DHS center could extend classified Pentagon cyber program to nondefense industries

If Congress fails to pass cyber information sharing reforms, the Homeland Security Department could offer all critical industries entry into a little-known facility that circulates classified warnings about threats, similar to the way an exclusive Pentagon initiative works, said a former DHS official who started the operation. The National Cybersecurity and Communications Integration Center, or NCCIC, is a 24-hour crisis center that has been investigating and responding to breaches since 2009.  

“On that watch floor right now you have representatives with full security clearances, up to the Top Secret level, from energy companies, financial services companies, water companies, telecommunications companies, sitting there next to intelligence analysts, sitting next to government cyber analysts, sitting next to Secret Service agents and FBI agents,” said former NCCIC director Seán McGurk, at a talk sponsored by Government Executive Media Group and National Journal.

McGurk became managing principal for industrial control systems cybersecurity at Verizon in May. The telecom firm is one of the critical sector companies stationed at the NCCIC (pronounced N-kick). “They are all sharing the information in near real-time, machine-to-machine speed, not necessarily just human to human, so they can get that overall operational picture to identify cyber risk,” he said.

There also has been discussion of allowing all vital sectors into a more high-profile program that today exchanges classified threat data only within the defense industrial base. The Pentagon recently announced plans for renewing a contract with Booz Allen Hamilton to beef up capacity of the initiative, which currently supports about 15,000 individuals from more than 2,650 defense suppliers.

McGurk acknowledged that NCCIC must ramp up if it is tasked with providing nondefense critical sectors the same services available from the defense industrial base program.

We started the capability -- and now we need to advance that capability and we need to extend it” beyond the currently six or seven active industries, he said. “We need to ensure that the public is aware that this is a resource.”

NCCIC is an outgrowth of a Bush administration presidential directive commonly known as the Comprehensive National Cybersecurity Initiative. Under the initiative, data sharing activities must comply with federal privacy policies for personal information and other protected information.

By “collaborating and sharing classified information, unclassified information, proprietary information, we have a better idea of what the activity is and how the activity propagates through these various sectors,” McGurk said. For example, an oil company executive may spot a danger that could disrupt energy industrial control systems, while a water plant employee may look at the same information and see separate ramifications for that utility.

“And then it becomes actionable because the energy sector person sits there and says that’s important to me in this way and I need that information to protect my sector, which may be different from what the water person sees,” he said. The center is “something that can be enhanced, it’s something that can be expanded but it’s something that currently exists.”

Mark Weatherford, the top cyber official at DHS, increasingly is promoting NCCIC during speeches. “The NCCIC is going to be the nexus of information,” he said this summer. Weatherford, who previously served as chief security officer at the North American Electric Reliability Corporation, which enforces reliability standards for the bulk power system, predicts that eventually businesses in all critical industries “will have NCCIC on speed dial.”