Three Years After 9/11, U.S.

Security Partnerships With Industry Are a Work in Progress

CQ HOMELAND SECURITY TRANSPORTATION & INFRASTRUCTURE

By Martin Edwin Andersen and Tim Starks, CQ Staff July 28, 2004 Just a few hours after bombs ripped through four commuter trains in Madrid last March, analysts at the Surface Transportation Information Sharing and Analysis Center (ST-ISAC) in Herndon, Va., issued a special bulletin to the rail industry and key contacts in other vital infrastructure sectors. That first report, sent out at 5:30 a.m. EST less than four hours after the first bomb exploded at 7:39 a.m. in Madrid (1:39 a.m. EST) put the emerging details of the Madrid attack in the context of the ISACs detailed knowledge of U.S. railroad assets, their vulnerabilities and their potential risk. In a following report, ST-ISAC analysts, working with security professionals from the Federal Railroad Administration, the Federal Transit Administration and analysts from the Transportation Security Administrations operations center two blocks away, assessed how the different constructions of the Spanish rail cars and the U.S. version would affect the explosion. Our trains, our cars, are much more solid, noted Paul Wolfe, vice president of Information and Infrastructure Technologies, the Herndon firm that runs three ISACs, including the ST-ISAC, which is operated on behalf of the Association of American Railroads (AAR). American rail cars, Wolfe explained, have blow-out windows. But what does that do? You can be assured that within that car in the U.S., its more contained, whatever happens, Wolfe said, but the people on it, in that car, are probably less likely to survive than if the explosion rips the whole car apart. But the adjacent cars, theyre probably more protected. Those kinds of facts, Wolfe and ISAC representatives say, are what help set ISAC analyses apart from what the information industries might expect from the federal government. As a result, the still-evolving relationship between the ISACs and their partners in the federal government particularly within the Department of Homeland Securitys Information Analysis and Infrastructure Protection Directorate (IAIP) reveals a glass half full/glass half empty dichotomy between private sector analysts and government officials. The officials, of course, are in the half-full camp. Not a lot of industry analysts see it that way. Honest Discussions Peter Allor, director of operations for the Information Technology ISAC, said in a telephone interview that in the past year, weve had some honest discussions with IAIP and . . . were learning about each other.
1

Its not an easy process, he said. But at least were discussing it. Private sector analysts praise IAIP for providing the financial resources that some ISAC officials say they need to start up or improve their operations. And they single out Bob Liscouski, DHS assistant secretary for infrastructure protection, for playing a key role in making those funds available. IAIP has also promoted inter-ISAC communications by bringing disparate sectors of the economy together under one roof to talk about common problems, providing essential tools for their successful operation. These tools include US-CERT, which coordinates threat warnings and incident response information essential to protect the nations cybersecurity, and the Homeland Security Information Network, which shares terror-related law enforcement information among local, state and federal agencies. New DHS regulations that seek to shield vital private sector communications on critical infrastructure from misuse or public exposure have also won praise from some industry professionals in principle, if not in their implementation. IAIPs Infrastructure Coordination Division, responsible for protecting proprietary business information, also tracks the receipt and validation of critical infrastructure information, while protecting it against unauthorized disclosure or destruction. And DHS-run tabletop exercises conducted successfully with the Financial Services ISAC and the U.S. Secret Services Electronic Crimes Unit, have been praised by participants as some of the best homeland security drills available, in part because they have been developed with industry participation. In a telephone interview, Suzanne Gorman, who is both chairwoman of the ISAC Council an association of 11 major ISACs and head of the Financial Services ISAC, praised Liscouski for arranging similar training sessions for the chemical, telecommunications and electricity ISACs later this year. Senior and mid-level ISAC personnel, meanwhile, say there has been, in the words of one, good success in getting people to collaborate at the tactical level to produce working analyses. Something for Nothing Private sector officials also say they understand that some of the lingering issues that raise concerns about IAIPs effectiveness are not of the directorates making. IAIP, Allor said, is doing a lot of things despite still being short-staffed . . . creating the new, from nothing. Part of the problem is that, unlike other DHS components, relatively few of what in private sector parlance would be called turn-key operations migrated from pre-DHS legacy agencies to IAIP.
2

A recent survey of IAIP conducted by the DHS inspector generals office noted that, when the department opened its doors on March 1, 2003, the directorate inherited only five legacy elements. One of those was the FBIs National Infrastructure Protection Center (NIPC), a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response office described by a former director as what the private sector was demanding one-stop shopping from the government. The IG report, released publicly in redacted form, noted that personnel shortages also had inhibit[ed] the IAIP integration process. Of 499 full-time equivalent (FTE) positions that the directorate inherited from DHS legacy agencies, only 174 were filled by personnel who actually left their . . . agency and made the transition to IAIP. As many as 325 positions were left vacant during IAIPs first six months in operation. The element that contributed the most to this personnel shortage was the NIPC, the IG office added. When NIPC transferred into IAIP, personnel who actually left the FBI filled only 18 of the 307 FTEs targeted for transfer, the IG said. The other 289 were vacant. It was only last month that the White House Office of Personnel Management granted IAIP the ability to hire 490 full-time employees in intelligence-related positions. Like DHS Liscouski and several ISAC practitioners interviewed for this series, Ron Dick, a former NIPC director and an ex-FBI deputy assistant director for counterterrorism, emphasized in a telephone interview that, to make the public-private partnerships work, the key word is trust. Dick, who now works for Computer Sciences Corp., said the NIPC had developed trusted relationships with the ISACs representing the oil, gas and water sectors, such that we had fairly open lines of communication when the Sept. 11 terrorist attacks put new pressure on them to work together to share information about specific threats. The trust relationship between the ISACs and DHS, however, is still a work in progress, Dick and others agree. In part, private sector appraisals about the positive contributions made by the federal government generally, and DHS and IAIP more specifically, appear weighed down by a cultural chasm that still separates the public from the private rhetoric about partnerships notwithstanding. Efficient and effective processes for sharing both critical infrastructure and security information must address the flow of information within an ISAC, among individual ISACs and between ISACs and government agencies, said a white paper released last May by the ISAC Council. The processes must ensure that the information is available to the appropriate people, while providing reasonable assurance that the information cannot be used for malicious purposes and is not indiscriminately re-distributed so as to become essentially public information, the paper added.
3

The ultimate effectiveness of these processes will be determined by the trust relationships that are established among the organizations participating in the information sharing. The Financial Services ISAC, one of the most successful of the private sector enterprises, is at the same time emblematic of the still-embryonic ISAC-DHS trust relationship. Fear and Loathing Ron Moritz, a founding member of the IT-ISAC and a senior vice president with Computer Associates International, noted that the financial services sector had been sharing information very, very well for years . . . under a format that was initially very exclusive now its more open called the I-4. According to Moritz, It was an opportunity for security executives from various financial services organizations to come together in a room with the door closed, with no media and no vendors the idea that what happens in Vegas stays in Vegas to share the challenges that they faced together with all of the other banks in a non-competitive, non-threatening way. That is something we are looking at as a great model for information sharing that were trying to replicate as we create a broader set of players and we bring in multiple industries that are part of the critical infrastructure, Moritz added. Just how much of what happens in Vegas still stays in Vegas in the Financial Services ISAC, and how the federal government is still held at arms length, is reflected in the organizations Web site, which states plainly, No US Government agency, regulator or law enforcement agency may access the FS-ISAC. Gorman, the FS-ISAC chairwoman, said that even though the Treasury Department recently awarded the ISAC $2 million to enhance its operations, the private sector entity was granting the department access to only a small part of the database, allowing it to see how many incidents have been submitted, what was the turnaround time to get notification out, those kinds of things. Gorman and others in the ISAC community say that even as prior relationships with non-DHS departments and agencies remain strong, the trust problem with DHS is sometimes compounded by a lack of effective communication. I think that sometimes [the ISACs concerns do not] bubble up to the top, and thats probably the biggest flaw at DHS and at the White House, Gorman said. I think what we say sometimes falls on deaf ears. With an administration that friend and foe alike generally characterize as business-friendly, some of the criticisms might appear startling. According to one senior ISAC official, one of several ISAC leaders to give voice to a common complaint, Liscouski recently told an ISAC Council meeting that it would be his way or the highway. He was the one who came out with the comment: If I give you money, I own your data, the official said. To me, thats not being a team player.
4

After Liscouskis comments, said another senior ISAC practitioner, who asked not to be identified because well pay a price for that, the private sectors response was, OK, then I guess were not going to put private, sensitive proprietary information on your networks. One immediate result, this official and third senior ISAC source said, was that when the ISACs began a weekly teleconference call focusing on physical infrastructure issues two months ago, mirroring a daily cyber teleconference to which DHS is already invited, the department was not asked to participate. It was a conscious decision because we wanted to have a free exchange of information and not be worried that anything we said was going to be, without restriction, promulgated through [whatever means] the government wanted, one participant added. Two lower-level ISAC employees also complained about being asked by DHS managers to provide information their ISACs leadership had clearly conveyed was not to be shared with the government. They put it like, Whose side are you on? recalled one analyst. Low Clearance An allegedly lopsided exchange of information with the private sector supposedly offering the government far more than it receives and the slowness with which ISAC employees receive the security clearances needed to operate are also frequently heard complaints. The time necessary to obtain a clearance is also an impediment for state, local and private sector personnel, the DHS inspector generals report noted. The delay affects both the general distribution of threat information and the actual participation of . . . private sector . . . personnel on IAIP analytical teams or in the Homeland Security Operations Center. Although the daily inter-ISAC teleconference on cybersecurity, in which up to nine ISACs participate, is a very good thing, according to one participant, whose version was corroborated by a second participating source, we normally dont get anything out of the government. We are very unhappy with that. The complaints about the type and volume of information the ISACs receive from the federal government, as well as the question of security clearances, which goes beyond DHS, are clearly debatable. I think you have some cross currents running here, said Rep. Porter J. Goss, R-Fla., chairman of the House Permanent Select Committee on Intelligence. Theres got to be information sharing, Goss said in a telephone interview. On the other hand, its how the information is presented, what form, how securely, for what kind of communications. Then there is the whole question of protecting sources and methods. Liscouski, a former director of information assurance for Coca-Cola, says that perspectives on the state of IAIPs partnership with the ISACs are, to a large degree, the result of honest and understandable differences.
5

Where we stand depends upon where we sit, he said. Still, the comments attributed to him in a negative light by others at the ISAC Council meeting, Liscouski said, come from those more established ISACs, the older ones [which] . . . might be more oriented with looking out for the industry, but not protecting the actual assets. Liscouski asserted that it is a fundamental truism . . . in contracting processes, that if the federal government is funding a contractor to support a given entity if we provide money for the ISACs to operate themselves . . . the government effectively owns those systems. What they didnt realize is that the government owns the information to begin with because it was resident on government systems . . . but we have never abused that, and we put the right contract systems in place to protect that information, he said. Although IAIP was always getting requests for the private sector for money to start up their ISACs, Liscouski said, instead of funding each ISAC with hundreds of thousands, or millions, of dollars, DHS approach was how we, as a government, provide a baseline level of communications and storage capability that satisfies the private sectors demand for privacy and communications, but [also] satisfies the governments responsibility to ensure that we are spending the taxpayers money in a way that were not paying for the same thing, 13 times over. The latest IAIP initiative, which Liscouski termed a tremendously good news story, is the creation of the National Infrastructure Coordination Center in Herndon, Va., where ISACs will literally actually have a seat at the table so they can collaborate in a real-time environment or provide connectivity. Well provide them with the ability to collaborate in our space and we will work with them side by side . . . to solve problems, Liscouski explained. Its never been done before. Mick Andersen can be reached via anacasti@aol.com Tim Starks can be reached via tstarks@cq.com Source: CQ Homeland Security 2004 Congressional Quarterly Inc. All Rights Reserved