
Heightened Focus on Security and Information-Sharing Strategies

Information technology, particularly the Internet and data networking technologies, is playing a critical role in U.S. Homeland Security efforts.
By Matthew McKenzie

Article Summary
Information technology plays a critical role in Homeland Security efforts in the United States. Within the U.S. government, the Internet and data networking technologies are helping the Department of Homeland Security to unify a variety of agencies and departments within a single IT infrastructure. In the public sector, these technologies have enabled public safety agencies to share information, to communicate, and to respond to emergencies more effectively. And in the private sector, firms are using the same technologies, combined with the latest network security tools, to monitor and safeguard critical U.S. infrastructure against unauthorized access or attack.


Background
Information technology has long played a role in the defense and public safety sectors of the United States. Organizations from the Central Intelligence Agency to local police departments depend on computer systems and databases to manage records, communicate via e-mail, and share information. In the private sector, information security has grown into a billion-dollar industry as more firms recognize the potential financial consequences of an attack on—or the disruption of—their IT systems and intellectual property.


A National Wake-Up Call
Today's emphasis on homeland security, however, has increased the need for better networking. In the wake of the September 11 attacks, for example, investigators discovered that information about the hijackers' activities was available in a variety of federal, state, local, and even private-sector databases—yet there was no way to correlate the data or even to share it effectively. Furthermore, security experts warn that hostile groups could exploit network security flaws to inflict financial or possibly material damage without even having a physical presence in the United States.


Just as it has in the past, information technology can help both the public and private sectors manage network security risks. In some cases, this means using the Internet and networking technology to link disparate IT systems, facilitate the flow of critical information, and allow public safety personnel to communicate more effectively. In others, it means using the latest network security technology to protect IT systems from attack, including the systems that manage and maintain much of the nation's critical physical infrastructure.




One Organization with One Mission
The U.S. Department of Homeland Security (DHS) represents the largest government reorganization since the 1940s, involving 22 agencies and more than 170,000 employees. Many agencies that will be merged into the DHS have existed independently for decades, and all of them have developed independent, often incompatible, computer systems, networks, databases, and other IT systems.


Folding this patchwork into a single, interoperable IT infrastructure will be one of the Department's top priorities—and also one of its most difficult. "The DHS is currently doing a complete IT inventory," says Dean Rogers, senior alliance manager for Homeland Security at Cisco Systems. "They have already identified 2,500 critical systems, and they're only 40% through the process." The ability of the DHS to network these systems effectively, Rogers says, could play a major role in determining the organization's long-term effectiveness.


According to Chris Miller, a technical advisor to the Homeland Security group at Cisco, the benefits of a single, standard network infrastructure extend beyond technology. "The DHS leadership has to make sure these agencies feel like they're one organization with one mission," he says. "Communication is a huge part of that process—having a common infrastructure, such as a single e-mail system or Web portals, that reinforces the idea that each group's mission is aligned with the organization as a whole." Without this sort of cultural reinforcement, many agencies could retain a "silo" mentality, treating information as a source of bureaucratic power rather than as a shared resource.




Speaking the Same Language
Agencies working in different jurisdictions and at different levels of government will also have to rethink their communications and information-sharing strategies. An emergency at the local level could quickly escalate to the point where public safety agencies require state or federal assistance, and the ability to coordinate such assistance quickly and effectively could have life-or-death consequences.


Even within the same jurisdictions, incompatible communications systems can lead to confusion and grave mistakes—as the communications failures between New York City police and firefighters during the World Trade Center attacks demonstrated with tragic results. Yet with more than 87,000 local jurisdictions in the United States, establishing shared voice communications, live video, or data feeds will be a challenging task.


In some cases, however, the technology for establishing this infrastructure is already partially in place. A proposal from Homeland Security Office CIO Steve Cooper, for example, would use the National Guard's 3,000-node, coast-to-coast GuardNET network as the foundation of a national security information network. The network would establish a single architecture and set of standards for public safety and criminal justice organizations at every level of government, making it far easier to integrate and share critical information. Another example, the state of Pennsylvania's JNET system, allows dozens of city, county, and state criminal justice agencies to share public safety data over secure Internet connections.


"The important point is that all of these solutions rely on the availability of an Internet Protocol infrastructure," Rogers says. "Whether you're talking about border and transportation security, video surveillance solutions, or biometric identification devices, the data these systems require will flow over an IP-enabled, integrated network." In the future, technologies such as mobile IP (in which data sessions can be initiated to mobile users while they roam) and voice over IP could even extend the same shared infrastructure to voice communications, allowing first responders and other public safety personnel to work together effectively, regardless of their jurisdiction or level of government.




Private Firms and Public Safety
Private corporations control nearly 85% of the nation's critical infrastructure. Attacks on facilities such as dams, power plants, water and sewer treatment facilities, financial and communications networks, and chemical plants would not just affect one firm—they could disrupt the nation's economy, cause massive property damage, or even cause loss of life.


According to Rogers, a single infrastructure attack can also cause a "cascade" effect that multiplies the damage many times. "Harm a power plant, and you can also affect water and sewer treatment systems," Rogers says. "Attack a dam, and you can cause flooding for miles downstream."


Protecting critical infrastructure today, however, requires more than just physical security. Private firms routinely control such facilities through networked computer systems and applications; in this environment, every server, switch, router, and network connection represents a potential source of vulnerability. Attacks that exploit such vulnerabilities also go far beyond the IT systems themselves, since they could give attackers physical control over a facility (such as a dam or chemical plant) and allow them to manipulate it at will.


John Stewart, director of information security for Cisco, states that both the nature and the potential source of such attacks require firms to think beyond the perimeter security measures, such as firewalls and intrusion-detection systems, that many firms still rely on for their information security needs. "You have to change the way you think about network security," he says. "Every device has to be able to protect itself, and your systems have to be intelligent enough to anticipate and respond to completely new types of attacks." New technologies that can instantly recognize and stop a potential attack, such as intrusion-prevention software, will play an important role in this strategy, as will established technologies such as firewalls, virtual private networks, and identification and authentication solutions.




Putting the Pieces Together
Organizations are also placing a new emphasis on sharing security-related information between the public and private sectors. Private sector cooperation with law enforcement is certainly nothing new, but the ability to share critical information over a single network infrastructure adds a new dimension to the process. Police viewing a live video surveillance feed from a private facility, for example, could quickly determine the scope and nature of a potential emergency.


Although the U.S. government has no plans to impose homeland security technology standards in the private sector, many organizations clearly feel a new urgency to adopt such standards wherever possible. In February 2003, for example, the American National Standards Institute created a Homeland Security Standards Panel to develop a national set of security and emergency preparedness standards. The panel has already established a high-profile membership that includes government agencies, academic and research organizations, and private firms—including Cisco and several other information technology companies.


According to Miller, it should come as no surprise that so many organizations in both the public and private sector consider standards and interoperability issues such a high priority. "When you're addressing critical infrastructure protection, vulnerability analysis can be an important tool," he says. "But to do a vulnerability analysis, you need a baseline, and that requires you to agree upon a set of standards."


What Cisco Offers
The Critical Infrastructure Assurance Group (CIAG) is a Cisco team focused on securing critical infrastructures through strategic efforts such as research, workforce development, and information sharing policies and procedures, along with raising awareness in those areas. In addition, the CIAG plays an important role in helping Cisco achieve its objective of developing industry standards for security worldwide.


Further Reading
The U.S. Department of Homeland Security has published several documents about critical infrastructure protection. Perhaps the most important is "The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets." The 96-page document, published in February 2003, includes recommendations about information technology, Web security, and critical infrastructure protection issues.


The Critical Infrastructure Protection (CIP) Project is another important source of information for industry, academic, and government professionals concerned with CIP issues, in particular those dealing with information technology and Web security. The organization's CIP Report, a monthly electronic newsletter, routinely focuses on CIP-related technology issues relevant to particular industry sectors, such as telecommunications, banking, and transportation.




About the Author
Matthew McKenzie is a freelance writer living in San Francisco.

May 5, 2003