Feds ink deal for info sharing with states

NASCIO

The federal government will begin exchanging information with state chief information officers about potential cyberattacks and other security threats under a deal signed last week by federal and state organizations.

The memorandum of understanding between the federal government's National Infrastructure Protection Center (NIPC) and the National Association of State CIOs formalizes the information sharing that already occurs on a state-by-state basis. According to the agreement, states will receive quick notification of general and specific warnings about cyber and physical threats, NASCIO officials said.

The agreement also is the first step toward forming an Interstate Information Sharing and Analysis Center (ISAC) that would help both the federal and state government anticipate and respond to security threats.

The NIPC, an interagency group based within the FBI, works closely with many public and private organizations to issue alerts on infrastructure threats. Those alerts will usually contain details about the threats and how to prevent, respond to or recover from specific attacks.

Government officials and security experts say the agreement marks the beginning of much needed cooperation between federal and state governments.

States need to take a more aggressive approach to heading off security problems, according to a NASCIO report issued last week called "Public-Sector Information Security: A Call to Action for Public-Sector CIOs."

Without intergovernmental cooperation, "it would be hard to implement fully this 'call to action,' " said Don Heiman, former Kansas CIO, who wrote the report. "What you're really doing is you're creating that tight linkage between the states and the feds."

States interested in receiving NIPC alerts will sign agreements with NASCIO, said Rock Regan, CIO of Connecticut and NASCIO president. "I think we're going to get virtually every state. Every member will probably sign up," he said. "This really formalizes a better process to make sure we're getting information on these alerts."

As part of its call to action, NASCIO also endorsed the ISAC concept. With the federal government's encouragement, several industries, including the financial and agricultural sectors, have set up ISACs to share information internally and with other organizations.

An Interstate ISAC would make it possible to pool and analyze security information across states, providing more data for security experts that might reveal security problems. "There's a lot of information that we all capture on a daily basis...but there's not a great deal of sharing between the states," Regan said.

The Interstate ISAC could also help federal cybersecurity efforts. States oversee networks that attackers often probe, so they could be a valuable source of information about security threats. For example, many of the computer viruses and worms that caused so much damage in 2000 started in part because of malicious code planted on university systems.

Providing information on the threats at the state level is critical to the overall goal of the ISACs, said Shannon Kellogg, vice president of information security programs at the Information Technology Association of America. "The states have a very important role to play," he said.

NASCIO is developing the ISAC proposal and talking with several federal agencies to get support, be it money, people or other resources, Regan said. "We're looking for some help, particularly to get it started," he said.

The ISAC is expected to be self-supporting, with states signing up to participate on a subscription basis. The NASCIO executive committee is working to get support from the states and expects to put out a request for proposals before the end of the year for one of the many private-sector companies to provide the center's support staff, Regan said.

NASCIO's decision to use a contractor to support its ISAC is wise because so many other ISACs are already up and running, Kellogg said. Industry has a great deal of expertise in collecting and analyzing threat and attack information for this purpose, and states can benefit from industry's experience, he said.

***

Share and share alike

One expected offshoot of last week's agreement between the National Association of State Chief Information Officers and the National Infrastructure Protection Center is the creation of an Interstate Information Sharing and Analysis Center (ISAC).

President Clinton first urged the creation of sector-specific ISACs in May 1998 when he issued Presidential Decision Directive 63, which requires federal agencies to secure the information and physical systems that support the nation's critical infrastructure, such as banking and transportation. The Bush administration has continued to support the formation of ISACs to cooperate with the Critical Infrastructure Protection Board, created by executive order in October 2001.