Trade Law Daily is a service of Warren Communications News.

Garcia Tells Colleges to ‘Plug in’ to US-CERT, with Legal Safeguards

Department of Homeland Security cyber chief Greg Garcia proposed a vastly expanded U.S. Computer Emergency Readiness Team (US-CERT) that would share more information with the private sector than ever. Garcia, assistant secretary of cybersecurity and communications, spoke Monday at a security conference of the higher-education tech group Educause. But he admitted that his idea probably won’t see reality before he leaves DHS -- likely when the next president takes office, in January -- adding that it would leave open many legal questions about organizations’ access to the DHS cyber feed.

With 40 new slots and a new director in the National Cyber Security Division, DHS is beefing up its commitment to cybersecurity, Garcia said. The agency is reviewing 640 comments on its “essential body of knowledge” cybersecurity draft guidelines, already in use by Florida and Minnesota, he said. Garcia was impressed by the University of Washington when he visited last week, he said. Its Center for Academic Excellence, designated under a joint DHS-NSA cybersecurity program, is linking “practitioners” with students. DHS can compete for talent against higher private-sector pay by offering a chance to joust with cybersecurity challenges that “ripple across the nation,” he said.

US-CERT’s facility, shared with the National Coordinating Center for Telecom, a government-carrier group that handles emergency response communications, suggests US-CERT’s future, Garcia said. He sees the unit evolving into a “central national hub” amassing data from industry information-sharing and analysis centers (ISACs) and synchronizing incident responses, eventually mirroring cybercriminals’ high level of organization. The recent Cyber Storm II exercise showed its value first in 18 months of planning, Garcia said: “It’s extremely important to share your business card now rather than in the middle of a crisis.”

In the short term, US-CERT can’t implement Garcia’s vision, he told a disappointed listener. The unit is focusing on the Trusted Internet Connections program, which seeks to reduce roughly 4,000 federal connections to 50, he said. Agencies’ plans are due in June (WID Feb 15 p2). “That’s all the bandwidth we're going to have for the remainder of this year,” Garcia said. His office has been trying to “carve out some portion of funding” from Homeland Security Grants for private cybersecurity improvements, to no avail, Garcia said, citing an “enormously complicated… and enormously political” process.

As US-CERT maintains a more automated, “real-time” approach, it must juggle the extent to which it legally can share data with entities that “plug in,” Garcia said. The unit monitors not only network traffic patterns but also content -- a dicey subject under federal higher-education privacy rules -- and classified and proprietary information, he said. Despite his short-timer status at DHS, “I'm very eager to get started on that,” Garcia said. -- Greg Piper

Educause Notebook…

Blackboard, WebCT and other content management systems raise new privacy issues for colleges, said David Escalante, director of computer policy and security for Boston College. The Family Educational Rights and Privacy Act, historically seen as protecting sensitive student records, could be read to cover in-class discussions increasingly occurring in professor-moderated, access-controlled online forums, he said. Freewheeling discussions between students in the same class online easily can be downloaded by students and posted in more public forums, losing their federal privacy protection, since a university isn’t responsible for re-posting, Escalante said. He said Blackboard had started asking faculty what kinds of privacy features to include in new versions of the software, offering a chance for industry to solve the problem.