The Cyber Security Early Warning task force, which includes representatives from businesses, trade groups, and academia, has issued its first set of recommendations. First is a call for the creation of an Early Warning Alert Network (EWAN) that would work with existing public-private information-sharing organizations to establish "trust communities" across industry sectors that would receive critical alerts on vulnerabilities, attacks, and exploits.
Funded both by the Department of Homeland Security (DHS) and stakeholders, EWAN would look to create a "network of early-warning networks" by involving a wide variety of players, from critical infrastructure information sharing and analysis centers (ISACs) and the FBI's InfraGard program to the DHS's US-CERT.
The task force, formed at last year's National Cyber Security Summit, has as its mission finding better ways to share, integrate, and disseminate cybersecurity threat information. EWAN is not meant to replace existing information-sharing groups, says Greg Garcia, vice president for the Information Technology Association of America (ITAA), an IT trade association that serves as secretariat of the task force. "There aren't any systems in place that tie all existing ones together," he says. EWAN will answer the question of how to get such information disseminated quickly to a wide group of trusted users.
While the task force hopes to begin beta testing of the alert network in October, with a proposed launch date of December 3, the first anniversary of the summit, these dates are "best case scenarios," says Garcia.
The task force also envisions a National Crisis Coordination Center (NCCC), "a single physical center that pulls together public and private sector constituencies for full crisis prevention and response coordination," complete with backup power, a hot site, and a full-time staff assigned for tours of duty by members of each critical infrastructure and government sector.
Garcia says NCCC would be "a cross-disciplinary organization in which, working side by side, were representatives from intelligence agencies, law enforcement agencies, the private sector, academia, all working together in a collaborative environment" that focuses on a host of cyber and physical security issues.
Garcia says that the goal is to "establish rapport and trust among those who can bring a better perspective, an integrating perspective between industry, law enforcement, and the intelligence agencies."
Recognizing that the NCCC is "a recommendation of substantial complexity, both substantively and organizationally," the task force admits that implementation "will take some time." It urges Congress to deliberate the concept this year and next "to result in a workable concept, either through authorizing legislation for funding and/or executive order."
Despite good intentions, the task force's recommendations will likely run up against the same problems that have plagued numerous similar ventures, including the ISACs, says Mike Higgins, managing director of Tekmark Global Solutions, a managed security services provider.
Chief among those is the private sector's fear of sharing its sensitive information with the government. "There needs to be some reason why private companies would participate and would pass information willingly to the government," says Higgins, whose background includes building computer incident response teams for the Department of Defense.
Higgins says that concerns about the Freedom of Information Act (FOIA) have still not been adequately resolved, despite years of efforts. Of FOIA Higgins says, "There are so many holes still drilled in it that you can't guarantee that the information won't get public in some shape or fashion." Garcia agrees that lack of trust has traditionally been a hindrance to information-sharing between the public and private sectors, but argues that the need to build trust points to the need for an organization like the NCCC.
The NCCC idea has received "uniformly positive" responses from Capitol Hill and some executive-branch agencies, but the task force members recognize that the devil is in the details, says Garcia. Should those details be thoroughly exorcised, in time NCCC could fill a valuable function. As Mike Higgins points out, the most successful information-sharing ventures are built on personal relationships, where the participants are "down in the gutter doing these incidents together, working together, passing information on existing vulnerabilities," because they have established mutual trust.
@ Details of the task force's recommendations are at SM Online.