With its new Cyber Warning and Information Network, the Department of Homeland Security finally may have hit on the right model to ensure that the private sector shares cyberattack information with the feds—by getting information from security providers instead of the victims.
First proposed in 2001 by former cybersecurity czar Richard Clarke, the program provides an information collection and dissemination network for government agencies and private-sector information security companies that clean up after cyberattacks. When a security breach occurs, network members have agreed to report the details to the network (run by DHS), which in turn would use e-mail and a telephone hotline to alert others that may be at risk. It all comes at a good time because attacks are on the rise. According to one network member, vendor Internet Security Systems, the number of serious security threats will more than double this year compared with last.
As outlined by the Bush administration, the network differs from previous initiatives in that it doesn’t depend on victims to notify the government of an attack. As such, says Alan Paller, research director with the SANS Institute, it avoids a major shortcoming of earlier efforts at cooperation that relied on companies to volunteer information. Officials, instead, obtain information about security breaches from the security service providers most large companies have on contract. As a model, think of the Centers for Disease Control and Prevention, which collects health information from doctors, rather than patients. The network is already live, says DHS spokesman David Ray, and was used to exchange information during the Northeast blackouts in August.
Right now, says Peter Allor, manager of X-Force Threat Intelligence Services with Internet Security Systems, the government is choosing which vendors get to join—a factor, he says, of the high cost for DHS to connect new members to a private network that is not connected to the Internet. Unfortunately, because end-user companies don’t participate in the service directly, CIOs will be able to benefit from it only if their security providers are members—for now leaving CIOs whose providers are not part of the system out in the cold when a serious attack occurs. Meanwhile, CIOs who have contracts with an approved network member need to make sure that their contracts include language that allows the contractor to report any security breaches that occur.