DHS utility, manufacturing security protection system blasted as useless in Senate report

Senate report says DHS Fusion Centers failing in mission to identify possible terrorism, cyberattacks

America's system of so-called "Fusion Centers" established by the Department of Homeland Security (DHS) for companies like utilities and manufacturers to report incidents that may have national-security implications is operated in a way that's "shoddy, rarely timely," and "sometimes endangering citizens' civil liberties and Privacy Act protections."

MORE: Who holds IT security power? 

BACKGROUND: America's critical infrastructure response system is broken

Those were the exact words in the report issued last night by the U.S. Senate's Permanent Subcommittee on Investigations that looked into how the roughly 70 state and local Fusion Centers have operated since 2003 when these centers were set up in the hopes of information-sharing between the private sector and government on suspected terrorism or cyberattacks.

According to the report, the DHS overstated "success stories" and kept problems quiet. The Senate subcommittee's review of 13 months of reports that came from the Fusion Centers found none of them uncovered a terrorist threat or did anything to help disrupt an active terrorist plot.

Instead, the investigation says it found that nearly a third of all the Fusion Center reports of that period - 188 out of 610 - were never published for use within DHS and by other members of the intelligence community, "often because they lacked any useful information, or potentially violated department guidelines meant to protect Americans' civil liberties or Privacy Act protections."

The report accuses DHS of storing "troubling intelligence reports" from the Fusion centers on people in the U.S., "possibly in violation of the Privacy Act."

Moreover, the Senate subcommittee says the Fusion Centers, which are in part federally funded, "suffered from a significant backlog." In which sometimes hundreds of draft intelligence reports sat for months before DHS officials made a decision about whether to release them. Many reports were published months late, and even a year after they were filed — making the information appear out-of-date. Most reporting was not about terrorist or possible terrorist plots, but about criminal activity related to drugs, cash or human smuggling.

Last year, the role of the Fusion Centers erupted into the mainstream news in a storm of controversy over a supposed Russian cyberattack on a small Illinois water utility that was included in an advisory from the Fusion center called the Illinois Statewide Terrorism and Intelligence Center.

Though the Fusion Centers strive for absolute silence from anyone receiving the reports, that alleged Russian cyberattack information was initially leaked by a consultant in a blog who had happened to have read it as it was passed along to him. That whole incident at the Illinois water utility turned out to be a false alarm of embarrassing proportions. The supposed Russian cyberattack turned out to be a legitimate contractor who happened to be on vacation in Russia with his family who unwisely logged into the Illinois utility's network from there without informing the utility.

The Senate subcommittee report also criticized some purchases made at Fusion Centers using DHS grant funds, noting that buying "dozens of flat-screen TVs" and "sport utility vehicles" which were given away to other agencies seemed to be unrelated to the mission of a Fusion Center, though DHS said they were allowed.

The Senate report also said interviews directly with some DHS officials did lead to admissions from them that a lot of the reporting was "predominantly useless information" and "what a bunch of crap is coming through."

The Senate report faulted the Fusion Center system for weak training before sending individuals to handle sensitive domestic intelligence and also that officials who routinely authored useless or potentially illegal Fusion Center intelligence reports faced no reprimands.

According to the report, DHS was unable to provide an accurate tally of how it actually granted to states and cities to support Fusion Centers, though came up with estimates that ranged from $289 to $1.4 billion from 2003 to 2011.

The Senate subcommittee report — which also pointed out Congress has to accept its responsibility for the weak system of Fusion Centers and dubious intelligence reporting — recommended that Congress and DHS look afresh at the basis for the Fusion Centers in light of the investigation into it.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.

Copyright © 2012 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022