Leaders of security information-sharing organisations in
the US have criticised the Department of Homeland Security for
announcing its new cyberalert system without informing the private
sector.
Senior officials from the Information Sharing and Analysis Centers
(ISAC) within the IT and financial services industries said they
learned of the DHS National Cyber Alert System from media reports
that appeared shortly after the announcement was made this week.
The officials still have little or no idea what, if any, new
capabilities the alert system offers, what is expected of the ISACs
or how the private sector is supposed to integrate and co-ordinate
with the DHS on the alerts.
"The government wanted to know how it could get [security
information] to everybody, but It didn't ask us how we could do
that," said Pete Allor, operations director for the IT sector ISAC.
"At least you got a conference call," he said, referring to the
media briefing hosted by the DHS.
Amit Yoran, director of the DHS's National Cyber Security Division,
told reporters that the new alert system "will integrate very
closely with ISAC functions, [and alerts] will be provided to the
ISACS and, in many cases, co-ordinated with the ISACS in advance."
Yoran said that integration will be made possible by the US
Computer Emergency Readiness Team (US-Cert).
That was news to Suzanne Gorman, chair of the financial services
sector ISAC, who said she and others were never briefed on what
capabilities the US-Cert operation provided.
"We talk about partnerships, but it would have been really nice if
they had a conversation with us ahead of making this announcement,"
said Gorman. "The way they did this was poor, to say the least."
Yoran, in response to those concerns, said DHS did conduct
discussions with the various ISACs on what the department could do
to increase awareness, adding that the level of interaction will
increase as the system matures.
He added, however, that the goal of the new system is to give "all
users of cyberspace the information they need to protect
themselves", noting that the DHS alert system does not provide any
sector-specific information. Instead, it offers a national-level
view, which "even all of the ISACS don't cover", he said.
Despite the agency''s characterisation of the new system as "a
fundamental building block of the public-private partnership," both
Allor and Gorman said the initiative seemed to be geared more
toward home users and the small business community rather than than
the medium-sized and large companies that make up the bulk of the
nation's critical infrastructure.
"I'm not clear on how this is going to work," said Gorman. "There
seems to be a lot of duplication of effort."
Allor also questioned the effectiveness of using e-mail alerts to
notify home and small business users of security issues - a key
issue the DHS should have discussed with the private sector, he
said.
"Who are we trying to alert, for what, and what's the best method
to get to them?" adding that it was unclear if e-mail alerts will
be as timely for these users as they are for large enterprise
users.
Dan Verton writes for Computerworld