Why is Kristi Noem asking governors to build SCIFs?
Homeland Security Secretary Kristi Noem has been clear about her vision for the future of the Cybersecurity and Infrastructure Security Agency. It includes no work policing disinformation, a stronger focus on protecting critical infrastructure and a considerably smaller budget.
Less clear, though, was why at a cybersecurity conference in San Francisco last month she mentioned new work with governors to establish sensitive compartmented information facilities, better known as SCIFs. “The quicker we can set up communications, the better,” Noem told the RSA Conference.
As highly secure rooms designed to prevent surveillance of the government’s most sensitive materials, SCIFs are considered a generally reliable way to limit information leaks. But some analysts and former state officials questioned whether there was any call for such a tool in state governments that need a way to quickly share information about emerging cyber threats.
In a letter sent last month to Connecticut Gov. Ned Lamont, Noem recommended he “put in” a SCIF for the purpose of communicating securely with the federal government during emergencies. She also asked him to purchase and “regularly travel with” a satellite phone “to ensure you have a reliable mode of communication from any location.”
“While there is no federal funding available for this, this is a need for secure communications and something every state should have access to,” she wrote in an April 7 letter obtained by StateScoop.
Other states received similar letters. The Department of Homeland Security did not respond to requests for additional information about its recommendation that each state house a SCIF.
Several states contacted for this story, including California, Connecticut and South Dakota, told StateScoop they already have SCIFs, some operated by their law enforcement agencies. A spokesperson for South Dakota Gov. Larry Rhoden, who was Noem’s lieutenant governor until he replaced her last January, said he supports her SCIF initiative and is “working with his cabinet on overall infrastructure resilience that may add additional locations in the future.”
‘Might not be the best method’
Erik Avakian, a former chief information security officer for Pennsylvania, said states that have National Guard units inside their public safety departments are especially likely to have SCIFs. He said the facilities are sometimes used for sharing sensitive cyber intelligence, but noted that not all IT security information requires such a highly secured environment.
“In fact, it is widely known that most cyberattacks require immediate response and remediation,” Avakian, who now works for Info-Tech Research Group, wrote in an email. “Information related to such attacks could be relatively simple (e.g., a phishing source IP address). An argument could be made that a SCIF might not be the best method for sharing these types of incident response-related information between states, which generally require a timely and rapid approach. A SCIF may also not be in a physical location that is in close proximity to cyber analysts needing to respond to cyber incidents.”
Until recently, states had a well-funded and effective method of sharing cybersecurity threat information through a channel authorized by the federal government. The Multi-State Information Sharing and Analysis Center, which in March lost more than $8 million of its federal funding, and the Election Infrastructure ISAC, which in February lost all its funding, were universally popular among state and local cybersecurity officials who needed extra support for protecting their networks and election systems against adversarial nation-states and ransomware gangs. The MS-ISAC continues to provide services thanks to gap funding provided by its operator, the Upstate New York nonprofit Center for Internet Security.
Avakian said the MS-ISAC has over the years enabled government organizations to share timely security information “extremely well.” He pointed to its use of the Traffic Light Protocol, which allows users to set sharing restrictions on information, without the need for a SCIF. But he suggested that, still, it’s possible SCIFs could be given a useful role in states’ information-sharing schemes.
“There could be an opportunity to establish additional mechanisms for Real-Time Threat Sharing and Response,” Avakian wrote. “Secure Facilities could provide the capabilities to provide a way to share information related to rapid operational response to active cyber threats through secure communication with DHS and CISA without the need for classified designation.”
‘Reinventing the wheel’
Justin Miller, a University of Tulsa associate professor who led electronic crimes task forces and breach investigations for the Secret Service, said Noem’s suggestion illustrates that the Trump administration is “kind of doing things backwards” on cybersecurity.
“If they were going to build a secure communication network, CISA would be the group that I would be using to make that happen,” said Miller. “But they just cut all that funding. You need all that expertise that’s sitting in CISA.”
Waves of cuts and staff reassignments at the Department of Homeland Security have in recent months led to disorganization among some of its units and stimulated confusion among many of the state and local agencies that have relied on its cybersecurity division. In February, CISA cut about 130 employees from its staff of 3,300, and has continued to make cuts. DHS won’t share the current total of cut positions, a figure thought now to be much larger.
Without federal support, states would have to establish their SCIFs alone, but Miller predicted that some won’t have the expertise to establish the facilities recommended by Noem, and that they may need to rely on regional fusion centers or local law enforcement offices in hopes of finding someone with specialized knowledge.
“It’s like we’re reinventing the wheel,” Miller said. “We already have the wheel and know how it works. Maybe we use our current expertise to make the wheel better, instead of rebuild it from the ground up.”
Unclear purpose
Bradley P. Moss, an attorney who specializes in national security and federal employment issues, said states with major metropolitan areas typically have SCIFs. Illinois has one because it has Chicago. California has one because it has Los Angeles. But he said he doesn’t know why the head of DHS would give states such a directive.
“There’s an obvious and legitimate reason for the federal government to coordinate on some aspects of intelligence information with particular states, possibly all of them,” he said. “A certain group of them in particular bear the highest level of risk of external forces, whether it’s a terrorist group, whether it’s private espionage, things like that. But what is not clear in terms of what DHS is indicating now is if they’re trying to sort of delegate the actual power and enforcement authorities to those states to do something, as opposed to keeping them in the loop and coordinating joint efforts.”
Moss speculated that the SCIFs might not be about cybersecurity at all. They could be part of a plan by the Trump administration to push more law enforcement duties to the states. The number of local law enforcement agencies to have been deputized by Immigration and Customs Enforcement under section 287(g) of the Immigration and Nationality Act has grown precipitously in recent months. The 133 law enforcement agencies in 21 states that had been deputized before Trump’s second presidency began has grown to 300 agencies in 38 states, as of Wednesday.
“If they’re using this as a means to simply go after non-criminal illegal immigrants, that gets a little fuzzier on how it is handled legally,” Moss said. “There are certainly things the federal government can do in that context, but it can’t commandeer the states to make them take on federal functions at the same time. That gets into the anti-commandeering doctrine. That gets into 10th amendment, stuff like that.”
‘Make America safe again’
In tandem with her more controversial cyber policies, like cessation of the federal government’s anti-disinformation work, Noem has also voiced strong support for states’ efforts, always with a dash of Trumpian flair. In her letter to governors, she remarked that she “look[s] forward to fostering great relationships with partners such as yourself so we can make America safe again.” During a fireside chat at the RSA conference, she remarked on the federal government’s “responsibility” to support states, but warned that departments like hers can’t “solve every single person’s problems.”
“There is millions of endpoints of information that a state holds and many times states don’t have the money to invest in protecting those systems,” Noem said at RSA. “That’s really where CISA can play a big role in helping to support that.”
But the secretary’s supportive messaging has been consistently at odds with the Trump administration’s continued cuts to cybersecurity programs that benefit state and local governments. In addition to cuts to EI-ISAC, MS-ISAC and CISA more broadly, the future of the $1 billion promised by the State and Local Cybersecurity Grant Program, defined by the 2021 Infrastructure Investment and Jobs Act, is also threatened by the current administration, despite widespread pleas from states not only to see the program through its four-year obligation, but to make it a more permanent funding source.
One former senior intelligence official said they found Noem’s letter confusing because it sounds like the SCIFs are intended for governors’ personal use.
“That’s not the way I’d expect law enforcement and national security communications to travel most efficiently,” said the former official, who agreed to speak on the record on the condition of anonymity. “Typically these would go from law enforcement to law enforcement agency, and usually there are established channels set up for that to happen, whether it be through joint terrorism task forces or other mechanisms.”
The former official said the usual method of sharing sensitive information is for a federal agency like the FBI or CISA to downgrade it so it can be passed on in an unclassified form, a practice the former official said “works pretty well.”
“Is there a need to be able to share classified information? And if so, is the governor the right person to share that information with, to which I’m pretty clear the answer is no,” the former official said.
SCIFs have specially shielded walls designed to prevent snooping, they lack communication channels like internet connections and even the officials authorized to enter aren’t permitted to bring devices that could be used to sneak out information. The idea is to completely wall off information that’s so sensitive it could threaten national security if placed in the wrong hands.
SCIFs, said Moss, the national security attorney, are overkill by design.
“I had a client who led a three-person office and their entire workday every day was inside a SCIF that was the size of my first studio apartment,” he said. “It was like 400 sq. ft. and it had four people in there. It was very claustrophobic, but everything they did was so sensitive each and every day that they had to remain in that room to perform that work.”
Inconvenient but secure, maybe SCIFs are part of a future model of cyber information sharing DHS has in mind. Or maybe they’ll just support Trump’s project of deporting immigrants. Moss presented a third possibility.
“I candidly don’t believe anything Kristi Noem says in terms of competence or coherence,” he said. “I don’t think she has a clue what she’s doing.”
