Private, Public Sector Share Data

Thursday, March 14, 2013 @ 06:03 PM gHale

The government has been talking for quite some time about working with the private sector and sharing security information with it, and that now seems to be coming to fruition under the Enhanced Cybersecurity Services (ECS) program.

Under ECS, the Department of Homeland Security (DHS) is releasing cyberthreat information developed by the National Security Agency, the FBI and others to participating American “Commercial Service Providers” in the telecommunications business. Those companies, which the government said include the telecom carriers AT&T and CenturyLink, are in turn eligible to use that classified information to develop and sell a package of higher security protection to qualified companies the government deems to be part of the nation’s critical infrastructure.

The initiative comes in the wake of the executive order by President Barack Obama designed to encourage such information sharing between the intelligence and corporate worlds.

A spokesman for DHS said the “information provided through ECS is generally unavailable today to private-sector entities, and will help the private sector to develop innovative and efficient solutions to mitigate or prevent those risks.”

One former high-ranking U.S. intelligence official categorized the ECS program as a work-in-progress. “They have at least two carriers working on it now. For this to be effective, I think they need at least five,” the official said. “This is all being worked out, and there’s a lot of bureaucratic wrangling going on.”

The government stresses that the program, which began in February, is voluntary and that DHS “embeds and enforces” privacy protections and transparency in this program and others.

Nonetheless, the effort represents a sweeping new application of classified information in the private sector, and has caused some concern among private firms that it could lead to other, mandatory efforts to police private U.S. corporate intellectual property and communications.

AT&T declined to comment and CenturyLink only confirmed its participation in the plan.

The role of the telecommunications carriers is a hybrid of public and private cooperation. In return for participating in the program, the carriers get access to classified information they can use to build a potentially profitable business. “They’re not doing this pro bono,” said Michael Brown, a retired Navy rear admiral who is now an executive at the computer security firm RSA. “In a year, I would expect a very heavy demand signal from the private sector.”

The program comes from an earlier effort to use similar tactics to protect U.S. defense contractors from cyber intrusions. Companies that want access to the higher level of cyber protection must qualify through a two-step process. First, the government must determine the company is part of U.S. critical infrastructure and the firm must undergo vetting for threats to U.S. national security or operational security.
