The Nation’s 24-Hour Cyber Watch Center Still Has Some Empty Seats

The watch floor of a national center that monitors hack attacks aimed at 16 critical U.S. industries is still missing analysts from 75 percent of those sectors.

The reasons for low attendance have little to do with controversies over sharing customer and business-sensitive information. 

The main problem is insufficient capital to put boots on the ground at the National Cybersecurity and Communications Integration Center – or NCCIC (pronounced "N-Kick").  

Established in 2009, the space in a nondescript Arlington office tower is where technical analysts from the government and industry can exchange cyberthreat intelligence. 

At a speech there in February, President Barack Obama described the place as "one of the critical lines of America’s cyber defenses," adding that "these men and women work around the clock, 24/7, monitoring threats, issuing warnings, sharing information with the private sector and keeping Americans safe." 

But not everyone in the private sector is on board yet, including the public transit and electricity industries. 

Only four of the 16 designated critical-infrastructure sectors have dedicated analysts onsite, the National Council of Information Sharing and Analysis Centers tells Nextgov.  

The representatives are from the financial services, aviation, and telecommunications industries, along with state government. The financial services representative doubles as the health care representative as needed, council members say. The information-sharing centers, referred to as ISACs, are sector-specific nonprofit groups that tip off businesses within their industry to cyberthreats.

"We're not on the floor at all," said Scott Algeier, executive director of the Information Technology ISAC, whose members include Juniper Networks, Intel and Oracle. 

The likely reason for the absence of some industry groups is because “it’s a serious resource commitment to put a body there all the time,” said Mark Weatherford, the former Department of Homeland Security deputy undersecretary for cybersecurity, who oversaw the center up until 2013.  “You are basically funding a body to go sit outside your organization.”

Most of the ISACs, which are bankrolled by membership fees, federal grants, and private subsidies, cannot afford to support that person.

The nonprofits “have good leadership --- but this is a part-time job for most of these folks,” he added. The electricity sector sends someone to the center “periodically,” said Weatherford, who once worked for the North American Electric Reliability Corporation, a self-regulatory industry organization.

Currently, DHS does not have money to sponsor industry specialists, either.

There were discussions about paying for an employee from each organization to participate when Weatherford was at Homeland Security, he recalled. 

"I think it's probably one of the things that I would have liked to have gotten done while I was there, but I just wasn’t successful at,” said Weatherford, now a principal at consulting firm the Chertoff Group.

It’s possible, though, that some sectors would not have even accepted the money, he said.

“Because any time you take funding from the government, there’s strings attached to it," Weatherford said. "There are performance measures you have to meet; there are reporting requirements you have to make."

Homeland Security officials on Monday said the department collaborates with public and private sector partners every day to make sure they have the necessary information and tools to protect vital systems.

Currently, “every sector is welcomed to have a representative at the NCCIC at any time,” DHS spokesman S.Y. Lee said in an email.

Facebook to the Rescue?

The months- and sometimes year-long process of obtaining security clearances for analysts to see classified intelligence can be another turnoff, said Algeier, who also serves as the vice chair of the National Council of ISACs. 

In 2012, after finally credentialing an IT ISAC specialist to enter the center, the group discovered the facility’s super-secure setup prohibited communicating with colleagues back at the ISAC.

"He was cut off from the outside world,” Algeier said. “If he wanted to talk to my operations team, he had to leave the floor and go outside and call on the cellphone and talk to the operations team." 

Since then, issues at the communications center seem to have improved.

Many private sector representatives cleared to access the NCCIC can work from “designated hotel spaces,” where visitors connect through their own, independent wireless networks to handle corporate and proprietary matters, Lee said.

Facebook recently opened a virtual information-sharing hub for all sectors that is expected to loop in ISACs. But reportedly, the government is not allowed in at this time.

The online community, called ThreatExchange, will not permit agencies to participate "until there is legislation that clearly defines how information from sharing platforms can be used by these parties,” Mark Hammell, manager of the Facebook threat infrastructure team, told Passcode.

As of Thursday, seven industries -- technology, security, insurance, financial services, higher education, defense and Internet Service Providers -- were comparing notes on, for example, malware and suspicious IP addresses, according to a Facebook blog post.

Face-to-Face Communications

Virtual conversations, however, aren't as intimate as those on the center’s floor, say individuals who have been inside.

“Having someone sitting in there -- it’s just a melting post of information. The value bubbles up out of that,” Weatherford said. “Somebody in one sector who hears a conversation might say ‘Well, wait, we saw that a month ago’ or maybe, ‘We haven’t heard that yet, but we are going to look into it.’”

Administration officials -- in testimony before Congress, in speeches about the hacks at Sony and federal employee background checkers and almost all other "cyber"-related remarks -- plead for industry to provide more threat information.

The 2014 Federal Information Security Modernization Act put the center up on a pedestal, deeming it a "central federal information security incident center" and permanently placing it inside DHS.

Former FBI special agent Andre McGregor, who often liaised with the center, said the analysts there are a special breed. 

“I would brief the NCCIC floor on the threats that were being tracked by the FBI and you would get those granular, deep-dive questions that required an understanding of technology to be able to answer that,” he said. “It was refreshing to be in a room of my peers that understood all levels of the threat, not just the 30,000-foot view." 

The specialists quickly understand the ramifications and gravity of each incident, said McGregor, now a director at cyber firm Tanium.

Hackers Don’t Need Security Clearances

IT ISAC officials say it actually might be beneficial to have one of their analysts at the briefings, if only to tell the government how much of the classified intelligence is actually useful.

For example, “We don't need to know how you got the information,” Algeier said. “But sending these three or four sentences or these 150 indicators, whatever they maybe, getting that part of this classified document out to industry would be helpful.”

Still, the eligibility requirements for entry into the building need to be lowered, he says.

"The bad guys are moving faster," Algeier said. "They are more rapidly sharing the malware with each other and the exploit code. They have less hurdles to go through than we do."