Jul 27, 2004 (12:07 PM EDT)
Report: Private Sector Too Wary Of Sharing Security Information

Read the Original Article at InformationWeek

The Department of Homeland Security and private industry aren't doing enough to exchange information related to threats to critical infrastructure such as IT and telecom networks, the banking system, or the food supply, a report issued Tuesday finds.

A Government Accountability Office report offers recommendations to the Department of Homeland Security to improve the protection of national critical infrastructures in 13 sectors. GAO, the research arm of Congress formerly known as the General Accounting Office, suggests developing a plan for information sharing that more clearly describes the responsibilities of DHS and of private-sector information-sharing centers, which were created to pool data on the threats and vulnerabilities most relevant to each critical industry. The report also calls for establishing policies and procedures for agency interaction and the coordination of information sharing.

"Sharing information between the federal government and the private sector on incidents, threats, and vulnerabilities continues to be a challenge," the report says.

The report notes that the private sector's approach of collecting data through information-sharing and analysis centers, or ISACs, isn't working because companies fear the data will become public. "Much of the reluctance by ISACs to share information has focused on concerns over potential government release of that information under the Freedom of Information Act, antitrust issues resulting from information sharing within an industry, and liability for the entity that discloses the information," the report says.

To address such problems, DHS is developing a road map tracing information-sharing relationships among the agencies involved, a set of goals for improving those relationships, and metrics for measuring improvements. No timetable has been announced, but the plan is expected later this summer.

The report comes at the request of Congress, which sought these recommendations following an April 21 GAO report and GAO testimony on the status of private-sector ISACs and their efforts to help protect the nation's critical infrastructures.

Such problems aren't new. John Pescatore, VP and research fellow at Gartner Research, notes that shortly after DHS was formed in November 2002, he recommended that the agency take steps to improve information sharing, such as having secure E-mail for intra-agency communication. Almost two years later, he says, it still doesn't have that. Pescatore says that while the report gives DHS some good marks, it has mostly dealt with the easiest problems. "They've attacked some low-hanging fruit," he says. "We really have not seen them develop from separate organizations into a coordinated agency."