In early 2008, President Bush signed National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23) formalizing the Comprehensive National Cybersecurity Initiative (CNCI). This initiative created a series of classified programs with a total budget of approximately $30 billion. Many of these programs remain secret and their activities are largely unknown to the public. Forbes reported in April 2008 that “Bush’s cyber initiative will spend as much as $30 billion to create a new monitoring system for all federal networks, a combined project of the DHS, the NSA and the Office of the Director of National Intelligence. The data-sharing plan would offer information gathered by that massive monitoring system to the private sector in exchange for their own knowledge of cyber intrusions and spyware.”
One of the main programs in this largely secret initiative is an effort to encourage information sharing between the public and private sector called “Project 12”. According to a March 2008 article in Newsweek, “a group of unnamed private sector executives representing industries including banking, telecommunications and energy have been meeting with the DHS to find ways to more efficiently swap data on cyber intrusions and digital espionage. The DHS wouldn’t share any details of the classified meetings, known as Project 12, which began in February and are scheduled to continue through May. But the goal of the conferences, according to one former government official, is to build a better system for sharing classified cyber-threat data with private companies.”
Public Intelligence has recently acquired the key report from the Project 12 meetings: Improving Protection of Privately Owned Critical Network Infrastructure Through Public-Private Partnerships. This 35-page, For Official Use Only report is a guide to creating public-private partnerships that facilitate the implementation of “actionable recommendations that [reflect] the reality of shared responsibility between the public and private sectors with respect to securing the nation’s cyber assets, networks, systems, and functions.”
Using the National Infrastructure Protection Plan (NIPP) as a guide, the report recommends that critical infrastructure and key resources (CIKR) be brought into federal cybersecurity efforts through a variety of means. The promotion of public-private partnerships that legalize and facilitate the flow of information between federal entities and private sector critical infrastructure, such as telecommunications and transportation, is highly stressed. These partnerships have been the subject of recent promotion by entities like the quasi-governmental, CIA-connected Business Executives for National Security.
The ultimate goal of these partnerships is not simply to increase the flow of “threat information” from government agencies to private industry, but to facilitate greater “information sharing” between those companies and the federal government. In fact, one of the stated goals of the Department of Homeland Security in the Project 12 report is to achieve “real-time cyber situational awareness” across all eighteen CIKR sectors:
The distributed and complex nature of the decision-making environment for CIKR cybersecurity makes development of common real-time situational awareness a logistically and financially daunting task. Many sectors have thousands of institutions, all with competing business models, differing perceptions of customer service, and varying trust relationships. A single picture would have to accommodate such realities - multiplied across all 18 sectors - and would have to be built upon an architecture capable of handling massive amounts of information at the high speeds required for real-time awareness. Designated industry representatives would have to be selected to represent their sectors as a whole and would have to be trusted to uphold security markings and classifications, answering to the U.S. Government as well as to the company that employs them. The cost of scoping and building a tool that meets the requirements for cyber real-time situational awareness is likely to be significant and would be a high-risk investment of Federal funding. Before making that investment, the U.S. Government and its information sharing security partners must define a clear scope and mission for the development of common situational awareness and should evaluate a variety of interim or simplified solutions.
In order to facilitate this sort of “real-time” awareness, the report states that government resources must be co-located with private industry, either virtually or physically, to help monitor security:
As experts and advisors have noted in previous studies - such as the Early Warning Task Force of the 2003 National Cybersecurity Summit and the President’s National Security Telecommunications Advisory Committee in 2006 - the pervasive nature of cyber infrastructure throughout the 18 CIKR sectors creates the need for co-location (either within a virtual or physical environment) of industry and government resources into a single expanded US-CERT/NCC operation center.
The physical or virtual operations center would allow the CIKR sectors and sub-sectors to volunteer operational subject matter experts to coordinate with each other and the U.S. Government on a variety of cross-sector cyber incident-related efforts. A fundamental goal of the co-location would be to collect and analyze cyber-related information and then escalate that analysis through appropriate channels. Co-location would integrate the analysis generated by industry participants, government partners, US-CERT, and NCC staff and would allow such information and analysis to be compared with results from commercially available services, CIKR-provided information, and information sources. This information would provide an important source of data for fusion in the National Cybersecurity Center (NCSC). It also would provide the needed vehicle for CIKR input into National Cyber Response Coordination Group (NCRCG) decision-making process. Physical or virtual co-location would maximize the U.S. Government’s investment in network protection by facilitating collaborative analysis and coordinated protective and response measures and by creating a feedback loop to increase value for private-sector and government participants. Another key outcome would be stronger institutional and personal trust relationships among security practitioners across multiple communities.
Another goal that is defined in the report concerns the development of Information Sharing and Analysis Centers (ISACs), commonly referred to as fusion centers, for each sector of critical infrastructure. In fact, the report states that eight CIKR sectors already have a functioning ISAC:
Under the NIPP, each sector was to designate an operational information sharing arm. Some CIKR Sectors rely on ISACs, while others rely on ISOs or other established processes designed specifically for a sector or company for the immediate exchange of operational information. Among the CIKR sectors and sub-sectors, eight have functioning ISACs - Communications, Information Technology, Financial Services, Electricity, Water, Emergency Response, Public Transit, and Surface Transportation (rail) - operating at varying levels of maturity and with differing focus on cyber versus physical security issues. Other sectors have additional mature operational cyber information sharing mechanisms or have designated distinct ISOs to analyze and disseminate threat and vulnerability information throughout the sector. The U.S. Government should continue to recognize and use these entities for cyber information sharing and collaborative analysis on behalf of their respective sectors.
Project 12 participants have reportedly been meeting as recently as January 2009 to map the progress of the report’s recommendations. It is unknown to what extent these recommendations have been implemented.