States Plan Center to Protect IT Infrastructure

Plans are under way among state governments to establish a national information-sharing center to boost network security and protect information technology infrastructures that belong to the states.

The information-sharing center would record and report security breaches across state IT enterprises, provide early warnings to other states of network breaches and offer patches to fix violated systems, said officials with the National Association of State Chief Information Officers of Lexington, Ky., one of the sponsors of the center.

The center might provide companies with feedback on security products and solutions they can use to refine requirements. It might also stimulate research and development efforts and generate pilot projects that would speed development of next-generation security measures, industry officials said.

"Anything that fosters a two-way discussion between agencies and commercial companies is beneficial," said Jim Finn, e-security principal with Unisys Corp. of Blue Bell, Pa.

An information-sharing center could assist industry by streamlining communications across a number of clients, said Rick Webb, a managing director with PricewaterhouseCoopers, New York.

While organizations such as NASCIO have been able to bring government and industry together for a few days each year to discuss security, state and local governments lack permanent structures and processes to adequately protect networks and infrastructure, according to industry officials.

The Sept. 11 attacks on New York and Washington have forced government at all levels to redouble its efforts to tighten network security and defend its IT infrastructures. In this atmosphere, state officials responsible for making sure systems operate smoothly and no data is compromised or lost from random hacker attacks or Internet viruses are making security and reliability one of their chief priorities.

"This is one of the things at the top of our list as a result of Sept. 11," said George Boersma, Michigan CIO and head of NASCIO's security and reliability team.

"[States] need both short-term and long-term solutions," he said, referring to the approach NASCIO will take to help states tighten security of networks and data centers.

The initiative to create a national information center is a collaborative effort by NASCIO, the Washington-based National Governors Association and the Partnership for Critical Infrastructure Security of Washington, a nonprofit organization established to coordinate protection efforts by the various infrastructures critical to the U.S. economy.

About a half dozen information-sharing centers already exist in the United States to protect different types of critical infrastructures, including electric power, financial services, IT and telecommunications. Private-sector IT has long been regarded as a key infrastructure, and now government IT is being regarded as critical as well.

"The main purpose of PCIS is to meet the need of infrastructure sectors," said PCIS President Ken Watson, who also is manager of the critical infrastructure assurance group of Cisco Systems Inc., San Jose, Calif. "As states emerge as another infrastructure sector, we will look to support them."

Watson said the input that NASCIO will provide as an ad hoc member will help improve coordination of critical infrastructure protection across all levels of government.

For its part, NASCIO is rushing to develop guidelines within 30 to 60 days that would form the basis of its recommendations on a coordinated security strategy.

NASCIO wants to work closely with other organizations in the federal government and private sector, Boersma said. He vowed to work "on a rapid basis" through issues such as who will run the center, how it will be funded and how it will be staffed, but said no formal plans regarding any of these matters have been made yet.

To be effective, the information-sharing center would need to exhibit "a high-level of confidence" so that it received the support and participation of all 50 states, said Thom Rubel, NGA's program director for state information technology.

The analysis center would serve as a central point from which state technology offices would interact with technology companies that provide products and solutions to the government, said Chris Dixon, NASCIO's digital government coordinator.

"[So] you don't have 50 states or customers contacting the same company, there would be one third-party organization trusted with watching all of this and getting information back to the states," Dixon said.

One of the key assets PCIS will recommend state officials quickly protect is key Internet protocol addresses, which provide access to systems and servers.

"If a state knows what those are and where they are, then it can better manage the risks [associated with them]," Watson said.

States may find through a vulnerability analysis that they need to protect certain overlaps between state government and other government or industry sectors, he said.

The initiative may require new laws and regulations for protection of this information, Dixon said. A secure database must be established, which may require modest funding, he said.

Those leading the initiative said states may need to revise certain laws they have regarding access to public information. Watson said some states may have to review sunshine laws that mandate public access to sensitive information so it does not fall into the wrong hands.

An information-sharing center could prove to be "a highly useful platform" for facilitating communication and coordination of security and infrastructure protection, said Larry Herman, state and local government alliances partner for KPMG Consulting, McLean, Va.

Herman said that for such a center to be effective, it would require "new and enhanced levels of leadership funding, confidentiality, privacy and accountability."

The information provided by industry and government would be useless if there isn't an organization in place to evaluate, distribute and act on the information as appropriate for a given agency or government, Finn said.
