When someone asked her friend if he'd heard of "this thing called InfraGard," Phyllis Schneck was thrilled. As chair of InfraGard's national executive board, Schneck believes the random question shows that the organization is on its way to fulfilling her ambition for it to become a household name.
Since its inception in 1996 as an FBI pilot project in Cleveland, Ohio, InfraGard has grown into a national entity dedicated to sharing information between private industry and the U.S. government in order to protect the nation's critical infrastructures. InfraGard has around 10,700 members and 79 chapters across the country.
While there have been many changes since InfraGard laid out its strategic plan in 2001 – such as the creation of the Department of Homeland Security (DHS) – Schneck believes the group has moved a long way towards meeting its goals. SC Magazine caught up with her to talk about the group's accomplishments, objectives and challenges ahead.
Back in 2001, much of Infra-Gard's information-sharing strategy revolved around working with the FBI's National Infrastructure Protection Center (NIPC). With the creation of DHS, NIPC last year was transitioned to the Information Analysis and Infrastructure Protection (IAIP) directorate, which is charged with identifying and assessing threat information, issuing warnings and taking protective action. But the FBI and InfraGard's private-sector members worked to keep InfraGard as an FBI program, recalls Schneck. InfraGard's chapters are centered around FBI field offices.
"We didn't want to disrupt the trust and relationships that were being built nationwide," says Schneck, who started with InfraGard in 2000 as founding president of the Atlanta chapter. She was elected national chair in 2002, and was re-elected last June. She says InfraGard plans to receive information analysis from DHS and is meeting with IAIP leaders to "determine the best fit for InfraGard within the infrastructure protection architecture being created."
The creation of DHS hasn't affected InfraGard's operations, maintains Schneck, who has a Ph.D. in computer science. "The migration of NIPC over to DHS IAIP has opened up a whole new world of opportunity," she says. "It's giving us the opportunity not only to reach so many others, especially in the small and medium businesses that other organizations don't reach, but it's also causing everyone to rethink how this model should look and say 'let's build it from the ground up the right way'."
From the FBI's perspective, the shift of NIPC to DHS was a huge change, but not one that altered InfraGard's basic mission, comments Brett Hovington, FBI supervisory special agent and InfraGard program manager.
"If anything, it's broadened the InfraGard mission," he says, describing how its early emphasis on cyberthreats grew to encompass physical threats after the September 11 attacks. "Now people are looking for attacks on their buildings as well as their system networks."
InfraGard is also working with other agencies, such as the National Cyber Security Division's US-CERT within IAIP and the U.S. Secret Service Electronic Crimes Task Force. "We're focusing on how we work with the different agencies, so we can truly define working together," says Schneck. "Many people use the phrase 'working together,' but we are actually trying to do it." She adds that InfraGard is a pioneer in private- and public-sector collaboration.
Patrick Morrissey, assistant director for law enforcement with the National Cyber Security Division in DHS, says increased cooperation and information sharing across existing federal infosec programs is a major theme of the National Strategy to Secure Cyberspace.
"InfraGard is one important venue where people are collaborating and sharing dialogue on cybersecurity issues," he says. "Good relationships already exist between InfraGard, the FBI and NCSD and we're optimistic that we'll continue increasing our collaboration with InfraGard and a wide variety of public and private-sector venues for information sharing and collaboration."
The size and demographics of InfraGard's membership have put it in the ideal position to achieve the goal it set out in 2001 of becoming the designated private-sector group to partner with the government on information sharing, contends Schneck. The volunteer organization's membership has more than doubled in the past three years.
"InfraGard is the only private-sector organization with outreach that ranges from Fortune 500 executives to medium and small businesses," she says. "The smallest companies can be aware of the largest vulnerabilities and InfraGard is able to reach them while others do not. Our membership demographics span all critical infrastructure sectors and all company types and sizes, making InfraGard an excellent information gathering and dissemination mechanism."
What's more, with members required to pass an FBI background check, InfraGard is the only organization to have a vetted membership, claims Schneck. This fosters the trust that's needed for divulging data about infrastructure threats and vulnerabilities.
She's proud of the information sharing that's happening at the local level, but adds that there is room for improvement. "It means constantly adding value and evolving with the different needs and organizations in Washington."
For InfraGard members, the vetted status and local chapter meetings are keys for overcoming reluctance to talk about security incidents. "The beauty of these meetings is you get to meet these people face to face," says Don Withers, founding president of the Maryland chapter. "You create a relationship with them, you know who they are... Then you start to share information you might not have shared otherwise. People still hold things a little close to their vest, but we're trying to open that up."
What might look insignificant on its own – such as attacks on a company's web server – might collectively paint a bigger picture, says Withers, CEO of TheTrainingCo., a provider of security training and conferences. "That's what the FBI is looking for – advance information." He adds that the FBI can help by imparting what it's seen.
Joseph Concannon, president of the New York City Metro InfraGard Chapter, and a retired New York police captain, says the goal is "to set up a communications mechanism that reduces the anxiety level on both sides, the private and public." Hence, chapter meetings feature law enforcement officials from a range of agencies. From his 22 years with the NYPD, he knows that communication is essential in crime prevention.
"If you really enhance communications, if you get timely and accurate information out to people, you can do some amazing things with it... If we can engage the community and corporate America to get involved in this program, we can do a lot to protect our national infrastructure," he concludes.
For the FBI, InfraGard has allowed members to meet FBI agents and feel comfortable calling them about many issues, states Hovington.
The San Francisco Bay Area InfraGard chapter – which has nearly 300 members – meets quarterly and has greatly expanded its members' professional networks, says Jeff Klaben, chapter president and senior manager of enterprise architecture and global information security at Applied Materials. He's met with DHS Secretary Tom Ridge and says InfraGard has the ear of other DHS officials. "I think they've got a respect for the grassroots element of the organization. They know these are the folks who are actually confronting the problem on a daily basis," he says.
Schneck has done a good job in establishing connections for InfraGard in Washington, D.C., observes Klaben, adding that she serves as a role model with her high level of energy and commitment. Withers also praises Schneck's leadership, which he says provided much-needed stability during NIPC's transition to DHS.
In addition to shepherding InfraGard through a changing federal landscape, Schneck also led InfraGard's global efforts, travelling with Hovington to Tokyo last year to address the Japanese government on information sharing.
Looking forward, Schneck says InfraGard plans to reach out to more small and medium businesses and make sure that it has its organizational structure in place in order to establish partnerships with other agencies. Another high priority for the group is information exchange with DHS and the various industry sector Information Sharing and Analysis Centers (ISACs).
Challenges on the road ahead
There are plenty of challenges ahead for InfraGard, acknowledges Schneck. She acknowledges that setting up an architecture so 10,000 people can get timely and accurate information while maintaining the integrity of the organization – "letting it grow big enough and yet keeping it a special population" – is no small task.
InfraGard – which is incorporated as a non-profit organization on its private-sector side – also needs to tackle funding and is looking to both the private and public sectors. Currently, it receives support from the FBI, including an information infrastructure that provides members with services such as VPN access to a secure website, the participation of agents who serve as InfraGard coordinators, and a small budget for the national board.
Local chapters, many of which have incorporated as non-profits, have received support from private firms. Nationally, InfraGard plans to announce its first corporate sponsorship and launch a campaign for additional sponsorship.
With so many groups focused on critical infrastructure protection and information sharing, marketing is another challenge, says Schneck. "We are very, very different," she asserts, adding that InfraGard strongly discourages vendor sales pitches at meetings.
Meanwhile, the ISACs differ from other groups because they've developed a 24x7 system to communicate with each other on cyberthreats and infrastructure vulnerabilities, says Pete Allor, director of operations for the IT-ISAC and director of X-Force intelligence at Internet Security Systems.
"InfraGard is a great networking community," says Allor, who is a member of the Atlanta InfraGard chapter. "You get to meet a lot of people in your local area. The contrast would be that they're not as operationally focused as we are [ISACs]. They are very local... We are communicating to each other so that's sector-to-sector in a very timely manner."
The ISACs also have a means to communicate with the federal government, but aren't centered on a government agency like InfraGard, he notes. The ISACs are broadening their reach to smaller companies.
For the federal government – aside from the FBI – the ISACs probably have a stronger role than InfraGard, says Michael Rasmussen, an analyst at Forrester Research. Still, he's impressed by the organization's survival. "It's going strong. I thought it was going to fail through all the transitions that happened with DHS, but it seems like it's still moving forward," he says.
Given that InfraGard was an FBI creation and the FBI kept it when NIPC moved over to DHS, the organization has succeeded in being a good source of information for the FBI, says Alan Paller, director of research for the SANS Institute.
But Steve Crutchley, CSO at consulting firm 4Front Security, says he doesn't think institutions like InfraGard are very effective overall: "Since I've been here in the U.S., I have not experienced or seen collaboration between private and public-sector agencies... of any substance."
Rasmussen notes that much of InfraGard's value comes from its local chapters – there are excellent chapters but he's also heard of weak ones.
Some InfraGard chapters have fallen by the wayside then come back, mainly because of the difficulty in putting together meeting programs, believes Paller. The challenge for the chapters is to continually have interesting meeting content that draws people.
"You start to run out of topics. What you get are vendors and consultants who are hungry for a chance to talk to potential clients. One time, that's OK, but if you run out of great users to talk and you get these guys who are trying to sell the audience something, you start to lose the wonderful energy that comes from these kinds of meetings," warns Paller. He adds that InfraGard is very successful when "users get together and share stories about things they're learning."
Many InfraGard members are driven by a strong sense of patriotic duty. Pete Lindstrom, analyst at Spire Security, observes that people involved in InfraGard are happy with the organization and eager to participate. A Philadelphia-area InfraGard meeting he went to in January drew a crowd of 200.
"There were a lot of folks wanting to do their patriotic duty, who are concerned with terrorists, particularly how terrorists might leverage the communications infrastructure of computers," he recalls.
Patriotism runs deep in Schneck's family, too – one of her first memories was when her family moved to New York from Maryland in July 1976, and her father rushed out to buy a television so she could watch the Bicentennial parade. "I believe in InfraGard – in the tremendous capability and responsibility of the private sector to work with the government to collectively protect our infrastructure, our country," she declares, adding that working with the group is an honor and has been one of her most rewarding experiences.
Explaining why he donates his time to InfraGard, Withers of the Maryland chapter says: "I do it because I'm American, and I feel like if you're in this business, you need to be a good corporate citizen and you need to be a good citizen in general."
Security boils down to implementing a culture in business – one that views security as a business enabler and assigns companies responsibility for protecting their assets, advises Schneck.
"Homeland security is going to help with that by providing as much information as it possibly can, but it really is up to us in the private sector to use that information and to help [DHS] help us," she says. "That's why we're working so hard to work together. Look at the 10,000 members. We're all volunteers. The time is put in there because we know how important this is."