminent threats for the purpose of response and recovery. Formed in the wake of 9-11, CEO COM Link is a project of the Security Task Force of the Business Roundtable (an organization of 150 top chief executive officers who cumulatively operate a substantial percentage of U.S. critical infrastructures). Its goal was to help ensure that these companies and government officials could obtain real-time situational information in an emergency. The link, a secure dialup network, can be activated by the CEO of the Roundtable or a high-ranking member of DHS with CEO COM Link credentials.
In the event of a perceived need to activate the system, member CEOs are alerted (a CEO COM Link spokesperson declined to specify the alert mechanisms) to dial into a secure conference call at a certain time, where they are briefed by DHS Secretary Tom Ridge. In certain cases, the companies can pass the information to other businesses, says Marian Hopkins, director of the Security Task Force. In addition, information is passed, as necessary, to “partnering” organizations in the chemical, water, and financial services industries, says Hopkins.
While officials at the Business Roundtable are unwilling to divulge specifics, the system has been activated at least four times. Early last year, the St. Petersburg Times reported that Ridge activated CEO COM shortly before he raised the terror threat level from elevated to high. According to the Times, Ridge recommended that companies deploy more guards, step up access control, closely monitor trucks and activity in parking garages, and protect ventilation systems.
Hopkins gives CEO COM Link high praise: “The use it has had so far makes me extremely confident that it works and that it works well,” she says, pointing to the large participation of member CEOs and DHS’s appreciation for the forum.
BITS—a nonprofit consortium of the 100 largest U.S. financial institutions—has a similar information-sharing system, called Crisis Communicator. BITS CEO Catherine Allen has described it to Congress as a “high-speed, automated alert system that allows BITS… to bring together CEOs, CIOs, crisis management executives, and government officials in a matter of minutes.”
SECURE. Ridge recently announced the launch of yet another communication effort, Homeland Security’s Strategic Communications Resources Effort (SECURE) Initiative. Little has been made public about this program, but what is known is that all 50 states, as well as two territories and the District of Columbia, can now communicate with each other and DHS over secure phones and videoconferencing equipment. According to DHS, currently all state governors now have secure telephones and teleconferencing ability, and DHS is arranging for five more officials from each jurisdiction to join the communication network.
Datacasting. Also proposed as a means of sharing data among government and business is digital broadcasting. For over a year, the Association for Public Television Stations (APTS) has been rallying support for a homeland security public safety network using public television’s wireless digital broadcasting ability—190 of the 357 U.S. public television stations have already gone digital, and the rest are under federal mandate to do so.
Under this system, law enforcement might send emergency or terrorist threat information (in the form of video, audio, text, maps, and so on) to its local public TV station. From there, it would be encrypted, inserted into the broadcast signal, and, without interfering with the signal, “datacasted” to schools, businesses, government offices, or other relevant sites. Capturing the data on a PC and unscrambling it would require the installation of a special tuner card that costs about $300 and a small antenna, which adds another $30 to the cost of the system.
John Lawson, president and CEO of APTS, touts the advantages over other media. He says that data transmission is nearly instantaneous, bypassing wired and wireless services, which can be overrun during emergencies. He also points out that the system is “addressable,” so public safety officials can send information to specific parties.
Stations in Kentucky, Missouri, Texas, Nevada, and elsewhere already use their signal to send crime information, weather alerts, bioterror warnings, and similar information. Government response to the initiative has been favorable but reserved. “We’ve received an almost universal positive response, but we’ve yet to identify a champion who will embrace [this],” says Lawson.
A major goal of APTS is for the federal government to bless datacasting by mentioning it as a viable initiative for states and localities receiving grant dollars for emergency communications. “We just want public television to have a seat at the table as these new systems are planned and deployed,” Lawson says.
GEWIS. Many information-sharing programs deal strictly or primarily with threats to or intrusions into computer networks and systems. One pilot program that came online this past October is DHS’s Global Early Warning Information System (GEWIS), which measures traffic flow and activity on the Internet and reports potential cyberattacks or disruptions to government and industry. GEWIS has been described as the cyber counterpart of the Terrorist Threat Integration Center, a storehouse of data contributed by police and intelligence agencies. But the program has been decried by skeptics as a “flow meter” that simply detects when online activity increases, which isn’t always indicative of an attack.
Marcus Sachs, who was heavily involved in GEWIS until his recent move to the private sector, says the system is designed to look at activity at certain routers, domain name servers, and other critical points, which can have value. In its earliest testing stages, for example, GEWIS even detected power fluctuations in the Northeast during the August blackout, but no one knew what those fluctuations meant at the time, Sachs says.
Due to privacy concerns, GEWIS will not look at message content, Sachs says. “It’s all about performance,” he adds, “not what’s in a message.” Fears that private communications could be compromised led to the downfall of the similar Federal Intrusion Detection Network (FIDNet) a few years ago.
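The “flow meter” criticism and Sachs’s “performance, not what’s in a message” description can both be seen in a few lines of detection logic. The following is an added illustration, not GEWIS’s design or code: per-minute flow counts at three monitoring points are constructed, and an alert fires when a minute’s count sits more than three standard deviations above the preceding five-minute baseline, with no payload ever inspected. Minute 5 at router-A is a purely local surge (the kind of flash crowd that is not an attack) and trips the flow meter just as minute 11, which appears everywhere, does. The corroboration across vantage points is my own assumed refinement, shown only to demonstrate that a flow-only system can be made less noisy without looking at content.

```python
from statistics import mean, pstdev

# Constructed per-minute flow counts at three monitoring points (not GEWIS data).
# Minute 5 is a surge seen only at router-A; minute 11 is seen at all three points.
FLOWS_BY_VANTAGE = {
    "router-A": [100, 102, 98, 101, 99, 400, 100, 103, 97, 101, 100, 350],
    "router-B": [200, 198, 203, 201, 199, 201, 200, 202, 198, 200, 199, 700],
    "dns-C":    [50, 52, 49, 51, 48, 50, 51, 49, 52, 50, 49, 180],
}


def volume_alerts(counts, window=5, z_threshold=3.0, std_floor=1.0):
    """Pure flow-meter logic.

    For each minute after the first `window` minutes, compute the mean and
    population standard deviation of the preceding `window` counts and alert
    when this minute's count exceeds the mean by z_threshold deviations.
    std_floor avoids division by zero on a perfectly flat baseline.
    Returns the list of alerting minute indices.
    """
    alerts = []
    for i in range(window, len(counts)):
        baseline = counts[i - window:i]
        mu = mean(baseline)
        sigma = max(pstdev(baseline), std_floor)
        if (counts[i] - mu) / sigma >= z_threshold:
            alerts.append(i)
    return alerts


def corroborated_alerts(flows_by_vantage, min_vantages=2, **kwargs):
    """Assumed refinement (not GEWIS's): report a minute only when the
    flow-meter rule fires at min_vantages or more monitoring points at once.
    A surge confined to one site is dropped; a broad event is kept."""
    votes = {}
    for name, counts in flows_by_vantage.items():
        for minute in volume_alerts(counts, **kwargs):
            votes.setdefault(minute, set()).add(name)
    return sorted(m for m, names in votes.items() if len(names) >= min_vantages)


if __name__ == "__main__":
    for name, counts in FLOWS_BY_VANTAGE.items():
        print(f"{name}: flow-meter alerts at minutes {volume_alerts(counts)}")
    print("corroborated across >=2 vantage points:", corroborated_alerts(FLOWS_BY_VANTAGE))
```

Run as-is, router-A alerts at minutes 5 and 11 while the corroborated view keeps only minute 11; the local surge at minute 5 is exactly the case the skeptics quoted above have in mind, and nothing in either function reads a byte of message content.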
CWIN. Closely associated with GEWIS is the Cyber Warning Information Network (CWIN), a vehicle for government and business to share cyber alerts and warnings over a secure network. “You notice problems on GEWIS; you talk about it on CWIN,” explains Sachs. He adds that it is designed to link about 75 network operation centers in the United States, 60 of which belong to the private sector. As of October, the network infrastructure was more than 50 percent complete, according to DHS officials.
Sachs says that much of the success of CWIN, which was just getting rolling as of press time, depends on “a positive command-and-control-structure.” Also, DHS needs to run CWIN like it does other emergency networks, “with plenty of drills, exercises, and daily information available only on CWIN so that the companies and agencies connected to it will use it.”
SHARE. With authorization from the USA Patriot Act, the Secret Service has been establishing a nationwide network of electronic crimes task forces, based on such a task force developed in New York in 1995. Thirteen cities now have such task forces, with Cleveland just up and running as of the time of this writing. The task forces are authorized to investigate computer attacks, identity fraud, and other incidents with and without homeland security implications.
Although they have tended to focus on the financial community, such task forces are a burgeoning source of good information for industry, says Bumgarner. One notable example is an information-swapping initiative that was recently launched. Under SHARE (Systematic Homeland Approach to Reducing Exploitation), the Secret Service and U.S. Immigration and Customs Enforcement (ICE) “will jointly conduct semiannual meetings with executive members of the financial and trade communities impacted by money laundering, identity theft, and other financial crimes,” according to a government statement. At these meetings, Secret Service agents and ICE analysts will share relevant data pertaining to their investigations.
CIDDAC. End users, vendors, and the Philadelphia Chapter of InfraGard recently joined forces to create a partnership and their own network for sharing computer-based threats. Dubbed the Cyber Incident Detection and Data Analysis Center (CIDDAC), it aims to overcome industry resistance to information sharing by giving government nonproprietary data on attacks and trends.
So-called Real-time Cyber Attack Detection Sensors would be placed on the outside of a member organization’s network, similar to the way a honeypot is deployed, to detect incidents and attack signatures. Data would be sent to and analyzed at an operations hub at the University of Pennsylvania. The ultimate goal is to deploy enough sensors so that any attacks on infrastructure such as the power grid could be quickly detected.
John Chesson, coordinator of InfraGard’s Philadelphia chapter, says that automation is the key to this system. “The conclusion today is that to accurately defend against cyberintrusion-type of events, there needs to be an automated reporting system in place,” he says. “Attacks occur at the speed of light,” he says, and the more human involvement in analyzing them, the longer the delay in finishing the analysis and seeking a solution.
A possible obstacle is that participating organizations would have to enter into a service contract to use the sensors and monitoring services, and they might be unwilling to bear the expense. The system can only work if most companies are willing to participate. Although it has been reported that insurance company American International Group will reduce premiums for customers who use CIDDAC sensors, an AIG spokesman says the insurer is “technology agnostic” and that a blanket benefit tied to CIDDAC doesn’t exist.
Results. As this plethora of alliances and technologies shows, there is great interest in improving information sharing and considerable activity toward that end. But the extent to which progress is being made is less clear.
One problem remains the lack of a coherent overarching approach to sharing. The GAO voiced that concern in a recent report. In the report, the GAO stated that “no national plan to facilitate information sharing yet exists that clearly delineates the roles and responsibilities of federal and nonfederal CIP [critical infrastructure protection] entities, defines interim objectives and milestones, sets time frames for achieving objectives, and establishes performance measures.”
Moreover, GAO auditors wrote that the piecemeal approach to information sharing has yielded “ineffective communication among the federal, state, and local governments that has resulted in untimely, disparate, and at times conflicting communication between those who need it most.”
Another obstacle remains the continuing hesitancy of some in government to share what they know. In a survey of federal, state, and city officials, GAO auditors were told that “information on threats, methods, and techniques of terrorists was not routinely shared; and the information that was shared was not perceived as timely, accurate, or relevant.”
Federal authorities acknowledged that they were reluctant to share data with state and local agencies. Among other concerns, the authorities feared that state and local governments would be unable to adequately secure classified information.
While sharing may be a skill learned in kindergarten, it is clear that getting disparate groups to share homeland-security information is anything but elementary. Despite the difficulties, everyone involved recognizes that this is one subject they cannot afford to fail.
Michael A. Gips is senior editor at Security Management.