Last year during Mardi Gras, a local parish’s sheriff’s department contacted the Louisiana State Analytical and Fusion Exchange (LA-SAFE) to ask for help. Its phone lines were being flooded with 200 calls per minute, leaving its 911 call center and dispatch unit unable to make or receive calls. Every time someone answered the phone, the callers demanded payment for a bogus debt.
LA-SAFE compiled an advisory with all the facts about the telephone denial-of-service attack and pushed it out to its national network of municipal agencies, critical infrastructure, private businesses, federal law enforcement and other fusion centers.
“Immediately, we started getting hits back from all across the country saying, ‘Oh, yeah, we saw this too,’” recalls LA-SAFE Director Capt. Chuck McNeal. None of the victims had reported it, though, because they thought theirs was an isolated incident. “So one parish reaching out to us and sharing what happened to them allowed us to identify a threat to the entire nation.”
With about 500 such attacks identified across the country, a national task force has since been created to aid victims and find those responsible. It’s just one of many cases that illustrate the value provided by the cyberprograms at state and regional fusion centers. Formed in 2009 to respond to the fast-spreading Conficker worm, LA-SAFE’s cyber division is one of the oldest of its kind in the nation. At a time when the U.S. Department of Homeland Security warned of rising cyberconcerns nationwide, leaders recognized the need for local coordination of cyberthreat analysis and sharing.
“We did a great job after 9/11 on the physical threats that may lead to a terrorist event,” says Mike Sena, president of the National Fusion Center Association and director of the Northern California Regional Intelligence Center (NCRIC). “We know what to do if someone pulls out a gun and shoots at someone, but we don’t really know how to respond when somebody tells us, ‘Hey, my bank account was hacked.’”
Of the 78 state and local fusion centers, about half now have cybercomponents whose primary function is to gather and share information about online threats. Many formed in response to the National Governors Association’s recent call to secure critical infrastructure systems — everything from banks to dams to the electrical grid.
“Protecting critical infrastructure is job one,” says Shawn McCarthy, research director for IDC Government Insights. There are government sites that are hit hundreds or even thousands of times a day by hackers, he says. “Just understanding what’s happening and picking up on patterns is helpful.”
The biggest challenge facing fusion centers has been gathering data in an age of heightened concern about privacy. “Because of the sensitivity of the information, you have to build trust. Everybody gets suspicious, and rightfully so,” says McNeal. “They don’t want us sniffing around in their network.”
But that trust is central to LA-SAFE’s mission. “We can’t sit here in a vacuum and collect information,” says McNeal. “If they don’t report it to us, we won’t know about it.”
So LA-SAFE’s cyberunit initially spent the bulk of its time working to gather and share useful information with businesses, law enforcement agencies and critical infrastructure facilities (ports, refineries, plants) to show that the unit was committed to helping them. “It was word of mouth and literally knocking on doors,” says McNeal. “We’re a traveling sales team.”
Eventually, local businesses and agencies began telling LA-SAFE about what they were seeing on their networks. That enabled LA-SAFE to pick up on patterns locally and report them to fusion centers around the country and federal partners such as the FBI, the Secret Service and DHS, rather than just consuming information.
Not only does that cycle of national and local data alert entities to the threats out there, but it helps them understand them. “Is it an isolated attack on a specific sector or network, or is it Internetwide with no target?” poses McNeal. “That determines how we approach an investigation.”
The national network of fusion centers is also helpful for agencies such as LA-SAFE, which have limited staff and resources. Like many other fusion centers, they rely on the Cyber Intelligence Network (CIN) for additional expertise.
Consisting of about 200 allied federal, state and local public-safety agency partners, CIN includes personnel from among 2,100 fusion center employees around the country. It supplements and supports the work they do and provides expertise that smaller fusion centers need to keep their communities safe. Members collaborate on a daily basis. “If they see a trend, they’re the ones communicating with each other and developing joint products that they can distribute nationally,” says Sena.
Such partnerships have fueled the fusion centers’ growing knowledge base. The New York State Intelligence Center (NYSIC) has been operational since 2003, but it just launched its cyberanalysis unit in January to serve law enforcement customers and protect critical infrastructure. Because it colocated a few months earlier with the Center for Internet Security (CIS) in East Greenbush, N.Y., where the Multi-State Information Sharing and Analysis Center (MS-ISAC) is also housed, the fusion center has gained access to information, expertise and best practices from these agencies, which serve other public entities. “Their monitoring capabilities are fantastic,” says New York State Police Capt. Robert J. Poisson, who took over as director of NYSIC in November. “We rely on them to pull back the curtain.”
Tools of the Trade
NCRIC’s Sena emphasizes the importance of having the right tools to combat cyberthreats. His center purchases commercial products such as firewall monitoring tools and honeypots.
In addition to adding servers to support increased data collection, LA-SAFE has created homegrown tools that it shares with other state fusion centers. For instance, one program collects data from multiple sources, converts it to a unified format and flags areas of interest for analysts. Another strips identifying information from records to protect the privacy of those who report incidents.
One of the biggest technology challenges for fusion centers is data integration: collecting files from various systems, converting them between machine-readable and human-readable formats and providing some consistency to the data.
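An added example (not LA-SAFE’s or any fusion center’s own code) of the normalize-and-redact pipeline described in the two paragraphs above: two constructed report feeds in different formats are converted to one schema, the reporting organization is replaced by a keyed hash so analysts can still tell two reports apart without knowing who filed them, and a category seen from several regions is flagged, the pattern that turned one parish’s telephone denial-of-service report into a national picture. The key, field names and sample records are assumptions.

```python
# Added example: normalize incident reports from two differently formatted
# sources into one schema, pseudonymize the reporting organization with a
# keyed hash, and flag an attack category that appears across several regions.
import csv
import hashlib
import hmac
import io
import json
from collections import defaultdict

# Constructed sample inputs: one JSON feed and one CSV export (not real reports).
JSON_FEED = json.dumps([
    {"org": "Parish A Sheriff", "state": "LA", "category": "telephone DoS",
     "detail": "200 calls/min, bogus debt demands"},
    {"org": "County B 911 Center", "state": "TX", "category": "telephone DoS",
     "detail": "dispatch lines flooded"},
])
CSV_EXPORT = """reporter,region,type,notes
City C PD,OH,telephone DoS,call flood with payment demands
Utility D,LA,phishing,credential lure sent to operators
"""

# Hypothetical per-deployment secret; a real deployment keeps it out of the code.
PSEUDONYM_KEY = b"example-key-rotate-me"

def pseudonym(org):
    """Replace an organization name with a stable keyed hash (HMAC-SHA256)."""
    return hmac.new(PSEUDONYM_KEY, org.encode(), hashlib.sha256).hexdigest()[:12]

def normalize(json_text, csv_text):
    """Convert both source formats into one record shape with identity stripped."""
    records = []
    for r in json.loads(json_text):
        records.append({"reporter_id": pseudonym(r["org"]), "region": r["state"],
                        "category": r["category"].lower(), "detail": r["detail"]})
    for r in csv.DictReader(io.StringIO(csv_text)):
        records.append({"reporter_id": pseudonym(r["reporter"]), "region": r["region"],
                        "category": r["type"].lower(), "detail": r["notes"]})
    return records

def flag_widespread(records, min_regions=2):
    """Flag categories reported from at least `min_regions` distinct regions."""
    regions = defaultdict(set)
    for r in records:
        regions[r["category"]].add(r["region"])
    return {c: sorted(s) for c, s in regions.items() if len(s) >= min_regions}
```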
The National Fusion Center Association is working on a pilot with six fusion centers and several federal partners, including the White House’s Program Manager for the Information Sharing Environment, the FBI, DHS, CIS and the International Association of Chiefs of Police, to develop a fine-tuned reporting mechanism that can be used by agencies around the country.
There are 18,000 law enforcement agencies around the country, says Sena, and while there aren’t quite as many records management systems, “there are a heck of a lot more than we probably need in the world, and they don’t all talk to each other,” he says. “That lack of unification is what the folks who want to cause us harm take advantage of.”
From the FBI and Secret Service to regional computer forensic labs and 18,000 law enforcement agencies nationwide, plenty of organizations deal with cybercrime. The fusion center’s role is not to duplicate their efforts, but to support them.
In addition to collecting and disseminating data about cyberthreats, fusion centers serve as triage centers, directing public and private entities to the agencies that can help them.
“The biggest complaint from private-sector people is they don’t know who to call,” says Mike Sena, president of the National Fusion Center Association and director of the Northern California Regional Intelligence Center. “We have connections to everyone. And although we can’t solve everyone’s problems, we can find people who oftentimes can help them.”
Fusion centers also work with other state departments and local law enforcement to build their knowledge. For instance, the Michigan Department of Technology, Management and Budget disseminates interactive computer training videos to make state employees aware of the types of cyberattacks that could victimize them or their colleagues. In addition to outreach and education, fusion centers spend a lot of time on prevention. For instance, the Michigan Cyber Command Center (MC3) might go out to a power company and perform vulnerability testing on its network, says MC3’s Commander, 1st Lt. James Ellis.
The state also has the Cyber Range in Ann Arbor, where partners can simulate cyberattacks by inserting malware and viruses into systems. They have created an entire town, complete with a power grid, hospital and city hall, to prepare for real-world attacks that could take place at businesses or critical facilities.