GAO Cites Critical Factors for Info Sharing

Trust, secure communications and consistent leadership are a few attributes agencies need to successfully share critical security information with the private sector, according to a General Accounting Office study released Oct. 15.

At the request of Sen. Robert Bennett, R-Utah, ranking minority member of the Joint Economic Committee, the GAO studied the practices of 11 organizations that successfully share sensitive or time-critical information.

The report, entitled "Information Sharing: Practices That Can Benefit Critical Infrastructure Protection," identified five factors that facilitate successful information sharing: fostering trust and respect, establishing secure communication channels, establishing top management support, ensuring leadership continuity, and generating clearly identifiable membership benefits.

"Trust was critical to overcome members' reluctance to disclose their weaknesses, vulnerabilities and other confidential or proprietary business information," the report said. It noted that companies were often reluctant to share information with agencies for fear it would leak out and damage company reputations and provide an advantage to competitors.

The report also identified several hurdles agencies must overcome to implement information-sharing practices, including developing agreements on the use and protection of shared information, obtaining funding and finding skilled personnel.

In May 1998, President Clinton issued a directive that outlined a strategy for combating the threat of cyberattacks. It included establishing mechanisms for sharing information between agencies and private industry on system vulnerabilities, threats, intrusions and anomalies.

By sharing information, organizations can more quickly identify trends, understand the risks and determine what preventative measures are needed, according to the report.

"Computer-based incidents, such as the ILOVEYOU virus in May 2000 and the recent Code Red, SirCam and Nimda attacks, have caused significant disruptions and damage. In addition, the terrorist attacks of Sept. 11 illustrate the importance of having timely information from others on threats and possible precursors to an attack," the report said.

However, the GAO noted that in previous reports it had found the government slow to adopt this information-sharing strategy, with only six information sharing and analysis centers established as of March.

Last month, Bennett and Sen. Jon Kyl, R-Ariz., introduced the Critical Infrastructure Information Security Act of 2001, which would encourage corporations to share information with the public sector through limited exemption from the Freedom of Information Act and antitrust laws.