Enhancing The Role of Fusion Centers in Cybersecurity, a new “issue brief” from the National Governors Associations (NGA), which scrutinized the actions governors and state policymakers can take to increase the role of fusion centers in promoting cybersecurity and public safety, offers numerous and easily implemented policies and practices to do so.
“Because of the growing number of threats to our cyber infrastructure, looking at adding or expanding cybersecurity capabilities within fusion centers make sense and provides states an important opportunity,” said Michigan Gov. Rick Snyder, co-chair of the NGA Resource Center for State Cybersecurity. “By expanding their role, we protect not only our states’ cybersecurity but the public safety of each of our citizens.”
NGA stated, “States can promote cybersecurity and enhance their capabilities by heightening the importance of cybersecurity as a mission of fusion centers.”
Fusion centers were established in the aftermath of 9/11 to serve as the primary focal points for state, local, federal, tribal and territorial partners to receive, analyze and share terrorist threat-related information. But that role has expanded to include “all hazards” that impact homeland security, including cybersecurity.
Currently there are 78 fusion centers; 53 of which are owned and operated by states and territories.
“Despite elaborate national efforts to share information about cyber threats (National Cybersecurity Information-Sharing Assets), states are not well equipped to contextualize the information they receive and tailor it to meet their own needs,” the NGA’s issue briefing stated.
However, the NGA study concluded that fusion centers can perform this “essential function by providing critical analyses of the cyber threat intelligence they receive and disseminate.”
“In many states, individuals responsible for cybersecurity, such as chief information officers (CIOs), chief information security officers (CISOs), emergency managers (EMs), and homeland security advisors (HSAs), might not have access to the fusion centers, either because they lack the security clearance or are not viewed as having a role,” the NGA report stated.
And this lack of access, NGA found, “bars critical personnel from receiving necessary information and intelligence and impedes a state’s ability to combat new and emerging cyber threats.”
“To remedy that, governors can direct their CIO, CISO, EM, HSAs and heads of state police to create a shared mission that defines roles and responsibilities for using the state’s fusion center to support cybersecurity,” NGA concluded.
Vermont, for example, the NGA report highlighted, “integrated its fusion center into a statewide cybersecurity committee, bringing together the fusion center director, the state’s EM, HSA, attorney general, and CISO to manage a shared cybersecurity mission. The committee meets regularly to discuss challenges and ensure that members are aware of each other’s missions. That design allows state authorities to evaluate system security, effectively implement new policies, and maintain awareness of the evolving cybersecurity threat environment.”
NGA said, “Governors can order an assessment of their state fusion center’s ability to manage a cybersecurity mission. That assessment should identify the actions necessary for implementing the mission. The goal of the assessment is to inventory the state’s assets and capabilities and see which ones can be brought to bear in support of a cybersecurity mission within the fusion center.”
To achieve that goal, NGA pointed out, “governors can direct their CIO, CISO and heads of state police jointly to conduct an assessment of the state fusion center’s ability to manage a range of cybersecurity information and operations.”
An essential step in building cybersecurity capabilities in fusion centers is the development of a business and operations plan, however, NGA said, “that clarifies roles, responsibilities and procedures, sometimes referred to as a concept of operations plan.”
Such a plan, the NGA briefing said, “should include estimates of personnel and other costs needed to support the mission. In addition to those basic elements, the plans should address how the state’s efforts link to the national network of fusion centers and build on sources of critical information within the state, regionally and nationally.”
NGA said that “recognizing the importance of developing effective business and operational cyber practices for fusion centers, the Office of the Director of National Intelligence’s Program Manager for the Information Sharing Environment (PM-ISE), along with the International Association of Chiefs of Police, the Northern California Regional Intelligence Center (NCRIC), DHS and the Multi-State Information Sharing & Analysis Center (MSISAC) launched a pilot project comprising six fusion centers.”
NGA’s issue brief said, “The fusion centers participating in the pilot project are now ‘identifying best practices for sharing cybersecurity information and intelligence among the federal government; state, local, and territorial governments; and the private sector.”
The project — the goal of which is to share these business practices with other fusion centers — highlighted the “importance of establishing a fusion center governance structure with cyber stakeholders and of developing critical policies to integrate cyber into the fusion center’s roader mission.”
To enhance the role of a state fusion center, NGA’s issue brief said a governor can:
- Create a shared cybersecurity mission among homeland security, emergency management, information technology and law enforcement;
- Conduct an assessment of the state fusion center’s capabilities to manage a cybersecurity mission;
- Develop a business and operations plan for the fusion center;
- Implement an outreach strategy to the private sector to identify existing information sharing processes; and
- Establish clear performance measurements for fusion center activities.
“Attacks on critical cyber infrastructure are one of the most serious threats facing the nation, and states must be able to respond appropriately,” said Virginia Gov. Terry McAuliffe, co-chair of the NGA Resource Center for State Cybersecurity. “By implementing these recommendations, governors can effectively use fusion centers as an important asset in this response.”