Information Sharing and Analysis Organization (ISAO) Workshop.
This is an audio file.
MIKE ECHOLS: Okay. Good morning. Like all good security meetings, we need to have a security briefing before we start. So if you could give your attention, we’d appreciate it.
VOLPE STAFF: More of an announcement than a briefing. So my name is Carolee Dresha [ph]. I’m Chief of Safety and Security here at the VOLPE Center, so welcome.
Just real quick, there are three emergency exits from this auditorium, one in the back where you entered and one on each side of the auditorium. If you’re disabled, please use the one in the back—these two have stairs—as you exit. In the event of an emergency, you need to exit, please, you know, obviously closest exit and away from the building as far as possible.
When it comes to lunch, there is a coffee shop on the first floor. There’s also a cafeteria on the second floor you’re permitted to use, and obviously, there’s many options across the street. You will be rescreened when you come into the building, but just keep your name tags with you.
Great. Have a good day.
MIKE ECHOLS: Okay. Good morning. Welcome to the ISAO Workshop. We’re happy that you could attend, finally. All right? We’re here to talk about Executive Order 13691. The executive order was put out on February 13th, 2015. It occurred. We’re moving forward. It provides us an opportunity to create a new paradigm for information sharing. What that will look like is highly dependent on the input that you provide, okay?
My name is Mike Echols. I am the National Coordinator for this effort, but I’m also the JPMO Director at Department of Homeland Security, and I have information sharing programs.
Today, we are going to give you some updates on where we are with this process and this project. You are going to hear from some speakers, but the most important aspect of today is your participation. I mean, I look around the room; this is the Who’s Who of information sharing. Most of you in your organizations, I’ve dealt with you for years. You are the right people to help us figure out the path forward.
So we will be in this auditorium until noon. Lunch break is at 1 p.m. There’s a 15-minute grace period after lunch, 12 to 1. We’d like everybody to be back and ready to go at 1:15. You’ll see that in your programs.
Logistics. The bathrooms are right outside of this room here. Please feel free to very quietly move about as you need to.
Our goals for today, we want to spark the type of conversation that needs to occur to advance this opportunity, and I call it an “opportunity” because, in my opinion, the more individuals that we bring into this cybersecurity game, the greater opportunity we’re going to have to win it, okay?
We want to explore some general concepts, models, opportunities. We want to understand the challenges, okay? The idea is not to demean the executive order. It exists, it is, and we’re moving forward. The idea is to understand the challenges that we need to overcome to make it live, to make it sync [ph].
We want to take a deep dive into some subject areas through our breakout sessions, and we want to use the data. We’re going to create a white paper. We’re going to have another session, which I’m going to announce in a minute, at the end of July. From those two sessions, those white papers will be provided to the standards organization. All right.
So relative to our process, the executive order was stood up in February. It instructs us to create a standards organization. That procurement has been put out. I believe it closes on the 17th of July. In that procurement, organizations and entities will advise us as to how they would go about meeting the requirements that are in that procurement. It’s on http://www.grants.gov. It’s a cooperative agreement. I think it totals to $11 million.
The next session will be in July, in the last week. It’s going to be at San Jose State University, and you will be receiving information on that.
I need to advise you all that all conversations that occur in this auditorium will be recorded. They will be put on our website for the public and people who could not make it here so that they will have the opportunity to hear those conversations, all right? We do not intend to put out a list of the names of the people that attended today. If you do not want the name of your organization or entity on a list that we will release, you can opt out. You have a week to send to ISAO@hq.dhs.gov and advise us that you do not want your name or your entity listed there. That’s from my Privacy Officer, okay?
Any question with any of that?
[No audible response.]
MIKE ECHOLS: All right. So without further ado, I’m going to bring up Mr. Ben Flatgard. He is going to introduce our speaker this morning, General Touhill. Ben serves as the Director of Critical Infrastructure and Information Sharing on the National Security Council. Introduce yourself. He’s new to that role. In this capacity, he is responsible for developing policy that will enhance cybersecurity and critical infrastructure and increase the effectiveness of cybersecurity information sharing.
Prior to joining the NSC staff, Ben served as the Senior Advisor of Cybersecurity Policy and Strategy at the U.S. Department of Treasury, Department of Commerce, and the White House. And as Ben comes, the last thing I will tell you is tweet #ISAO. We’re monitoring that. Any insight, any issue, any problem, any idea that pops up from something that’s being said, we want to hear it. So we ask you to tweet, okay? If you’re fumbling with your phone, make it count. Thank you.
BEN FLATGARD: Thanks, Mike. Appreciate the opportunity to be here with you all today. Good morning. It’s great to be here at the VOLPE Center in particular, which advances public-private partnership and seeks to advance learning in all modes of transportation, though given the looks of Boston traffic this morning, there’s a lot of work to be done in that field.
We won’t spend any time on that today, but we will talk about cybersecurity, and particularly, we’ll talk—and I want to spend a few minutes just highlighting the framework that the President has laid out here, which lays the groundwork to create public-private partnerships, importantly, around the field of information sharing and cybersecurity.
So President Obama has been focused on this since the beginning. Back in 2011, you will remember he issued his first executive order on cybersecurity, EO 13636, which amongst other things laid the groundwork and created the NIST Cybersecurity Framework. Just this past February at the White House, the first-ever White House Cybersecurity Summit, President Obama signed Executive Order 13691, which as Mike said started this whole trend toward Information Sharing and Analysis Organizations. The executive order lays out a framework for expanded information sharing, which is designed to help private sector companies work together and work with the Federal Government to quickly identify and protect against cyber threats. The purpose of this order is to create a foundation upon which different communities can and will self-organize. The EO encourages the development of Information Sharing and Analysis Organizations (ISAOs) to serve as focal points for cybersecurity information sharing and collaboration.
Let me tell you four key things that we really hope to accomplish with this EO. First, we hope to make it easier for companies to trust each other when sharing information, private to private, which will expand, hopefully, the scale and pace of information being shared. Second and perhaps most importantly, ISAOs can facilitate information sharing across sectors, from ISAO to ISAO, and regions, preventing information sharing siloes. Third, they provide a partnership structure for DHS and the government to connect with the private sector and to increase the trust and the sharing of information between the government and private sector entities. And last, ISAOs set the stage for future legislation, making key steps, like providing target liability protection, for information sharing more attainable.
Now, established Information Sharing and Analysis Centers should not view these new organizations as competition. In fact, it’s just the opposite. We will continue to look to ISACs to provide standards and best practices that will help new organizations benefit from their long history and their significant lessons learned, and as new organizations come online, the entire community should benefit from greater quantities as well as greater qualities of information. Like any maturing ecosystem, established players may, in fact, also find new innovations from new entrants.
So as we continue to work and as you particularly continue to go out and work to enhance information sharing and unite communities through ISAOs, we in the administration are going to continue pressing on Congress and working with them to make sure that we advance information sharing legislation. The administration remains committed to striking that careful balance between facilitating information sharing and protecting privacy as well as civil liberties. We have been dedicated to working with Congress to craft legislation that reflects that balance and at the same time can pass both houses of Congress. There’s no doubt that the thoughtful approach taken recently in both houses and by both parties significantly increases the chances that we can pass an information bill soon, which the President can actually sign, and we look forward to that.
So we recently supported two House bills that passed with bipartisan support. Both bills do have pieces that we’ll continue to work on, and particularly as these bills move to the Senate floor and the Senate takes up its own version of that legislation, we’ll work very closely to make sure that we can get this to the finish line. So we’ll have a busy summer in Washington to make sure we get this done. I look forward to having a busy day with you all talking about information sharing and ISAOs.
Without any more time, I’d love to introduce General Greg Touhill. General Touhill has had a very distinguished U.S. Air Force career and recently—well, I guess not so recently anymore—Greg has joined the Department of Homeland Security as a really key leader in information sharing and cybersecurity as the Deputy Assistant Secretary there. So, General Touhill?
Keynote: Future of Cyber Threat Information Sharing
Brig Gen GREGORY TOUHILL: Thanks, Ben. Well, good morning, everybody. Happy Tuesday. I’m sure you’re as disappointed as I am that our team scheduled this activity when the Red Sox were not in town.
Brig Gen GREGORY TOUHILL: Well, I thought that would elicit a little bit more reaction. Gee whiz. Did everybody get enough caffeine this morning? Anybody missing caffeine need to get a couple slugs of coffee? If you do, please feel free to go outside the room and enjoy your caffeine.
Today, what I’d like to do is I’d like to give you both an educational and informative discussion on information sharing and how we envision the future of information sharing. Andy Ozment, our Assistant Secretary, was originally scheduled to be here today, but frankly, Ben’s colleagues scheduled something that he didn’t expect to pop up, and he had to cancel, and at the last minute, he told me to grab the flight to Boston and come on up here. And anytime I get to come back to my hometown, this is a good thing.
So, in any case, cybersecurity is all about risk, right? It’s not a technology issue. It’s not an issue just for the server room. It’s an issue that should be a discussion in the board room. It needs to be on every agenda in your companies, but it also needs to be a discussion in every classroom and in every dining room and in every family room because it’s a risk discussion for both the home and the office. And as we talk about information sharing, we’re talking about not just information sharing for the benefit of our business, our government, and the like. We’re talking about risk management across the whole country.
And at DHS, we have three principal missions in our office. The first one is working with the departments and agencies to defend the dot-gov domain, and we do that not only within the Federal Government, but information sharing with the state, local, tribal, and territorial governments to help them get the information that they need, so that they can better manage their risk.
Our second mission set is to help everyone else, harden the private sector, the dot-coms, the dot-nets, the dot-edus, amongst others, and once again, information sharing is critically important.
And then our third mission set is we work with the private sector and other departments and agencies to basically harden and preserve emergency essential communications because without fiber there is no cyber.
So given that mission set, as we take a look at distilling that down, information sharing is a critical component of all of that, and since it’s all about risk, what can you do? What can we do to help buy down that risk? Well, as we take a look at all the different things that we see when our incident responders through the United States Computer Emergency Readiness Team and the Industrial Control System Emergency Response Team—when they go out, the CERTs go out, we see a couple of things that I want to bring to your attention that I think will help frame further discussion in this presentation, and it’s all about buying down risk. And we see, based upon all the different incidents that we respond to, that you can roughly buy down about 80 percent of your risk through implementation of best practices. “Cyber hygiene” is another term that folks talk about. And as we take a look, when we go out and do incident responses, adversary sets are very diverse, and they can be criminal activities. The nation state actors are very sophisticated and get a lot of press, but there’s also just plain stupid that are out there, too, folks that are not configuring systems correctly. You’ve got insiders who will leverage different things and weaknesses in the systems that are out there and the like. You can buy down your risk by implementing best practices.
You can also buy down your risk, we estimate, by about 15 percent by information sharing, and that’s one of the reasons why we’re here. And what do I mean by buying down the risk by about 15 percent? Based upon our analysis and the incidents that we respond to, folks that are going out and looking for certain types of information aren’t doing it in a widespread manner. They’re going serially, one right after the other, toppling like dominoes. If we can interrupt that domino chain through information sharing, then we can stop all the dominoes from falling, to use that analogy. Information sharing proves—has proven itself time and time again to work.
Many of you in the room have been to other presentations that I have given, and you’ve heard me talk about the cyber neighborhood watch. Well, I want to foot stomp it again for those who haven’t heard me.
And God bless you for that sneeze.
If we look at cyber information sharing like we would a neighborhood watch, we want to make sure that we minimize the threat environment and we buy down the community risk, and through information sharing, we are indeed buying down community risk because a threat to one is a threat to all, often. And for example, if we were all in the same neighborhood and a guy named Greg goes and breaks into Rob’s house, you don’t need to know that it was Rob’s house that got broken into and the inventory of stuff that Greg took. Rather, what you need to know is that Greg comes in while everybody is at work, broke—defeated the lock on Rob’s front door, and, oh, by the way, since it’s the same neighborhood, chances are pretty good the builders went to the same hardware store. And you probably have the same type of lock on your front door. You want to know that that lock can be defeated, so that you can buy—you can adjust and manage your risk by use of compensating controls. Get a deadbolt. Change the lock. Get a big hungry dog. You know, there’s lots of different things that you can do, but it’s all based upon your risk appetite. But if you don’t know there’s a guy that looks and acts like Greg in the neighborhood, then you don't necessarily have all the information you need. So, therefore, we find that information sharing really does work, and it can help buy down your risk.
Then the last part is that 5 percent, incident response. Chances are pretty good, sometime in your lifetime, you will have a cyber incident. Many of you may be having one right now and you know about it, and some of you may be having one right now and you don’t know about it. But incident response best practice is having a plan. Plan for it in advance of the incident. You know, when I talk about it, a lot of folks talk about it, “Give me examples of somebody who didn’t have a very good plan and how could—you know, why—why do I need to make a plan in advance?” Do you want to be that executive who has the microphone thrust in their face after an incident and not know what to say? Do you want to be the CIO or the CISO who sits—or stands in front of the board at attention and doesn’t have a plan, who doesn’t know what the impacts are? I think not. We’re finding that folks who have a plan in advance have better control and can buy down their risk, and this is what we look at as part of the risk management umbrella of activities that you need to keep in mind to buy down and manage your risk.
So there’s some tools out there that we’ve been promoting through the government. Ben mentioned the executive orders. The Cybersecurity Framework has proven itself to be a very valuable tool for most folks, and I would submit to you that it’s not just a—you know, at the strategic level, it’s not just a cyber risk framework. It’s just a great risk framework, period. Identify what you have and what the risks are—threats are to what you have. Protect against those risks based upon your risk appetite. Be able to detect when you’re under attack. Have a plan to respond, and build resiliency in. What a great framework! And we’re going around the country, and we’re working with our partners in both the public and the private sector, with industry and with academia to help promote this framework because it’s a great construct for identifying and managing risk.
We’re also already sharing information through what we call the “C-Cubed Voluntary Program.” Many of you who know me know that I don’t like acronyms, and I don't particularly like briefing off of slides either, which runs counter to what most folks believe about military people. But I really don’t like acronyms, and I would prefer having a conversation rather than slides. But the C-Cubed Voluntary Program, the Critical Infrastructure Cyber Community Voluntary Program is a mechanism for information sharing, and it’s a nascent program. I won’t declare victory on this one right now. I think we can do a better job out of—out of everybody in this room and everybody across America to share information. However, it’s a great start, and we’re seeing some positives. And we are, in fact, getting some good information sharing from some sectors, and we look forward to getting more. But there are vehicles in place, and this is one of the programs that’s out there.
And then finally, risk assessments, this is something that we are working with our critical infrastructure partners, and we are sending folks out through our NCATS, our National Cybersecurity Assessment and Technical Services teams to assist with risk assessments for our public sector departments and agencies in the dot-gov space, but we’re also working with some of our commercial sector critical infrastructure partners to help them identify some of the threats and their vulnerabilities so that they can better manage risk. And we also have a tool that’s downloadable through the ICS-CERT with the Cyber Security Evaluation Tool that has had—well, just this year alone, I believe it’s over 10,000 downloads from around the country—to help folks do it themselves, and it gives the listing of kind of a structured question set, answer these questions to help you identify really where your risks and vulnerabilities are. So there’s a lot of activities that we were already providing, but there’s still some other things that we need to do, and that’s why we’re here today, despite having some best practices identified.
So when we do have an incident, who are you going to call? Are you going to call Ghostbusters? I don’t think so.
All right. So how many folks have heard of the NCCIC before—or actually, how many folks have not heard of the NCCIC? All right. We got one here who has not heard of the NCCIC. All right. Wouldn't it be cool if you had a national center that was fusing all cyber and communications issues? Well, we got one, and we call it the NCCIC, the National Cybersecurity and Communications Integration Center. It’s located in the Metropolitan D.C. Area, and it’s one of the teams that I help direct and oversee. And we are open 24 hours a day, 7 days a week. We have the primary location in the D.C. area, but we also have other facilities, backup facilities elsewhere in the United States so that we can provide continuity of operations. And our mission, as I mentioned, you know, the three main points: defend dot-gov, harden everybody else, and preserve emergency essential communications. And we are deeply involved with incident response, incident information sharing, analysis, and the like.
Many of you have seen some of the products, such as our malware indicator finding reports, or MIFRs, our joint analysis reports. We work with our partners in law enforcement, such as the FBI and the Secret Service, to do joint products, joint information bulletins, and the like. As a matter of fact, we have partnerships where we, out of our team, send liaison officers to the NCIJTF, the National Cyber Investigative Joint Task Force. And I believe, John, you may be talking about that later today. And we also have FBI and Secret Service agents involved in the NCCIC on the floor as well, so that we have information sharing with the law enforcement community as well as others.
In the NCCIC, we have representatives from different departments and agencies, from the Information Sharing and Analysis Centers, from public and private sector partners from all over the country. Not everybody is on the floor at the same time. Folks come in and out as the mission dictates, but it’s the shared situational awareness, and it’s a focal point for information sharing between the public sector and the private sector.
We have two operational teams that are operating out of the NCCIC. The first is the United States CERT, and I know you can read, so I’m not going to read the acronyms out to you. The CERT focuses on doing all of the different analysis and deep-dive type of stuff for common systems, you know, network systems, desktop systems, and the like. These are the incident responders who you hear about in the newspapers often when there’s a very big breach. They’re also operating the Einstein suite of systems, which is the National Cybersecurity Protection system, and because they’re actually operating a system, they’re called a “readiness team” as opposed to a “response team.”
But because industrial control systems, or SCADA, Supervisory Control and Acquisition—what is it? I forget what the acronym is because I’m an acronym jihadist. I hate them. The SCADA systems. Industrial control systems were increasingly vulnerable to attack and exploitation. So a couple of years ago, the Department invested time, material, and manpower to standing up a separate team just for industrial control systems, and we work with the manufacturers and the operators of industrial control systems around the country and around the world to try to harden up the industrial control systems. Let me tell you, this is something that keeps me up at night, and information sharing within the industrial control system community is critically important, and we tell people avoid connecting industrial control systems to the Internet as much as possible. But these are tools and the resources that we’ve invested in incident response, and unfortunately, these folks are very, very busy, as you can well imagine.
So you can read this slide, but for those folks who are on the recorded version, I’ll read it out loud: Why do we care about information sharing? Well, frankly, we all should be caring about information sharing, and that’s why you’re here. But as I mentioned, the NCCIC is the hub of information sharing, and the reason being is, like a lot of different activities, everybody in the Federal Government is very interested in being helpers. But we can’t afford to have different messaging coming from different activities. We have to be speaking with unity of effort and unity of messaging, and frankly, when it comes to information sharing, it’s important to make sure that we have the most contemporary, the most current, and the most accurate information for the public as well as our fellow government partners. The NCCIC was created to do that, and we are working with law enforcement, the intelligence community, private sector, and Federal Government agencies all in one place, so that we can in fact effectively communicate with each other and do it in a manner that’s timely and effective.
Now, I don’t know why this slide was put up there. This is Andy’s slide for achieving circulation. Here’s what I’m thinking. Having been—having served as the NCCIC Director, the NCCIC does, in fact, circulate information amongst everybody, and having everybody with a seat at the table is critically important. And if you think about it, something that may be considered innocuous or “Hey, you know, it only happened to me. It’s only my problem” may be part of a broader campaign, and we’re certainly seeing that with some activities that both law enforcement and DHS has been dealing with over the last 12 months, where seemingly independent activities, we’ve been able to link together through NCCIC analysis as part of broader campaigns. And we’ve been sharing that out through the ISACs and other information sharing partners.
But we need to broaden the foundation, and by doing such, it’s better to share information so that you can manage your risk and better harden your defenses, and trust is a critical factor in that. We’re opening the kimono in the NCCIC, so that people can see what information we’re getting because, frankly, there’s a lot of folks out there who think that the Federal Government is holding back and we’ve got all sorts of classified information. The NCCIC does operate at the Top Secret SCI level, but all of the partners who are in there—public sector, private sector, and the like—they see everything that we see, and that kind of information sharing helps build trust. Frankly, we’re pushing every day to declassify as much as possible. We don’t want to build a huge classified infrastructure because that sets up the environment of some folks who can build it because they have the resources. Those are the haves, and everybody else who can’t afford that become the have-nots. We’re all in this together. So we’re working hard to declassify as much as possible, so that we can better share information across a broader community set.
But the NCCIC, you can join the NCCIC today by signing up for our CISCP program, our Cyber Information Sharing and Collaboration Program, or the Enhanced Cybersecurity Services, where we provide our information out to commercial providers who have been certified to do managed front-end services. Wouldn't it be cool to use the same type of information that the U.S. government gets from all of its different sources and have bad indicators and the like blocked before it even gets to your company or your entity? Yeah, I think it would be cool, and we’re already working with a lot of different providers to move forward on that with the Enhanced Cybersecurity Services. So we are moving forward to build a nice, solid foundation upon which the country can move forward.
Now, as I mentioned, I’m an acronym jihadist. I don't like acronyms, but I’m going to try to define every single acronym that I’m going to be using in this briefing. If I don’t, I want you to raise your hand and shout out at me and publicly chide me. This is recorded. So I’d like you to shame me if I don’t—if I don’t define something for you in advance, okay?
And with that, let me show you some folks that we are sharing information with, and this acronym here is STIX and TAXII. Wouldn't it be cool to automatically share machine-to-machine information? You know, right now, we’ve had a lot of folks that have grown up, getting used to sharing information, and you get information about an event that occurred like in the fall, but that’s not necessarily fully helpful. We need to get from months to milliseconds, and that’s our goal, is to get from months to milliseconds.
So last year, the Department at the end of a research and development effort launched a prototype of what’s called STIX and TAXII for automated information sharing. STIX stands for the Structured Threat Indicator Expression, and that “X” is “Expression.” Think of that as the payload, about 28 different attributes about an incident. Now, there’s actually about 100 fields, but 28 are the core of the information about an incident. TAXII is the mechanism of getting it to you. Think of it as a protocol like simple mail transport protocol, but we had to have a protocol to get it out to folks. And it’s the Trusted Automated Exchange of Indicator Information. Now, frankly, I think that the guys who put together these acronyms made up the acronyms and then filled in the blanks afterwards, but it works. And the prototype was a success. We are now going to full production. We’ve gone into—from just a dedicated server at one of the MITRE facilities that we had contracted with, we’re going into the Web with one of the famous cloud providers, and we’re already hooking folks up. And the financial services sector has already commoditized STIX and TAXII into their Soltra Edge product and has been sharing information within the financial services sector.
These are some of the folks that we were partnering up with, but as you take a look at information sharing, getting from months to milliseconds is reliance on automation. And with STIX and TAXII, we’ve got the capability that is going to help us leapfrog forward in a manner that we are—that the nation needs.
So here’s the timelines. You know, it was concept in ’13. 2014, yeah, we got into a prototype with a single one. Now in ’15, we’re on the Web, and we’re building it out even more. But what about information sharing through other means? You know, in the past, it’s always been the ISACs as our primary entries, Information Sharing and Analysis Centers, taking a look at those 16 critical infrastructures and getting the like entities together, but you know what, we were getting a lot of feedback from folks who weren’t considered part of the critical infrastructure saying, “Well, Greg, how do I get information if I’m not a member of the ISACs and I don’t have a good fit with any of the ISACs?” Well, the ISACs have been great partners. Some have invested in having people into the NCCIC, but we were looking beyond just the 16 critical infrastructures.
You know, for example, the American Bar Association has got a bunch of lawyers that have all got a lot of information. If you think about a lawsuit—and I’m not a lawyer, nor do I play one on TV. I’m a geek. But the lawyers were gathering up a lot of technical information, and they were proving to be a very lucrative target for folks, you know, who were engaged in criminal activity, such as industrial espionage, and other folks who were looking to seek aggregation of information.
How were we getting the information out to that information sharing organization? Well, we weren’t doing as well as we could, and that’s one of the reasons why, under the executive order, we looked to create these Information Sharing and Analysis Organizations, and frankly, I for one look at the ISACs as a subset of ISAOs, the Information Sharing and Analysis organizations. We can’t just limit ourselves to certain constructs. We need to share with folks who collectively collaborate and communicate because, like a good neighborhood watch, that’s a way to effectively communicate.
So we’re collecting best practices, and we’re trying to share amongst everybody else, but we were also trying to use those best practices as we build the ISAOs. And as we go out and we have these conversations with you all and others, we were foot stomping: Please sign up today for the CISCP program, the Cyber Information Sharing and Collaboration Program. Consider subscribing for services under the Enhanced Cybersecurity Services Program, and go to the NCCIC and download that information that’s out there. And, oh, by the way, for the NCCIC, one of the great sources of information—and there’s plenty that are out there, but the NCCIC is trying to accumulate and fuse them all together. A website to remember, http://www.us-cert.gov. I say it again: http://www.us-cert.gov. Operators are standing by. Go visit it today. Call today. Now, I don’t remember the number off the top of my head very well, but I believe it’s 1-888-282-0870. I double dog-dare you to call it sometime today, and call the NCCIC and just do a phone check. Put it in your cell phone. Make it one of your contact numbers, because I’m from DHS, and I’m obliged to say if you see something, say something, okay?
All right. So CISCP, what do you get from CISCP if you sign up? A lot of folks are saying, “Well, you know, it’s another government program. Why should I bother?” Well, here’s some of the things that you’re going to get, and one of the things, a lot of folks say, “Well, hey, how do I get on a mailing list? How do I get on the list server for your guys?” Well, join the program. Subscribe and you’ll get the different products that are out there, such as these type of things. Will this be valuable to you? I hope so. Will it be valuable to chief information security officers and CIOs? I hope so. Can it help buy down the risk that you and your businesses will have? I know so. Consider joining, and help us be a—join me in being a cyber evangelist. Help pass the word. This is a great program.
Also, if you’re part of a company somewhere and you’re looking at your provider for Internet services, is dollars and cents your only consideration as part of your risk calculus? I submit if it is, then maybe you need to broaden your aperture and take a look at “Am I getting value-added services from my provider?” I would recommend that folks consider including Enhanced Cybersecurity Services as part of their risk calculus and in taking a look at their providers. Am I, in fact, getting some risk management provided by my provider, participating in this program, being able to filter some of those indicators that are already known to be bad and leaving you and your team to manage the things such as behavioral analytics and some of the other things that can help you buy down your risk further?
And then, you know, I already talked about the NCCIC, but we had to throw this up there to prove. The President did come to the NCCIC, which really magnified the fact that this is, in fact, the nation’s integration center for the sharing of public and private sector information. As you can tell here, Secretary Johnson is looking at me right now to make sure that I am talking to you and making sure that you understand that we’re here to help 24/7 in the NCCIC. We’re working for you, and we are looking for you to give us feedback. Help us help you by letting us know what information you want, when you want it, and what format you want it.
Okay. Some of the things that we are distributing through the NCCIC, through that website that I talked to you about, the alerts, the advisories, the bulletins, technical documents, and I mentioned the website, http://www.us-cert.gov. ICS has got a page off of that as well that’s focused just for the Industrial Control Systems.
But one of the things I also want to foot stomp—and Secretary Johnson would be upset if we didn’t—is the commitment our Department has to privacy, civil rights, and civil liberties. Under the Homeland Security Act of 2002, we have what’s called the Protected Critical Infrastructure Information program, PCII, and in essence, this gets back to the neighborhood watch construct. We preserve the anonymity of our sources because your brand and your reputation are critically important, and once that’s gone, it’s never going to get back into the bottle. And the Congress recognized this in the Homeland Security Act of 2002 and created the program, such that if you come to us at Homeland Security, we’re going to treat it with privacy protections to protect your identity and your anonymity. That’s why when you take a look at different products that we put out, we’re not going to say, “Well, this particular piece of code was associated with the attack on this particular company.” We don’t do that because we want to continue the information sharing, and that goes both ways. We protect your brand and your reputation.
And our Privacy Office is established under the force of law with our birthright documents. Privacy is built into all of our processes, and last year, we even got an award from the ACLU for our privacy program. And when was the last time the ACLU ever gave an award to a government agency? Go figure. But I’ll tell you, it’s ingrained in what we do. So we want to make sure that we continue to do that and we do regular audits on privacy and the like, and since that law back in 2002, we’ve never busted trust on privacy.
And with that, PCII, if you come to us under the PCII program, critical information—infrastructure information, you are protected from FOIA disclosure, state and sunshine laws, local laws that pop up. That information is protected from use in regulatory actions and from disclosure and civil litigation, which a lot of folks find very attractive in sharing information with us versus other sources. So basically, we’ll take that information for the common good as part of that cyber neighborhood watch. We’ll get that out, but we’re also going to protect you.
Now, that said, if, in fact, you’re controlled under a regulatory regime that does not give you a Get Out of Jail Free card from going to your regulator, you still have to do your regulatory reporting, but for the purposes of cyber information sharing, this has been a fabulous program. And I wanted to foot stomp and make sure that this is available to you.
Now, as we take a look at the nirvana, this is what we want. We want to be a perfect information source for you out of DHS and with our partners in the other departments and agencies, such as law enforcement, intelligence community, and the like. But here’s what we’re looking for in the perfect partner in the private sector. We’re looking for folks who do implement the cybersecurity framework. The fact that you are here today, I believe, is indicative that you are on that path, and you probably are already doing it. We want some—we want partners who are willing to invest in managing their own risk by investing in ECS capabilities. We want partners who, when they do detect an incident, let us know about it. We want partners who share information with their peers through Information Sharing and Analysis Organizations. We want information sharing to DHS and peers through our CISCP program. And further, if your resources allow for that automated sharing of information, that you subscribe to STIX and TAXII information sharing products, and that can be within the ISAO, like the financial services sector is already doing with the Soltra Edge product, or other mechanisms such as subscribing directly to DHS for STIX and TAXII products.
So here’s what I’m looking for. I’m asking you to help me carry the message into taking a look at your options for STIX and TAXII for your companies’ products. I’m looking for you to join the C-Cubed Voluntary Program and implement that Cybersecurity Framework. If you’re not already a card-carrying member of CISCP, our guys from our CIKR team, such as Mike and Azzar, you know, they’re here to help you get into that. And then learn more about the ECS program, the Enhanced Cybersecurity Services program because I think that’s going to be very valuable, and I think in the marketplace, the marketplace is going to clamor more and more for that, and we’re already getting stress within our resources to move forward on that, but it’s something that I think we need to prioritize as well.
So, folks, that’s a quick rundown on what we believe is the future of information sharing from a DHS perspective. At this point, I’d like to open the floor for any questions, comments, queries, or letters to the editor you may have for me. Are you grabbing the mic? Yes. Okay. It’s better—you might have just kept on walking out.
CHRIS BLASK: I haven’t decided yet, but—so, Greg, Chris Blask with—well, with Webster University Knowledge Center—
Brig Gen GREGORY TOUHILL: My Industrial Control System friend.
CHRIS BLASK: Yes. So we have the ICS ISAC, and the Insurance ISAO now inside Webster, and so just commentating way, I guess I’ll do a Jeopardy and phrase this in the form of a question to get your thoughts.
Brig Gen GREGORY TOUHILL: Okay.
CHRIS BLASK: We agree a thousand percent with the executive order, the proliferation of nodes, so sort of interested in your thoughts of how large do you think that scale is, how many ISAOs or sharing organizations, by what definitions do you think we’ll end up with in what time frames, or have you thought through that?
Brig Gen GREGORY TOUHILL: I’ve thought through it, but I’d like to caveat, Chris, and thank you for the question. I’d like to caveat with the beginning. My views on this are not reflective of the Department’s, the Pope, or the Commissioner of Major League Baseball. They’re mine and mine alone.
I think we may see over 200 different ISAOs pop up over the course of the next 3 years, and they’re going to vary in size from organizations. And I mention the American Bar Association as an example. You know, I think that professional organizations that are very well established and very well organized are going to be a rich source of information sharing but maybe not on the scale with the automated information sharing that we’ve already been fielding, but rather through other mechanisms, such as information sharing that we’re putting out through CISCPs and the like. I think what we as the government need to be prepared for is all flavors, and that’s one of the strengths of addressing the ISAOs themselves as opposed to staying solely within the bounds of the critical infrastructure buckets that we had previously been focusing on.
Now, that said, the ISACs are continuing to provide great capabilities and the like, but as we take a look at our strategic initiatives to try to get out to everybody, we’ve got to be prepared to address large, small, and medium businesses as well as the general population. So we’ve got to be prepared to share with everybody.
SCOTT ALGEIER: Sir, thank you. Scott Algeier with the IT-ISAC. So a question and a comment, potentially. So on the STIX, I guess this is a request for help. Can we get the CISCP team to start sharing STIX files in STIX format? They’re sharing it in a format that isn’t STIX compliant, and it’s making it really difficult for those of us who are trying to consume the information to consume that. So it seems to be some type of proprietary version of STIX that you all are sharing the information in, and it’s very difficult for our members to digest. We raised this with the CISCP team, and we’d like some assistance, if you can, to get that sorted out.
Brig Gen GREGORY TOUHILL: Well, thanks. I’ll take that on with our team and get back with you. If you would, though, before you leave, would you make sure that Mike gets all your contact information—
SCOTT ALGEIER: Sure.
Brig Gen GREGORY TOUHILL: —so we can get back with you directly?
SCOTT ALGEIER: Sure. Mike knows where I live.
Brig Gen GREGORY TOUHILL: Yeah. Okay.
SCOTT ALGEIER: My other comment would be, at least for the IT-ISAC, we share the goal of trying to get information out to more people.
Brig Gen GREGORY TOUHILL: Mm-hmm.
SCOTT ALGEIER: We put proposals together in private to DHS, which have gone nowhere. We’d still like to consider working on those, if we can, at some point. You know, this—there’s some concern out there within the ISAC community. At first, we were assured that ISACs would be grandfathered from the ISAOs, and now, of course, we’re not. And so there’s really a lot of concern out there that what’s going on is going to disrupt the organizations that have been out there working on this successfully for 15 years or more, without any regulation, without any—responding to our members’ needs. So there’s really kind of a concern for many of us out there. You know, again, we’re here today. We want to be good partners. We want to contribute, but we’ve had ideas in the past on how we can achieve the same goals that really haven’t gotten—really been responded to by DHS in the past.
Brig Gen GREGORY TOUHILL: Well, I appreciate that feedback, and, you know, frankly, I don’t know all of the different struggles that you’ve had, but I want to be part of the solution for the future. So before I leave, I’ll make sure that I give you my card, and then you can—you and I can have a conversation a little bit deeper, so I can dig into this and do a better job for you. How’s that?
SCOTT ALGEIER: Very good. Thank you.
Brig Gen GREGORY TOUHILL: Okay, thanks. Any other questions? Comments? Queries?
ATTENDEE: Hi. Just a quick question. You mentioned scaling in terms of small, medium, as well as large-size businesses, and I wonder if you could elaborate a little bit on what you think needs to be done and assess where we are today with regard to some of the outreach in programs you’ve got as it concerns small and midsized business and information sharing as well.
Brig Gen GREGORY TOUHILL: Yeah. Thanks very much. Once again, these are my views. You know, as I go around the country and I’m talking cybersecurity best practices, I’m having the conversation with the cyber neighborhood watch. My teams are going out and doing incident response actions. We’re talking with private sector companies that are assisting companies with private sector incidents and the like. One of the themes that I personally am seeing is the large companies that are out there largely get it, and they have resources to go and harden up their defenses. They’re a bigger target. So I would think that based upon what I’m seeing, the vast majority of the folks that are cyber criminals and crooks and nation state actors are going—when they’re going after a private sector entity, the vast majority of them are going after big guys. However, based upon my observations, more and more times, you know, it’s the old Willie Sutton argument. Do you remember Willie Sutton? Why do you rob banks? Because it’s where the money is. The geek in me goes back to my engineering school days where, you know, it was learn about resistance, and I remember—
God bless you.
I remember my professor talking about resistance, and you take water and then pour it down a display, and the water would flow where the path of least resistance is. The larger companies are investing more and more on cyber defenses. The bad guys still want to go in the Willie Sutton approach. They want to go where the money is. A lot of the large companies are now raising the bar and making it more and more expensive for the bad guys to get into them. So where are the bad guys going now? They’re going in the path of least resistance. They’re going for the medium and the smalls and with increased frequency, and the days of the small businesses saying, “Hey, I’m too small to be a target,” those are long gone.
With automated tools that are out there, I can go on Metasploit. I can do Nessus scanning, and I can go out there and I can find a target set and take advantage of them. We’re at the point now—and I think it’s—the inflection point already occurred a while ago, where the small and mediums need to be paying attention. They need to have the capability, and that’s maybe where managed services come in where folks pool resources. They go to a service provider and the like, and having discussions through information sharing helps raise that bar.
I think small and mediums are under increased risk, perhaps even more so than what they’ve thought they were in the past, and I think as we take a look at the future, we’ve got to make sure that we are sharing with everybody. I hope that answers your question.
I think I have time for one more question, but you’re standing up like I’ve got to go? Or no, you’ve got the microphone. Sir, over to you.
SEAN MOORE: Good morning. I’m Sean Moore with Centripetal Networks.
Brig Gen GREGORY TOUHILL: Hi.
SEAN MOORE: A little new to this space, and I’m curious if the commercial threat intelligence providers, the Inside CyberLenses [ph], emerging threats of the world, are they interested in taking threat intelligence data, repackaging it, and reselling it, or are they allowed to do that?
Brig Gen GREGORY TOUHILL: Oh, I think there’s already a marketplace, and thanks, Sean, for that question. We’re already seeing a great marketplace in the information technology business where folks are actually going out there and generating threat intelligence and marketing. I mean, it’s a good business model, and we certainly don’t want to disparage anybody’s business capabilities.
That said, we get—there are many different providers of threat intelligence who, in fact, do share with us, and they package up products that they give to us with the express patriotic interest of making sure that stuff gets out to the general public. And we thank them privately, and they ask us not to thank them publicly. But there is, in fact, a business model out there, and for a lot of companies, we do make recommendations to them, depending on their risk appetite, the type of critical infrastructure environment that they’re in and the like, that they do, as part of their risk management construct, invest in a cyber threat intelligence capability, either organically through their own corporate resources or through subscription or even having companies on retainer. Does that answer your question?
SEAN MOORE: Yes, sir. Thank you.
Brig Gen GREGORY TOUHILL: Very good. Thank you. Larry. Yes, sir.
LARRY CLINTON: Thank you. Larry Clinton, Internet Security Alliance. I sometimes think we talk about a lot of different things together, and I want to kind of separate some of these out. So we’re really interested, as you said—and I agree with you, 100 percent—in getting more participation from smaller and midsized companies because these are increasingly the vulnerability targets. But the issue seems to me to be not so much to get these people as part of ISAOs as much as to make the information that they get more actionable to them, and for them, there’s often a major cost issue here. They simply don’t have the economies of scope and scale—
Brig Gen GREGORY TOUHILL: Right.
LARRY CLINTON: —that the larger guys have, and I’m not clear how we’re envisioning the ISAO process as addressing that particular need, and a sister problem to that has to do with what we’re trying to do here is expand participation, and we’re going to come up with the rules for participation through the standards organization. But it seems to me that there’s a natural conflict between developing a broad rules set of entities to qualify as being an ISAO, yet potentially liability protection, et cetera, and the ability to be an organization that can meet this expanded rules set. And I’m really not clear what the—what the game plan is for that. I mean, the more specific we make the rules and requirements to be an ISAO, the fewer ISAOs we’re going to get, the fewer participants, et cetera, et cetera. So if you could help me think through some of the thinking on this, I’d really appreciate it.
Brig Gen GREGORY TOUHILL: Well, thanks, Larry. There’s a couple of questions in that one, and frankly—and I took some notes here. You can sit down if you’d like.
Brig Gen GREGORY TOUHILL: No. Larry is a friend. I just want to make sure he’s comfortable, and you can come back to the mic if I don’t answer your question. How’s that?
A couple of things. First of all, I think those are excellent questions, and I feel like I’m at a disadvantage because I don’t have my counsel here by my side because some of it falls into the questions of law and the like, particularly when we talk about some of the liability protections and such. And as Ben mentioned, you know, the Congress is working right now with some information sharing legislation that is going to address the liability protections, and I still have a two-dollar bill on the table that they are, in fact, going to get a bill in front of the President for signature by the end of this month. To bill, Touhill. It works. Okay.
Brig Gen GREGORY TOUHILL: But as we were—as the concept of the information standard—you know, Information Sharing and Analysis Organizations was really congealing. We wanted to pay respect to the ISACs as well, but the ISACs, it was well established. The FS, the financial services ISAC was created back in, what, ’99, it was—you know, came into its current form? Is Denise here? I didn’t see Denise here. Yep, there’s Denise. ’99, Denise?
DENISE ANDERSON: ’99.
Brig Gen GREGORY TOUHILL: Okay, good. So the Alzheimer’s hasn’t kicked in yet.
But as we were looking at the model for the broader information sharing organizations, for those who didn’t fit with the standard ISACs—you know, ISACs were functionally aligned across the critical identification, which was designated through a previous executive order. 13636?
Brig Gen GREGORY TOUHILL: Okay. Hey, I am impressed myself. I even remembered the number on that, and I’m not a lawyer.
So we already had a pretty good definition on the ISACs, but who is an ISAO and who is not an ISAO and who do we share sensitive information with becomes kind of a challenge. So the discussion was, well, let’s not play politics with who is in and who’s out. Let’s go to a standards organization to actually go out and define it, and then have an independent arbiter of who is an Information Sharing and Analysis Organization, so that we can best and fairly represent everybody’s equities.
So that in and of itself within the government bureaucracy process has been a big challenge for guys like Mike Echols and the like in trying to go through with a request for comment period and all the adjudication to go through it, and as everybody already knows from their civics class back from sixth grade to twelfth grade, the United States government is not built to be efficient. It’s built to be a fair government. So we’re not moving as fast as everybody wants, including us, but we want to make sure that we’re being fair and we’re being equitable, and that process that we are following with that is just that. We want to make sure that as we are going through that process, it’s transparent, it’s equitable, and it produces a fair product.
Now, that said, having a standards organization help define what exactly are those criteria for entrance into the club is critically important, and we want that to be transparent, but we also want it to be independent. So that’s where we stand on that, and that’s why we took the approaches we did. Does that address the question?
LARRY CLINTON: That’s really helpful. Thank you.
Brig Gen GREGORY TOUHILL: Okay. Thank you, Larry. I appreciate that question, and it’s important to get that out on the table. Thank you.
Are there any other questions before we adjourn for the next session? We have another question. Thank you. And this is the last question, I’ve been informed. Otherwise, Mike, who is a lot bigger than me, is going to whoop me.
CHRIS KREBS: Chris Krebs with Microsoft. Less of a question—
Brig Gen GREGORY TOUHILL: Hi, Chris.
CHRIS KREBS: —and more of a suggestion or an ask. So we’ve already heard today a lot of conversation about ISAOs. We’ve heard about ECS. We’ve heard about CISCP. We’ve heard about C-Cubed. In thinking back—
Brig Gen GREGORY TOUHILL: A lot of acronyms, huh?
CHRIS KREBS: Right. Well, and then all the executive orders dating back even to the National Security—or National Strategy for Information Sharing.
Brig Gen GREGORY TOUHILL: Mm-hmm.
CHRIS KREBS: So when—as these initiatives proliferate, I reach back into my company to, you know, vector in the appropriate technical expertise to feed the request for comments, to feed into applications, things like that.
Brig Gen GREGORY TOUHILL: Yeah.
CHRIS KREBS: What would be really helpful to me is I make that internal sales pitch to provide some assistance here as an overlay. Like I said, we’ve got a lot of initiatives, and it’s not immediately clear to me where each of these initiatives falls or fits and what the unique value propositions of each might be. So if the Department could provide some sort of overlay of—you know, even a one-pager or two-pager or whatever—of what each of these programs represents, what they’re trying to accomplish, the value proposition, and then push that out, that would help companies like Microsoft and I’m sure many, many other companies, and even as organizations contemplate standing up ISAOs, what they can get out of the process and how they can play ball.
Brig Gen GREGORY TOUHILL: Thanks, Chris. That’s really helpful feedback, and, you know, we do have them. And perhaps we just haven’t done a good enough job getting it out to you and others, but I will tell you what. I’ll guarantee you, if you sign up with Azzar and Mike and our team here before you leave today, by the end of the week it will be in your inbox. Is that good?
And special deal for you. I’ll be in Seattle tomorrow. I’m willing to come over to Microsoft and brief, if need be, okay? All righty.
Any other questions? I’ll be out in the hallway for about a half hour before I have to head back. I am flying out to Seattle for my daughter’s graduation, so I’ve got to get back to Washington and pack. But thank you so much for your kind attention, and thank you for the great questions. We look forward to the greater information sharing for the rest of the day, and thank you for being here. Hope you have a good conference.