Report: Private Sector Too Wary Of Sharing Security Information
The Department of Homeland Security and private industry aren't doing enough to share information related to protecting critical infrastructure.
The Department of Homeland Security and private industry aren't doing enough to exchange information related to threats to critical infrastructure such as IT and telecom networks, the banking system, or the food supply, a report issued Tuesday finds.
A Government Accountability Office report offers recommendations to the Department of Homeland Security to improve the protection of national critical infrastructures in 13 sectors. GAO, the research arm of Congress formerly known as the General Accounting Office, suggests developing a plan for information sharing that more clearly describes the responsibilities of DHS and of private-sector information-sharing centers, which were created to pool data on the threats and vulnerabilities most relevant to each critical industry. The report also calls for establishing policies and procedures for agency interaction and the coordination of information sharing.
"Sharing information between the federal government and the private sector on incidents, threats, and vulnerabilities continues to be a challenge," the report says.
The report notes that the private sector's approach of collecting data through information-sharing and analysis centers, or ISACs, isn't working because companies fear the data will become public. "Much of the reluctance by ISACs to share information has focused on concerns over potential government release of that information under the Freedom of Information Act, antitrust issues resulting from information sharing within an industry, and liability for the entity that discloses the information," the report says.
To address such problems, DHS is developing a road map tracing information-sharing relationships among the agencies involved, a set of goals for improving those relationships, and metrics for measuring improvements. No timetable has been announced, but the plan is expected later this summer.
The report comes at the request of Congress, which sought these recommendations following an April 21 GAO report and GAO testimony on the status of private-sector ISACs and their efforts to help protect the nation's critical infrastructures.
Such problems aren't new. John Pescatore, VP and research fellow at Gartner Research, notes that shortly after DHS was formed in November 2002, he recommended that the agency take steps to improve information sharing, such as having secure E-mail for intraagency communication. Almost two years later, he says, it still doesn't have that. Pescatore says that while the report gives DHS some good marks, it has mostly dealt with the easiest problems. "They've attacked some low-hanging fruit," he says. "We really have not seen them develop from separate organizations into a coordinated agency."