With a handful of exceptions, state intelligence fusion centers have failed as yet to enlist private sector owner-operators of critical infrastructure, due mainly to a “lack of appreciation” of the information they could provide, failure to prioritize infrastructures based on risk, and the absence of detailed federal guidelines on how fusion centers can incorporate private sector data. That’s according to a report from the Congressional Research Service, Capitol Hill’s public policy research office.
“Very few of the state and regional fusion centers have an infrastructure sector representative detailed to their organization,” states the report, which does not name states and sources. It goes on to say that to get information about threats to critical infrastructure facilities, the states rely in part on open-source information and on data provided by the federal government or from contracted data vendors.
The authors, however, acknowledge that the greatest obstacle to robust information sharing by private sector entities is a reluctance on the part of business to share information because of a concern over the security of sensitive information about the companies and their customers.
The report suggests that state and regional fusion centers might do best to engage industry-based information sharing and analysis centers (ISACs), which already gather the information from member companies and serve as nodes connecting industry stakeholders to each other and to the federal government.
John Sabo, of CA Inc., president of the IT-ISAC and chairman of the ISAC Council, says critical infrastructure leaders see the nation’s growing network of fusion centers as a work in progress, as is the country’s new National Infrastructure Protection Plan, which itself calls for enhanced public-private information sharing.
“The CRS report recognized the fact that we have a whole new model of protection for critical infrastructure, and we still haven’t come to terms with how that model’s going to function,” Sabo says.
As for information sharing between fusion centers and ISACs, Sabo says that among stakeholders there is a potentially “daunting” volume of data to be shared—ranging from raw, unanalyzed information to refined intelligence—and a manageable, scalable framework must be created before formal sharing can occur.
The CRS report recognizes these challenges and suggests the need for a national strategy focused on the goal of full fusion center and private-sector sharing of information.
While CRS did not name any standout successes or failures, states publicly acknowledged as leaders in private sector engagement include Georgia, Illinois, and Washington. And they are doing it the old fashioned way—by meeting face to face with their counterparts toward the critical goal of establishing trust.
The Illinois Infrastructure Security Alliance (ISA) seeks to engage private-sector participants—more than 70 companies—by linking them to the Statewide Terrorism and Intelligence Center (STIC) via the Homeland Security Information Network (HSIN.) ISA’s program manager, Edie Casella, engages the private sector through professional associations like ASIS International. (See “The New Need to Know,” September).
Casella says that public- and private-sector leaders in Illinois took a simple, but significant, step by formalizing their initiative and giving it a name. Further, her own personal background as a retired state trooper and current member of the private sector engenders trust in her often-wary audience, she says.
Washington State has benefited from the leadership of two of the country’s biggest companies, Microsoft, headquartered in Redmond, and Boeing, which manufactures airliners at its plant in Everett.