Tracking the institutional response of state and local governments to cyber threats is relatively tough in many cases. Security concerns, rapid changes, and limited transparency all collectively make finding official and primary sources challenging. As such, when there are useful data sources to help understand these issues, they’re worthy of note. One such set of data comes from the Department of Homeland Security’s (DHS) Annual Fusion Center Assessments.
These documents, part of the Fusion Center Performance Program, inventory the progress and focus of the 78 designated fusion centers that comprise the national network of fusion centers. These centers, in states and large urban areas, are a centerpiece of the post-2001 organization and reorganization of homeland security. Owned and operated by state and local governments, these centers serve as clearinghouses for information and intelligence related to locally defined missions; covering either counterterrorism, all-crimes, or all hazards, depending on the center. This variability has lead to the common refrain that “If you’ve seen one fusion center, you’ve seen one fusion center.” This information sharing is both vertical (across levels of government) and horizontal (across states and urban areas). While often treated in the media as DHS centers, they are in fact run by - and today mostly funded by - state and local governments.
One of the most striking stories that come out of these annual reports is about the rise of cyber intelligence and cyber security as a function in these centers. In the 2011 assessment, the word “cyber” is not even mentioned; and while “information security” is mentioned several times, it is done so in the narrow context of protecting a fusion centers internal information, as opposed to the broader sense in which information security would equate to cyber security. In the 2012 assessment, 39 out of 77 (about 51%) of centers reported that they worked on cyber security. In the 2013 assessment, 59 out of 78 centers (about 76%) reported working on cyber security. In the last assessment released, covering 2014, 63 out of 78 (about 81%) centers reported working on cyber issues. This rapid expansion from about half to over 80% in three years is truly remarkable.
It suggests that the expansion of this function has brought a host of new entities and players into the realm of information security beyond “traditional” stakeholders like state Information Technology agencies and Chief Information Security Officers (CISOs). Unfortunately, the information in these reports is not granular enough to assess what stakeholders are involved, and how this growth in the intelligence is changing the complexion of cyber security discussions at the state and local level. There have been some good attempts to collect more granular information, but at this point, those efforts are largely anecdotal and in their early stages.
This growth of cyber in Fusion Centers makes sense in light of several "push" and "pull" factors that might impact organizational and center priorities. The rise of concerns about cyber security has been widespread across government agencies. However there are more concrete items that encouraged that concern to find an institutional place in fusion centers. The National Governors Association (NGA) has explicitly advocated that fusion centers be a key plank in state cyber planning. DHS has offered training to fusion center analysts on cyber issues, and encouraged cyber information sharing. The Multi-State Information Sharing and Analysis Center (MS-ISAC), an information sharing non-profit with states as clients, has embraced fusion centers, in addition to the “traditional” IT audiences - CISOs and IT agencies. Cyber security has also been a focus of the National Fusion Center Association (NFCA), an association that represents these centers, including being featured as part of their strategy for the future of the national network of centers.
All of these factors, plus the understanding that cyber security requires cross-agency and cross-disciplinary coordination, have lead centers themselves to embrace this function. Information sharing is an important first step, and there is still much room to improve that component of cyber security. That said, information sharing by itself is likely to be insufficient to deal with the scale and scope of the problems around cyber security. New Jersey cyber security director Dave Weinstein correctly points out that while information sharing may be a “critical pillar” of US cyber strategy, a more “multi-faceted” set of approaches is necessary. Weinstein also correctly points out that whatever strategy or strategies are embraced, “Washington needs to work more with states and cities to boost awareness of cyberthreats and the adoption of best practices.”