Report: Private Sector Too Wary Of Sharing Security Information
The Department of Homeland Security and private industry aren't doing enough to share information related to protecting critical infrastructure.
The Department of Homeland Security and private industry aren't doing enough to exchange information related to threats to critical infrastructure such as IT and telecom networks, the banking system, or the food supply, a report issued Tuesday finds.
A Government Accountability Office report offers recommendations to the Department of Homeland Security to improve the protection of national critical infrastructures in 13 sectors. GAO, the research arm of Congress formerly known as the General Accounting Office, suggests developing a plan for information sharing that more clearly describes the responsibilities of DHS and of private-sector information-sharing centers, which were created to pool data on the threats and vulnerabilities most relevant to each critical industry. The report also calls for establishing policies and procedures for agency interaction and the coordination of information sharing.
"Sharing information between the federal government and the private sector on incidents, threats, and vulnerabilities continues to be a challenge," the report says.
The report notes that the private sector's approach of collecting data through information-sharing and analysis centers, or ISACs, isn't working because companies fear the data will become public. "Much of the reluctance by ISACs to share information has focused on concerns over potential government release of that information under the Freedom of Information Act, antitrust issues resulting from information sharing within an industry, and liability for the entity that discloses the information," the report says.
To address such problems, DHS is developing a road map tracing information-sharing relationships among the agencies involved, a set of goals for improving those relationships, and metrics for measuring improvements. No timetable has been announced, but the plan is expected later this summer.
The report comes at the request of Congress, which sought these recommendations following an April 21 GAO report and GAO testimony on the status of private-sector ISACs and their efforts to help protect the nation's critical infrastructures.
Such problems aren't new. John Pescatore, VP and research fellow at Gartner Research, notes that shortly after DHS was formed in November 2002, he recommended that the agency take steps to improve information sharing, such as having secure E-mail for intraagency communication. Almost two years later, he says, it still doesn't have that. Pescatore says that while the report gives DHS some good marks, it has mostly dealt with the easiest problems. "They've attacked some low-hanging fruit," he says. "We really have not seen them develop from separate organizations into a coordinated agency."