Protecting the Nation

By Stacey McDaniel

Information sharing among government agencies and the private sector has emerged as one of the most critical challenges of the post 9/11 era. A key element of this challenge is that while the federal government is expected to keep the U.S. secure, the overwhelming majority (85 to 90%) of the nation's critical infrastructure is not controlled by the federal government, but is privately held.

In structuring its strategy for security the national critical infrastructure, the Department of Homeland Security (DHS) has been designated as the lead agency and is charged with finding ways to improve information sharing while the IT systems that control the critical infrastructure -- such as telecommunications networks, the electrical power grid, oil pipelines, and water treatment plants -- remain protected from cyber threats.

In early 2005, the Government Accountability Office (GAO) published a report that criticized the DHS for not doing enough to reach out to the private sector. The report asserted that many organizations responsible for the nation's critical infrastructure "are either unaware of key areas of cyber security risks or unprepared to effectively address cyber emergencies. Further, DHS continues to have difficulties in developing partnerships -- as called for in federal policy -- with other federal agencies, state and local governments, and [the] private sector."

Recognizing the vulnerabilities

While information sharing is necessary for critical infrastructure protection, it may also leave participants more vulnerable to cyber attacks. In order to effectively protect the infrastructure, government agencies and private firms must work together, sharing intelligence and technology while simultaneously increasing awareness. According to Andy Purdy, director of the DHS National Cyber Security Division, "DHS has been pushing for more strategic sharing between the public and private sector," he said. "The challenge is for government agencies and private companies to understand the broader purpose and find a way to make it easier to share analysis on malicious activity. We need to keep working together on this and be thinking ahead on how to deal with potential disasters, including cyber disasters."

Former DHS Secretary Tom Ridge has expressed similar concerns. He said Sept. 11 didn't make the nation more vulnerable. "It just exposed us to the fact that we are vulnerable," he said. Since the attacks, the challenge for the public and private sectors has been to manage risk and have appropriate and effective security without interfering with normal day-to-day operations.

While the government has been focused on homeland security for the last few years, Ridge said, "the critical mass of intellect on best practices and solutions is in the private sector, and without a partnership with the private sector the government's mission can't be effective."

The fact that the private sector has a leg up on government agencies when it comes to addressing information security isn't going unnoticed. Before the government can expect the private sector to fully cooperate and share valuable IT information and assets, each agency should be able to demonstrate a secure, resilient infrastructure of its own. By combining the right technologies, processes, and policies, agencies can dramatically reduce the risk of unexpected disruptions, increase their ability to maintain continuity of normal business operations, and tightly align IT to changing business goals.

An approach for resiliency

One approach is designed to simultaneously provide for the security and the availability of information. This balanced approach to information availability and information security is one in which information is kept safe, yet is accessible wherever, whenever, and to whomever the organization's needs dictate. It's an approach that can help keep the nation's critical infrastructure IT systems up, running, and growing -- no matter what happens.

So how would this allow government agencies to maximize security and availability? The short answer: by providing them with a resilient infrastructure. A resilient infrastructure recognizes that information security and information availability are much more effective when addressed together instead of separately. This means that IT and security groups within an agency would use the same tools, speak the same language, and work from the same base of information no matter where they are located.

Agencies can build a resilient infrastructure by taking a holistic view of their information environment and following five interrelated, ongoing steps:

1. Establish a baseline by evaluating information and security systems and assets, assessing established procedures against risks, and then setting up goals and policies for the desired levels of availability and security.
2. Identify and analyze threats (internal and external) and then create a prioritized plan to meet them and minimize downtime. "Meet" in this case means both hardening the defenses against the threat and reducing the negative impact a successful attack might have against the organization by optimizing backup and recovery operations.
3. Deploy proactive safeguards against potential threats to ensure resilience. This allows organizations to protect and back up existing assets to recover from disruptions quickly.
4. Remediate all threats and implement a long-term solution to every vulnerability as it arises, including regularly updated patches, revised policies, and new certification standards for compliance.
5. Finally, all security and information management and storage systems must be proactively monitored in order to provide a clear view of the entire infrastructure and respond quickly to any disruptions to the flow of information.

Specifically, a resilient infrastructure combines advanced administration tools -- patch management, provisioning, installation design, license and asset monitoring, backup, recovery, and reporting -- with expertise in early warning systems, intrusion detection, firewall, virus protection, content filtering, compliance assessment, vulnerability assessment, and VPN. This will leave agencies able to better understand, act, and control their environment.

• Understand means knowing what you need to know about your information environment, both inside and outside your organization. It means being aware of electronic threats emerging anywhere in the world before they reach your organization. It's about identifying possible regulatory compliance issues, assessing the effectiveness of security and administration tools, and constantly monitoring the status of hardware, software, information, and other network assets.
• Act is about responding successfully to both vulnerabilities and new business needs. It includes securing devices, applications, and networks against threats before they happen. It also means  taking steps to be sure information is up-to-date, compliant, and restorable.
• Control is about managing information resources to prevent disruptions and minimize downtime. That means provisioning new applications, managing software patches, and taking other steps to keep your enterprise up, running, and growing.

Securing something as precious as our nation's infrastructure requires a serious commitment to security, and it starts with a secure government infrastructure. The DHS is attempting to address this situation by drafting a National Infrastructure Protection Plan that was released in November. After taking comments through December 6, the DHS plans to approve a final version of the NIPP in early 2006.

Regardless of the requirements of the NIPP, comprehensive security of our nation's critical infrastructure will only happen when everyone involved -- from the federal, state, and local governments, to the private enterprises that maintain the critical infrastructure -- assess their own vulnerabilities and employ cutting-edge security solutions. Only then will the environment be suitable for information sharing among public and private entities.

Stacey McDaniel has been writing about high-tech issues for more than six years.