Summarize and discuss Information Sharing and Protection

POST

Information Sharing and Protection is a vital part of the National Infrastructure Protection Plan (NIPP) and the Guide for CIKR at the State, Regional, and Local Levels (Sept 2008) gives direction on how to accomplish this. All levels are considered including regions, state, local, and private sectors. This discussion will look at the guidance on how information concerning CIKR should be shared, fusion centers' roles in the protection of CIKR, and then how CIKR information should be protected.

Owners and operators of CIKR assets have a vested interest in keeping their investments from harm. Private sector individuals and companies want their facilities and personnel protected while at the same time cannot afford to waste limited resources on every possible threat they may face. Partnership with the federal government grants them a much better picture of what is the current threat level in their locality/localities and what types of threat level their industry is facing on a whole. States and local governments are well suited to act as the go-between in the vital communication processes between federal agencies and owners and operators.

The federal government also benefits by gaining insight into what types of intelligence products would most benefit owners and operators as well as any reports on suspicious activity they may have observed. One important tool used in this exchange of information sharing is the Homeland Security Information Network (HSIN). Its network is designed off of previous lessons learned from the Department of Defense (DoD) and other federal organizations (DHS, 2008, pp. 23-24). While an unclassified network, it is still a secured network due to the sharing of Sensitive But Unclassified Information on it and allows many capabilities including alerts, training, Global Information Systems mapping, secure messaging, instant messaging, web conferencing, and document storage (DHS, 2016, paras. 1-2).

Fusion centers are one method utilized by states (along with other governmental agencies such as the two Maritime Intelligence Fusion Centers utilized and operated by the US Coast Guard (Richardt, 2006, pp. 8-9)) to act as enablers of the conduits of information flowing amongst the protectors of CIKR. Fusion centers may also develop their own intelligence analysis and reports in addition to acting as "all source" clearinghouses (Sauter and Carafano, 2012, p. 176) and providing increased understanding of threats, vulnerabilities, and consequences of disasters or attacks on CIKR within their area of responsibility. Furthermore, fusion centers should be funded and equipped with resources that allow them to not only collect and share CIKR information accordingly but also to share best practices, standard operating procedures, and emergency information necessary for all levels including owners and operators (DHS, 2008, pp. 24-25).

Information protection is the last area that is addressed in the realm of information sharing and protection in the DHS guide for CIKR. While it is vital that information gets in a timely manner to those levels and organizations that have the desire or even duty to protect CIKR assets, it is also extremely vital to exclude those that would use such information for nefarious purposes and those that might discuss or disclose CIKR information unknowingly or haphazardly (those without a "need to know"). DHS reminds all levels involved in information sharing that everyone involved is responsible for protecting information about CIKR and reiterates that every plan and program should contain information detailing who is granted access to the information and how they obtain that restricted access. A program that exists to help safeguard information is the Protected Critical Infrastructure Information (PCII) Program.

This information may include personal identifying information, vulnerability reports, risks, threats, asset identifiers, and proprietary information for private industry. The PCII program acts in that if the information is shared with the government and validated as qualifying as PCII, it gains protection from federal law and then becomes exempt from public disclosure. A final category of CIKR has gained its own new specific standards under federal law. Chemical facilities now operated under the Chemical Facility Anti-Terrorism Standards. Chemical-terrorism Vulnerability Information is generated and utilized to meet those standards and to share information at the local and state levels to help ensure that the chemical facilities are adequately safeguarded (DHS, 2008, pp. 25-27).

Information about CIKR must be appropriately shared while at the same time protected against those that would exploit it to attack our homeland. Systems and tools such as the HSIN and fusion centers have been developed to allow easy access, storage of information, analysis of threats and vulnerabilities, and collaboration amongst the many partners involved in protecting CIKR. As we have recently seen in this last election year, even government systems and networks used by politicians and members of our federal government are not immune from attack and penetration by individual hackers, hackers acting on the behalf of foreign governments, or trusted individuals that leak information knowingly (or even unknowingly). DHS has recognized that CIKR information must be protected and given guidance and tools such as the HSIN to help meet that goal.

1 PAGE