Information Sharing and Analysis Centers (ISACs), the main channel for industry and the federal government to exchange security information, are the focus of renewed debate about their usefulness amid continued complaints by business executives that the Department of Homeland Security and other agencies fail to provide adequate and consistent support for them.
Proponents of the ISACs say that their mission, to provide 24/7 threat warning, incident reporting, and analysis and protection of private industries’ sensitive and proprietary information, is vital because it is something that the government itself cannot accomplish.
Recently, however, 9/11 Commission member and former Deputy Attorney General Jamie Gorelick charged at a security conference in San Francisco that the industry-led ISACs are ineffective, saying that the concept should be abandoned or reformed if national security is to be safeguarded.
At the same forum, former White House security adviser Richard Clarke referred to the ISACs as “version 1.0,” saying that four years after al-Qaeda’s deadliest attack, the centers were “still getting started.”
“I don’t think the model of ISACs works,” Gorelick said. “Asking industries to fund their own ISACs as they wish and in a disorganized fashion will not get us where we need to go.”
Gorelick added that the centers ended up having to “pass the hat” to raise operating funds. “You need personnel who have their job from year to year, and don’t need to beg for their salary from constituent members.”
Several ISAC spokespeople consulted by GSN vigorously disputed Gorelick’s characterization, saying that her views were outdated and misinformed. “I don’t believe she’s been active in this community for some time,” said Guy Copeland, president of the Information Technology ISAC, “and therefore is really not up to speed on the accomplishments we have achieved.”
“The ISACs have developed differently, they have different missions and different maturation cycles,” noted Don Rondeau, director of the Highway ISAC. “As people start to look at and understand the goals and capabilities of each individual ISAC, they will understand that no one statement can speak to all of the ISACs.”
Creation of the ISACs grew out of Presidential Decision Directive 63, issued by President Bill Clinton in 1998, which named them as a means of fostering critical infrastructure sector cooperation, including information-sharing, with the federal government.
After the terrorist attacks of September 11, 2001, the ISACs shifted their principal focus from cyber security to broad concerns over the threats posed by terrorists to the physical infrastructure of the more than 80 percent of the U.S. economy that is privately owned.
Today there are more than a dozen ISACs for sectors ranging from IT, telecommunications and financial services to food, water, chemical, energy and surface transportation. Although they vary in terms of funding, organization, and relations to the federal government, all of the centers seek to directly and rapidly bring together expert members to examine vulnerabilities, threats or incidents as these rise to levels that require sector expertise and coordination.
The centers' often cutting-edge contributions to critical infrastructure protection, ISAC proponents say, include their reach into the maw of the sectors they represent. Thus, they able to help both industry and the government detect and analyze real-time and potential security threats, as well as create and sustain the trusted relationships needed for cross-sector information sharing.
The deep and broad bench many ISACs bring to analyzing threat information cannot be matched anywhere in the federal government, ISAC defenders say. Nor can the government, hobbled by various pre-9/11 laws and regulations mandating the public disclosure of information, guarantee the protection of sensitive and proprietary data.
The Highway ISAC, which operates under a cooperative agreement with the Transportation Security Administration and the Office of Domestic Preparedness, is an example of the extensive network within a sector – transportation -- that serves as the robust foundation for receiving, analyzing and disseminating threat information, Rondeau noted. “We see these emerging threats as they happen.”
Located within the Transportation Security Operations Center in Herndon, VA, the “connectivity” between the Highway ISAC and its industry peers, Rondeau added, has been a boon for its non-sector partners as well. “We get a lot of information that may have to do with the surveillance of an infrastructure that may have nothing to do with highways,” Rondeau said, “but it is a member of the highway community that is reporting a potential surveillance on chemical, a potential surveillance on water, things of that nature.”
The Electricity ISAC proved invaluable for determining the causes and the reach of the August 14, 2003 mega-blackout, recalled Louis Leffler, a spokesman for the ISAC. “We literally had almost 200 people working on a detailed analysis to figure out exactly what had happened. You may not always need that many people, but you do need to reach out to industry to find the people who know what is going on to understand it,” he said.
These positive achievements, however, must be weighed against other recent developments that appear to have provided Gorelick’s comments with resonance.
Despite the ISACs’ contributions to critical infrastructure protection, their operators and proponents appear to be dogged by funding realities. While the Financial Services ISAC reported a 1,300 percent growth during the last year, money remains an issue for many ISACs. Gorelick’s comments, for instance, came just weeks after the nation’s Public Transportation ISAC announced it was in danger of folding after federal support dried up.
“Jamie (Gorelick) said that they are not funded properly -- and they are not funded properly,” said Suzanne Gorman, president of the ISAC Council, a coalition of all the ISACs. “Part of the problem is that the sectors’ sponsoring agencies for each of these ISACs have to become engaged again. I do not think that a lot of them are.”
Gorman’s remarks echoed a report issued last August by the White House’s National Infrastructure Advisory Council, which recommended -- to date without much success -- that DHS “recognize and endorse” the ISACs.
Instead, as recently as late last year, DHS officials were offering industry groups PowerPoint presentations that emphasized perceived limitations of the ISACs, including service fees which many believe stymie the recruiting of new members, and interoperability and cost issues that inhibit cross-sector information-sharing.
One slide claimed that the ISACs were “not effectively resourced for information collection, analysis and dissemination of sector-specific incident and vulnerability trends.”
ISAC defenders counter by saying that the DHS criticisms risk becoming a self-fulfilling prophecy. The ISACs’ attempts to develop self-funding models and grow their private-sector memberships are hindered by the government’s inability or unwillingness to voice its support of the centers and develop clear information-sharing protocols that recognize their value.
DHS’s failure to use its “bully pulpit” on behalf of the ISACs comes amid continued confusion and turmoil over the centers’ relationships with the federal government. Some ISACs have been able to maintain strong ties with their sector partner -- the Financial Service ISAC’s longstanding liaison with the Treasury Department is an example of a rock-solid relationship. Others, such as the Water ISAC, labor with increasing frustration to get any useful information from DHS, despite having received a $2 million shot-in-the-arm in the fiscal 2005 omnibus appropriations bill (PL 108-447).
The ISACs have also struggled to retain their roles among a jumble of private sector information-sharing programs within the federal government and private organizations whose mission is also to promote the sharing of security-related information.
What’s more, when DHS created “sector coordinating councils,” designed to drive sectors’ overall infrastructure strategies and policies, it cut the operational ISACs out of the loop regarding its plans to create the parallel policy organizations until the decision already was made, according to several ISAC sources.
“The growing pains of organization and reorganization within DHS definitely inhibits some of the information sharing on the private side,” noted Rod Nydam, associate director of private sector programs at the George Mason University’s Critical Infrastructure Projection Project. The university’s critical infrastructure program forms part of a contract with DHS under which George Mason offers support services to both the ISAC Council and the sector-coordinating councils.
“In general, the ISACs play a very important information-sharing and related operational role, one that cannot be played by the government in every sector,” Nydam added.
“The ISACs bring analytical expertise than cannot be replicated anywhere else,” said Paul Wolfe, vice president of EWA Information and Infrastructure Technologies, Inc., a Herndon, VA, firm that manages three ISACS. “They are a wonderful gift that was presented to the nation.
“They just need to be used.”