[ISN] Report: Private Sector Too Wary Of Sharing Security Information

From: InfoSec News (isn@private)
Date: Wed Jul 28 2004 - 00:52:03 PDT


By Thomas Claburn 
July 27, 2004

The Department of Homeland Security and private industry aren't doing
enough to exchange information related to threats to critical
infrastructure such as IT and telecom networks, the banking system, or
the food supply, a report issued Tuesday finds.

A Government Accountability Office report offers recommendations to
the Department of Homeland Security to improve the protection of
national critical infrastructures in 13 sectors. GAO, the research arm
of Congress formerly known as the General Accounting Office, suggests
developing a plan for information sharing that more clearly describes
the responsibilities of DHS and of private-sector information-sharing
centers, which were created to pool data on the threats and
vulnerabilities most relevant to each critical industry. The report
also calls for establishing policies and procedures for agency
interaction and the coordination of information sharing.

"Sharing information between the federal government and the private
sector on incidents, threats, and vulnerabilities continues to be a
challenge," the report says.

The report notes that the private sector's approach of collecting data
through information-sharing and analysis centers, or ISACs, isn't
working because companies fear the data will become public. "Much of
the reluctance by ISACs to share information has focused on concerns
over potential government release of that information under the
Freedom of Information Act, antitrust issues resulting from
information sharing within an industry, and liability for the entity
that discloses the information," the report says.

To address such problems, DHS is developing a road map tracing
information-sharing relationships among the agencies involved, a set
of goals for improving those relationships, and metrics for measuring
improvements. No timetable has been announced, but the plan is
expected later this summer.

The report comes at the request of Congress, which sought these
recommendations following an April 21 GAO report and GAO testimony
on the status of private-sector ISACs and their efforts to help
protect the nation's critical infrastructures.

Such problems aren't new. John Pescatore, VP and research fellow at
Gartner Research, notes that shortly after DHS was formed in November
2002, he recommended that the agency take steps to improve information
sharing, such as having secure E-mail for intraagency communication.  
Almost two years later, he says, it still doesn't have that. Pescatore
says that while the report gives DHS some good marks, it has mostly
dealt with the easiest problems. "They've attacked some low-hanging
fruit," he says. "We really have not seen them develop from separate
organizations into a coordinated agency."
