Archived Information
Expanding Cooperation Between Public and Private Organizations to Enhance Information Security
The information assurance (IA) challenges faced by federal agencies are similar to, and related to, those faced by industry, educational institutions and virtually all private organizations. As all have become increasingly dependent on computers and the Internet, the sensitive data upon which our government and private institutions rest have come under increasing attack by hackers and others with malicious intent. With growing use of the Internet, technical errors or malicious activity in one organization can quickly infect or disrupt the critical data of multiple institutions simultaneously. All sectors must improve security procedures and ensure that employees follow them. All must also improve their use of encryption, firewalls and other technologies that keep intruders out.
As the electronic exchanges between government and private sector proliferate, so do the challenges of IA. Federal agency "electronic commerce" with external customers is rapidly expanding in response to demands for better service, and to new laws. The Government Paperwork Elimination Act (GPEA) of 1998 established a deadline of October 2003 for agencies to develop capabilities to permit electronic maintenance, submission or disclosure of information, including the use of electronic signatures. The E-Sign Act, signed into law on June 30, 2000, establishes standards for what makes an electronic document legally valid. Together, these new laws are expected to dramatically increase federal agencies' use of electronic exchanges of information with external partners. Also, as a means of customer service, federal agencies are establishing "portals," or integrated Web sites, that can be used by citizens and private organizations to obtain information and services.
Presidential Decision Directive 63 on Critical Infrastructure Protection (PDD-63), signed by President Clinton in May 1998, requires all federal agencies to identify critical assets and dependencies on external partners, and then to perform extensive vulnerability assessment and remedial activities as needed. PDD-63 created a National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism and a Critical Infrastructure Assurance Office (CIAO) to support the National Coordinator. The CIAO is also tasked with integrating the National Plan; assisting in the analysis of Agency dependence on critical infrastructures; and coordinating National outreach, education and awareness programs. PDD-63 also proposes a public-private partnership to realize this goal and designates Lead Agencies (Sector Liaisons) responsible for coordinating with the private sector.
Pursuant to the PDD-63 "National Plan" (available at www.ciao.gov), federal agencies are facilitating information security cooperation across various economic "sectors." The President's Report to Congress on PDD-63 activities will be made public soon at www.ciao.gov. It will contain information about a range of current and developing public-private partnerships.
Federal contracting with private Information Technology (IT) security/consulting firms is a major form of "public-private partnership" in support of all aspects of IA. The General Services Administration's (GSA) Project Safeguard supports such contracting. However, unlike the Y2K effort, federal agencies do NOT have separate IA appropriations. These IA contracting efforts must compete for limited funding within the administrative budgets of all agencies.
Information Security Scholarships for undergraduates and graduate students are being offered for the first time this year by the National Science Foundation (NSF) (FY 2001 appropriation of $11.2 million). Colleges apply to NSF, and then make awards to qualified students. Visit the NSF or CIAO website for details.
Research (e.g., on improving cryptography and new means of countering hackers) is being sponsored by NSF, the National Security Agency (NSA) and other agencies at various universities.
The National Colloquium for Information Systems Security Education (see www.ncisse.org) is a government-industry-education collaboration aimed at improving information security education (all levels) and public awareness of information security issues. NSA is the lead Federal agency.
The Information Technology Association of America (see www.itaa.org) is another government-industry-education partnership that works on introducing/improving the information assurance aspects of course content and curricula at secondary schools through college/graduate school. The Justice Department is the lead Federal agency.
Information security emergency response partnerships:
Federal Computer Incident Response Capability (FEDCIRC), sponsored by the Federal CIO Council, coordinates a collaborative partnership of incident response, security and law enforcement professionals in handling computer security incidents. FEDCIRC also provides proactive computer security services such as on-site incident recovery assistance, audit trail analysis, security engineering and guidance for civilian federal agencies.
Carnegie Mellon University's Computer Emergency Response Team (CERT) provides vital coordination and response efforts when large-scale security incidents occur. CERT provides technical guidance on computer hardware, operating systems, applications and other IT technologies, on improving system security, and on surviving and recovering from cyber attacks. CERT issues regular advisories and bulletins on vulnerabilities and countermeasures to aid in the proactive prevention of security breaches. Their Web site is www.cert.org.
National Infrastructure Protection Center (NIPC), required/established by PDD-63, brings together representatives from U.S. government agencies, state and local governments, and the private sector in a partnership to protect our nation's critical infrastructures. NIPC serves as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against our critical infrastructures, which include telecommunications, energy, banking and finance, water systems, government operations, and emergency services.
The Department of Education is an active partner with FEDCIRC and CERT. In early 1999, we learned first-hand how valuable these services are when the Department experienced several Internet-based incidents in quick succession. Our IT security and internal network staff utilized FEDCIRC and CERT expertise to help analyze our log files and to trace the origins of these incidents. While we did not suffer any loss or compromise of Department data, those events did drive home the ease with which unsavory characters, or just pranksters, can wreak havoc.
Acronyms and Related Links
- CERT - Carnegie Mellon University's Computer Emergency Response Team (www.cert.org)
- CIAO - Critical Infrastructure Assurance Office (www.ciao.gov)
- DoD - Department of Defense
- FEDCIRC - Federal Computer Incident Response Capability
- GPEA - Government Paperwork Elimination Act
- GSA - General Services Administration
- IA - Information Assurance
- IT - Information Technology
- INFOSEC - Information Security
- ITAA - Information Technology Association of America (www.itaa.org)
- NCISSE - National Colloquium for Information Systems Security Education (www.ncisse.org)
- NIETP - National INFOSEC Education and Training Program
- NIPC - National Infrastructure Protection Center
- NSA - National Security Agency
- NSF - National Science Foundation
- PDD-63 - Presidential Decision Directive 63 on Critical Infrastructure Protection