MIKE ECHOLS: Mr. Matt La Vigna, Director of Operations for the NCTFA—I’m sorry—NCFTA. And then Mr. Sam Visner, Co-Chair of the R&D Task Force.
MIKE ECHOLS: Thank you very much. So thank you, panelists, for being here. First, I’d like to go to Mr. Riggi to give you an opportunity to make a couple of statements.
JOHN RIGGI: Sure. Thank you, Mike. First of all, I’d like to thank you, Mike, and DHS for graciously inviting myself and the FBI to participate in this very, very important conversation.
Before I begin, can I just have a show of hands, how many folks we have actually from the private sector, nongovernment folks? Good. More than I thought. Excellent.
So somewhat echoing General Touhill’s comments about the need for information sharing and the FBI and law enforcement in general, Secret Service and our partners at DHS, we understand that to prevent crime, solve crime, we need the public’s assistance, and over the years, to combat, whether it was drug trafficking, trafficking, organized crime, violent crime, even bank fraud, we were very active working with the private sector, financial community, to establish outreach programs and to garner those, as General Touhill mentioned, the cyber-hood—the neighborhood-type watch programs. Well, that was in the physical world, and as General Touhill said, we need the same in the virtual world because those crimes, those acts are occurring on private networks. As you know, they’re not occurring on the streets, in the homes, the physical world.
And in the FBI, we have several programs beyond our individual community outreach programs, which are run by our field offices, that strive for that effective community outreach. On a national level, we have what’s called the InfraGard program. It’s kind of two words combined, “infrastructure” and “guard,” but the “guard” is g-a-r-d, and that consists of 36,000 individual members. It’s not organizationally based. Bottom line, you just have to be a U.S. citizen and not have any criminal history. You can be a member of InfraGard, and that’s spread out through 83 chapters across the United States. Some of those chapters are very active and have developed their own cyber special interest groups along with other special interest groups.
And of course, there are, organically developed over the years, certain cybersecurity information sharing groups that we promote, support, participate in, including the NCFTA, who Maria Vello is here from, National Cyber Training and Forensic Alliance [sic]—if I get that correct—but it’s a great, great example of the public-private partnership and how we engage directly with private sector academia, and the FBI actually has a full-time unit embedded in that entity. And not only do we have access to our systems, our classified systems there, all our partners there have been given clearances and we’re able to share more collaboratively against common cyber threats.
I think you really just—just look at the newspapers during the day, any given day, especially this week, and you will see that the same cyber threat actors that are targeting private sector, such as the health care industry, are targeting U.S. government networks. As you’ve heard about the major breach at the Office of Personnel Management, you see that it’s a shared threat, so it must be a shared defense. So I am very, very excited to be here and be able to participate on behalf of the FBI. Thank you.
MIKE ECHOLS: Thank you. Denise?
DENISE ANDERSON: Thanks, Mike, and thank you for inviting me here to be on this panel. I really appreciate it, and I’m very happy to be here in Boston.
I’m going to give you a little background on the National Council of ISACs. So we were formed in 2003, so we’ve been around for over 10 years. We were created to actually—as an ISAC community, foster between each other, the challenges and opportunities that we had as a community going forward. So we actually collaborate very heavily with each other. We collaborate on a daily basis between our operations centers. We collaborate on—if there’s a crisis, we’re on a call collaborating with each other. We have a list server and a portal where we’re sharing on the list server over 20 or so items per day between the sectors, and then, of course, we actually have presence on several watch floors where we actually also collaborate, including the NCCIC, the National Cybersecurity and Communications Integration Center. So we have a very strong community where we’re constantly interacting with each other.
We also participate in, of course, exercises with DHS in Cyber Storm, and then we have 19 ISACs that are currently members of the National Council of ISACs.
As far as the ISACs themselves are concerned, they’re basically communities of trust, and they actually do a lot more than just information sharing, which is a point that, hopefully, I’ll bring out here: that information sharing is a tool in the tool box to help us mitigate threats.
So we have strong reach into our sectors. We’re subject matter experts for our sectors. We have a very strong response capability and collaboration capability in response, so that if—and this is a role that has been carved out in the NIPP, the National Infrastructure Protection Plan, where we actually play a role in response, coordinating on behalf of the critical infrastructure sectors.
When it comes to ISAOs, of course, we are an—you know, we are ISAOs because we do share information, and we do analyze it. And we support the movement. Actually, many of us are actually standing up ISAOs for various sectors that don’t fit in neatly into the critical infrastructure. So that is something that’s exciting and that we fully support, but we also want to make sure that the ISACs are recognized for their unique capabilities and their roles outside of information sharing.
MIKE ECHOLS: Thank you. Sir.
RICHARD SERINO: Good morning.
MIKE ECHOLS: How are you?
RICHARD SERINO: Good. I’m Rich Serino. I’m currently at Harvard and not MIT, so I’m actually not sure why I am here. I did spend about 5 years in Washington as a Deputy Administrator at FEMA, and when I say I’m not 100 percent sure why I’m here, I’m honestly saying that because there’s a lot of talking about the ISAOs and the ISACs and every other acronym, and when I was at FEMA, I was involved in a lot of those. But I’m actually going to stray from that a bit and talk about what—the importance it is to have the private sector and government work together. At FEMA, I had the opportunity to help develop something we called “whole community” that a lot of people have heard, and an offshoot of that turned into “whole of government”—and how we were able to bring people together. And I won’t dive in depth into all of them, but quickly, it’s government at the federal, state, local level, but then also how we’re able to bring together the nonprofit agencies, the Red Cross, et cetera, the faith-based community, and the private sector.
And prior to 2009, we did not have agreements with the Red Cross. We didn’t have agreements with the faith-based community, and we certainly weren’t working with the private sector. But what we did is brought them in to be part of the team. In 2010, during the Haiti response, initially, I was in the National Response Coordination Center, the country’s emergency operations center, if you will, and in there, as Haiti is happening, I turned to our director of response and said, “Where’s the private sector?” and he said, “They’re not allowed to be here in the room.” And that to me was rather shocking.
If you haven’t picked up—I mean, I am from Boston, born and raised in Dorchester, and I was Chief of EMS across the river in Boston for—I was there for 36 years before I went to D.C. But during the period of time when the private sector wasn’t there, we had them in Boston quite a bit in our EOC, all the time, 25-year relationships with Boston Properties, with the Hancock. And so when I got to D.C., I was sort of shocked that they weren’t part of it.
So we started, went through a process. Our lawyers told us, “You can’t do that. We can’t have the private sector in the room.” So during a response is not the time to debate that. So about 6 weeks later, we actually looked, and after a bit of discussion, we got a new chief counsel, and it makes things much easier.
RICHARD SERINO: And we have about—had—we have about 200 lawyers at FEMA and had someone who got to “Yes” and figured a way that we had private sector representatives in the National Response Coordination Center within 3 months, and we had that, developing the team, and then from that, we built the ability to have them in there for 3 months at a time. We had started with Target and then Citibank and all the different sectors.
As an outgrowth of that, a year later, we had something developed called the NBEOC, the National Business Emergency Operations Center, and during a crisis, that was stood up. And there were over 500-plus companies that can be part of that, that they actually will share information that makes a difference in people’s lives during an emergency. It’s whether it’s able to have Wal-Mart send water or food, whether it’s smaller companies to understand what’s going on and how they can help protect themselves during whether it’s Super Storm Sandy, whether it’s during tornadoes, during whatever the emergency is. So it really helps make a difference.
And now that I’ve been at Harvard for just under a year now—and at Harvard, with NPLI, the National Preparedness Leadership Initiative, we actually looked at the response to the Boston Marathon bombing, and fortunately or unfortunately, in my role as the Deputy Administrator, I was actually in Boston at the marathon that day after having been the incident commander for the marathon for many years. In looking at the leadership response to that, it actually struck, listening to the earlier speakers, that the response to that was done very well, and you ask who was in charge at that event. And the answer was, if you talk to the governor, talk to the mayor, you talk to the head of the FBI at the time, who was the special agent in charge—you talk to Ed Davis, the police commissioner—not going to say any one person was in charge. It was a shared network of folks, and it was shared because people trusted each other, people had relationships with each other, people had a common sense of mission, and there was no ego and no blame during that period of time for the response during the week. And hearing those four things that the people who studied it came up with very much fit with almost the four things that people mentioned here today: that you need to have trust, a common message, doing this for the common good, and understanding that having those relationships in a crisis truly will make a difference.
I’ll stop there.
MIKE ECHOLS: All right. So there should be no question why you’re here now. That’s exactly the message that we’re trying to promote.
MATT La VIGNA: Hello. My name is Matt La Vigna. I’m the Director of Operations for the NCFTA, the National Cyber-Forensics and Training Alliance. Before I get into that acronym, I’ll give you a little bit of background on myself. I come from—I had a couple different perspectives on information sharing, one from an agency standpoint, a government agency standpoint. I recently retired from the Secret Service, and with our electronic crimes task forces and our community outreach, just like other law enforcement agencies, whether it’s state, local, or federal outreaches, it is extremely important. And some of the differences at a local level are most people will know each other as opposed to a national-level outreach, and so I’ve seen it from a headquarters perspective where most of the time, you’re feeding information out to people, and it’s a one-way channel.
At a local level or, say, on a regional level, it’s a little bit better, so it’s kind of like Information Sharing Lite. You get members. You sign them up. They get into your group. You give them some information. You have some meetings. You encourage them to communicate, but it’s really—a lot of times, it’s hit or miss. Different initiatives are more robust than others.
And now I’m at an entity that I would say is an Information Sharing Plus or information sharing on steroids. The National Cyber-Forensics and Training Alliance was created back in 2002, and the issue that was—it was created by thoughts of agents from the FBI and private industry. The issue at the time was industry sharing information with government or law enforcement was good, but it immediately became classified and virtually impossible or difficult to share with anyone. So it was—there, it’s one way. It’s coming in, but it can’t go out, very frustrating. So you have the—in Pittsburgh, you have the FBI’s High-Tech Crime Task Force working with other law enforcement, which is great. You’re in a task force environment. Everything flows. You’re good. But in a law enforcement task force environment, you don’t have industry sitting in there. So think of office space, and you’re in a federal agency, and everything there is classified. And so getting private industry in there is very difficult. How many months does it take to get a clearance? How many times are you going to do that? How much does that cost?
So the idea came up: Let’s find this neutral ground in order to share information in an unclassified environment where we don’t have the restrictions of the government space. We can’t go to private space. The government can’t occupy the space. You know, bank can’t host law enforcement’s office space. We can’t go down that road, but we find neutral territory, and that’s where the NCFTA was formed, so back in 2002.
When it was created, it was—and it still is—a clearinghouse or a safe harbor for sharing information, so personally and physically sharing information. In-house, we have federal law enforcement agencies, an entire FBI unit that is embedded there in our office space. Secret Service is there. Homeland Security Investigations is there, Customs and Border Protection, U.S. Postal Service, the National Crime Agency out of the UK, Australian Federal Police. So we have as big a perspective from a law enforcement standpoint as we can, and then we also have embedded private industry. And so we’re able to share information at a personal level with those that are on-site, but then those that are also off-site.
We achieve our goals by facilitating the sharing and aggregating it across different industries and sectors, so it’s not just sector-specific. We’re able to share that information across the different sectors and across law enforcement. Believe it or not, government agencies and law enforcement don’t always talk to each other, and the reality of it is that government agencies are in competition with each other. Sometimes their lanes will overlap. A lot of times, their lanes will overlap, and there needs to be that de-confliction. There’s plenty—to be honest with you, there’s plenty—we all know there’s plenty of work for everybody out there. So all we really need to do is find a way to de-conflict, stay in our lanes, work with each other when we can and when we need to, while serving the needs of private industry.
There’s a lot of things that have already been discussed, and I know we’re going to talk about a lot of things like trust and facilitating the sharing of that information, but one of the things that’s critical is just being a member of, say, an organization is not the end because—I call them a “Looky Lou.” You’re just going to look and read, and you’re just going to absorb this, but it’s the two-way sharing that’s really important. Trust is what builds that two-way sharing capability, but it’s the two-way sharing that is really critical in order to make any of this work.
And so I’ll leave it there. I know I usually will keep going if you let me, so—
MIKE ECHOLS: Sam?
SAMUEL VISNER: Thanks. I’m Sam Visner. I’m actually here in—and although I run a cyber P&L for a company called ICF, I’m here representing the Intelligence and National Security Alliance for whom I’m co-chairing the Cyber R&D Task Force, which is working on both trying to strengthen a national cyber R&D strategy and build a national cyber R&D ISAO.
And by the way, as we were all sitting down here, Matt, as we were trying to figure out how we would get all of us at the table, he said we’re going to need a bigger boat. I saw that movie recently. I think what they really needed was a smaller shark.
SAMUEL VISNER: But they didn’t get either. It ended badly for most of them.
What I really am hoping to talk about today is what we will do to improve information sharing for cyber R&D. So first, the why of it, and the why, I think is that while I agree absolutely with Deputy Assistant Secretary Touhill that there is a huge risk component to the cybersecurity problem, I think there is also a larger component that relates to our nation’s global role, global standing, and global power. Other countries are using their ability to impair our cybersecurity, to conduct exploitation and attack, to change the global order, to diminish our global role, our global standing, and enhance their own. They look at cybersecurity as the security of bordered sovereign cyberspace in which they intend to become preeminent, and they’re pretty clear about their objectives there.
We see more and more complex cyber operations representing the intersection of advanced cybersecurity technology plus really patient, disciplined, effective, well-resourced tradecraft on behalf of state actors and organized cyber criminals. So that interaction of great tradecraft and great technology in the hands of adversaries, cyber criminals, and state organizations is more than—it goes beyond public safety, and it goes beyond risk. It goes to the very—to our nation’s very standing in the global order and our role in preserving both national security and international security. So that’s what I really think is at stake here, and that’s why I think this issue is critically important.
That’s why when we talk about cybersecurity information sharing for R&D, I look back to other issues, other problems, and, Mike, you challenged me to be robust in my comments. So hopefully, I will rise, Mike, to that challenge.
But when I think about other problems in which our global standing and global role was at stake, nuclear energy, aerospace science and engineering, which allowed us to become preeminent in aerospace and eventually get to the Moon, these were areas in which we built national strategies for R&D, for nuclear science, for aerospace science. And having built those strategies, we started to build real information sharing architectures in the post-war era, and then eventually, we began to build information sharing, not only information sharing architectures, but organizations.
And so my contention and the contention of those with whom I’m working in the Intelligence and National Security Alliance, that if we’re going to be effective in cybersecurity, we need a national cyber R&D strategy to be able to deal with problems like securing critical infrastructure and SCADA systems and industrial control systems and highly virtualized systems and systems that run where workloads are allocated to different cloud environments, which expend—systems that extend all the way from your mobile device all the way through the shop floor on a shared infrastructure and possibly a virtualized and cloud infrastructure. We need to be able to do that, and we need to be able to do that if we are going to preserve our global role. And that means building up some kind of an information sharing organization for cyber R&D.
So the “what” of it, I think, is the future of our country, not just our safety, which is important, not just mitigating risk and buying it down, which is vital, but going beyond that to preserving our role in the global order. And the “what” of it is building up the strategy, which I think OSTP is charged with doing, but probably I wouldn’t say the results there have been as robust as we need—going from a strategy to an information sharing architecture and a real Information Sharing and Analysis Organization that gives us in cyber what we got out of nuclear energy, what we got out of aerospace, what we’re getting in some areas of biotech, but we now need in cybersecurity for our own national interests.
Let me stop there. I think I’ve gone on far enough, and clearly, we’re not going to get a smaller shark out of this, so we really do need a stronger boat.
MIKE ECHOLS: Great. So we have a very opinionated and learned panel, and so I’m really interested in hearing your insights on some of these subjects. As you can see, we’re trying to stretch the subject here so that we don’t miss an opportunity when we get in these workshops later, and we don’t want to paint ourselves in a corner. We want to think broad. We want to understand those things we need to be considering as we stand up a standards organization and we start looking to best practices and how we roll out an ISAO paradigm that takes us to the level that we need to be at for cyber protection going forward.
Sir, Mr. Riggi, your teams are out all over the country talking to people. You get to see the inside after an event. From a law enforcement and national security perspective, why is information sharing that important pre and post incident?
JOHN RIGGI: So pre incident—and as was repeated here over and over—really the primary function is to establish that trust. I can’t say enough how important having that preexisting trusted relationship with law enforcement is, whether it’s the FBI—or government in general, having that person you know in that government entity that you can call during an incident. Obviously, the other benefits are that when there’s robust exchange, you do have the ability to prevent, identify, and disrupt, perhaps, threats that exist, and as we often find, that government, whether it’s law enforcement, FBI, or the intelligence services, the national security such as NSA, CIA—we may have pieces of the puzzle of that cyber threat puzzle, but often it’s the private sector that has the remaining pieces of that puzzle, those clues and evidence that help us when we combine our information intelligence, help us form a picture of the adversary, what their intent and capability actually is. Again, this is unlike any other threat that the government has faced, that the nation has faced, where the majority of the activity is occurring on private networks, and contrary to what Eric Snowden has misled the American public to believe, the government does not see that traffic. Over 80 percent of the networks are in private hands. As I said, the intelligence and evidence lies on your network, and we have to combine that information.
The fact that the section I run in Cyber Division exists, it’s an outreach section. It’s the only operational division, Cyber Division in the FBI that has a permanent dedicated outreach section because we understand the value of the private sector information, and we have moved progressively—and I would say rapidly—to declassify information when necessary and push that out to the private sector. We understand that to defend private networks is to defend the nation.
I think I’ll give a little bit of an opinion here also. So post incident, you need to know who to call. You need to have that trusted relationship, and then there’s all types of local- and national-level resources that the government, DHS, Secret Service can leverage and be able to respond and help that entity.
Post incident—well, let me get that. One sec. So post incident, we understood that for the private sector to call, whether it’s the FBI or government in general, they need assurances from us that they will not be treated as someone who has caused harm to themselves. They need to be treated as a victim, a victim of crime, and that is in fact how we treat victim companies. When we do respond to an incident now, not only do we send our trained investigators, our computer scientists, but we send outreach specialists. We send victim witness specialists. Often these major companies have had their employees’ personally identifiable information compromised. They have to deal with reporting to their local police departments. We help them through that process. We also deploy internal and external communications specialists in helping the company message this out. We say this often, but we are not regulators, on the law enforcement side, whether it’s FBI or Secret Service, and we don’t call the regulators. We leave that decision to the companies, their attorneys, and the regulators to understand what their reporting requirement is. So we treat the company like a victim of crime. That engenders the cooperation and trust.
Going back to the FOIA Act regarding the creation of the ISAOs, I think the challenge will be for the group, how do you create an ISAO without creating another layer of bureaucracy which may inhibit those direct personal relationships that we need with companies? So that’s a collective challenge, I think, just as the challenge is to defeat the cyber threat. You know, I’ve heard the expression from Mr. Serino today about it’s a whole-of-government approach. I’d like to even expand that and say, look, this has to be a whole-of-nation approach. It has to be private sector combined with government. Thanks.
MIKE ECHOLS: So let me go right to you, Rich, then. All of these challenges that we’re talking about, all the comments that I receive, they may be related to cyber threat indicators, but they’re the same challenges that I heard about information sharing over the last 15 years, right? So what are some of those best practices? What are some of those challenges, and how did you guys get over them as you form this information sharing?
And if you guys didn’t know, Rich helped build the emergency management for Boston. He was integral at FEMA in building some innovative programs to share information and to get better data.
RICHARD SERINO: Well, thanks, and, you know, it’s a little interesting now after 40 years of saying “I’m from the government and I’m here to help” that it’s—sometimes people say that jokingly, but quite often they are. But the best way to help and the way that we did it was actually something perhaps unique, was listening, actually going out and listening to people and then listening to what they said and taking action after that. And I think that that’s really important to do, whether you’re dealing with a disaster that’s happening, but preferably you’ve done that beforehand, you’ve gone out and built the relationships as you’re starting to do now and have been doing for a while, is build the relationships with the people that matter. Something that we changed was the word, from calling people “victims” to calling people “survivors.” And we did that very consciously to change how people view themselves. If somebody is a victim of a disaster or a victim of a cyber event or a victim of a car crash, that presents it in a certain way. We consciously changed that to calling people “survivors,” that if you’re a survivor of an incident, whether it’s a flood, tornado, a fire, whatever it is, you have a much different view in how you view yourself and how the public views you.
And that led us to going down and looking at the whole of community, how we bring a lot of different people together, but I think the most important part is to listen to what people have to say. I spent time in every region, in mostly every major city over 5 years, talking to people in small groups, talking to survivors after disasters, talking to people before disasters, to build that trust, to build those relationships.
And for folks in the room and folks who are listening, I think one thing that’s important is to make your voices heard, and if Mike doesn’t listen to you, go to the next level, and if the Deputy Assistant Secretary doesn’t listen to you, go to the Assistant Secretary. And if the Assistant Secretary doesn’t listen to you, go to the Under Secretary. That’s where I was. I listened to a lot of folks, and believe it or not—I know this may be a shock to you—with every level that I mentioned, their information gets filtered. I know that may be a shock.
RICHARD SERINO: But trust me. Unless those individuals make an effort to go out and listen or you don’t reach out to them, they may not hear it. I can guarantee you that some direct correspondence to an Assistant Secretary, Under Secretary, maybe even the Deputy Secretary—it took me a while to figure out the chain there, but getting to them will make a difference. Make your voices heard, and assume that the next level up filtered what you said. So take the opportunity to continue to get your message out, and make sure your voices are heard because that’s what will change it. That’s what it’s going to take for participation.
MIKE ECHOLS: Thank you, sir. So, Denise, we know that ISACs or ISAOs—I’m going to get you all T-shirts to say that, but ISACs or ISAOs. With that being said, ISACs have existed—you guys have been doing this for a long time. What is the difference between an ISAC and an ISAO really, in your perspective and in the perspective of your members?
DENISE ANDERSON: Okay. So an ISAC and ISAO—and actually, I want to, if I can, circle back—
MIKE ECHOLS: Sure.
DENISE ANDERSON: —to some success that we’ve had as ISACs. The majority of the ISACs have been around for over 10 years. So as was mentioned earlier, FS-ISAC, who I work for, was formed in 1999. Many of us have been around actually 16 years and been very successful, and I think it becomes very clear when you talk to each of the ISACs that they are meeting the needs of the members of that community that they serve.
But where we—you know, we do information sharing, and we do do it fairly well in many cases, and I’m going to point to a couple examples in a minute to answer back to some success stories. But the ISACs also do much more than information sharing, and then again, what is information sharing? It’s not just indicators of compromise, as many might think, but it’s also sharing best practices. It’s sharing lessons learned. It’s asking questions of each other about how you’re doing things and how things work, and that’s what we see with our members. They’re not just sharing indicators of compromise, an MD5 hash or some kind of IP address or anything like that. They’re also sharing much more than that. And they truly are communities. So what we also do is we’re charged with incident response.
The other thing we also look at is we’re not just cyber. We’re all hazards, so we’re looking at physical as well as cyber. And I mentioned the NCCIC, but we also participate in the National Infrastructure Coordinating Center, and we have a role there. We have a seat there on the floor, which actually is pretty revolutionary, I would like to say. I’m coming from the private sector side. I’m saying it on the part of government. We used to have a seat actually at a special facility where you had to have a clearance and go in, and we would go in there representing all of the critical infrastructure, not just our sectors, because we had our National Council of ISACs hat on. But we came to an idea. One of us had an idea, “I’m going to approach the Assistant Secretary of Infrastructure Protection and say, ‘Hey, we have one of our ISAC operating centers here nearby. Can we not just have representatives from the NCCIC come to us and we all work together in the room?’” And she said, “That’s a great idea,” and supported it, and so now we have that in place, and we’ve drilled it.
So we have a response mechanism where all the ISACs come together. Whether it’s a cyber or a physical incident, we’re coming together. We’re saying, “Here’s the capabilities that we can bring to the table. Here are our needs as sectors, and how can we help each other?”
For example, one of the things that we did during—this is not a cyber incident, but it does use transactional data. During Hurricane Sandy, one of the things that we've operationalized as the FS-ISAC is we are able to take credit card transaction data and use that to make sense of certain things. So during Sandy, if you recall, fuel was needed, and there were many gas stations that didn't have electricity. There were people, just boots on the ground, who could not respond. What we did was we took credit card transaction data that was actually transaction-at-the-pump data, and we could take that. We supplied it to the NCCIC. The DHS then mapped it out geospatially, so that they could show what gas stations were actually operating and were actually pumping gas, so boots on the ground had that, and that got huge use and recognition across the board. So that's one of the ways that we can bring those capabilities to bear.
To circle back on the success-in-sharing side of things, because I think we’ve done it pretty well for a long time, I’m going to point to the FS-ISAC, and when we had the DDoS attacks of 2012, 2013 that affected the financial institutions, we—I like to say our members opened the kimono to each other, but in the case of the DDoS attacks, they not only opened the kimono, they gave each other massages. And the sharing that happened was just incredible.
DENISE ANDERSON: I know it makes them uncomfortable when I say that.
The sharing that happened was very—was just amazing, phenomenal, and incredible, and what we did was we had a select group, those institutions that were being attacked, and they were sharing real-time information with each other. We actually were sharing real time within the NCCIC, so government got all of our individual as well, anonymized, so that’s the beauty of an ISAC. We can anonymize and aggregate and give the sector perspective.
And basically, we also had a window into some of the bots, so we had a 15-minute heads-up when an institution was about to be attacked, and so you would say, "Heads up, Europe. Bank A, you're about to be attacked." And there were a lot of lessons learned from that, not just necessarily technical lessons, but a lot of best practices that came out of that. But basically, there are three things, I think, with information sharing. It's value, it's trust, and it's infrastructure, to provide the information.
And just as an example of information sharing at its finest, we had an institution—so what we did was we took that small group that was being attacked. We took the information, aggregated it, and pushed it out to the rest of the sector and also other sectors and our government partners. And the last day of the last phase, there was an institution that had not been attacked before that was attacked and had virtually no impact, and so I went back to them afterwards and said, “How was it that you were able to have no impact?” and they said it was because of all the information that was shared beforehand, all the best practices, all the IOCs, everything that had been put in place. They took it. They put it in their infrastructure. They were able to mitigate, and they had virtually no impact. I think that says it finer than any other thing.
MIKE ECHOLS: Thank you. Sam, you talked about the cyber R&D strategy, okay? So if we could progress science for information sharing the way that we did after, say, the Second World War with nuclear, what would that look like?
SAMUEL VISNER: Well, I think the existing ISACs are largely based on specific industries, but the new executive order talks about moving beyond industries into functional areas. So we're going to be setting a precedent here. This will be a different kind of information sharing organization for cybersecurity.
I think, Mike, we've got to do a couple of things first. We've got to define who is going to be in the cybersecurity R&D community, and if I go again back to historical precedent, because we're trying to set a new precedent here, I think of who was the nuclear energy R&D community in the '40s and '50s: key government agencies, key industrial partners. FFRDCs were stood up for some of this work. The National Laboratories were stood up, key universities—MIT; Harvard; Columbia; University of Chicago, with Stagg Field, where the first self-sustaining nuclear reaction took place. So the first thing that had to be done was to establish who would comprise that community, and I would submit that we haven't really done that yet. We need to.
The next thing that I think ought to be done, Mike, is we're going to have to establish a list of the key R&D problems we need to address. Cybersecurity is a huge field, but we're not going to do everything at once at the same speed, nor would that necessarily be wise. So after having established who comprises this community, we're going to have to establish something of a list of key problems that are going to need to be solved. For example, I'm going to be speaking next week at a NATO cyber conference in Istanbul about the problem of detecting and characterizing cyber weapons tests because we're not absolutely clear that we know when tests are taking place and when somebody is trying to figure out how effective their weapons are, what our response might be. And if we're going to deter cyber attacks, we need to be able to detect them, and if we're going to detect them, it would be useful to detect the development of those weapons. We don't know how to do that. That might be a key problem.
As we move to the next generation of critical infrastructure in this country—and Smart Grid, Smart Roadways—I live in Washington. We have a long way to go before that gets very smart, I can tell you. But we're going to need to understand some of the key issues related to securing the big data analysis that makes that work. That might be a problem. Smarter people, people who are much smarter than I am, are going to have to establish that list.
And then finally, the information sharing organization probably ought to play a role in maybe helping allocate effort against those key problems so that not only do we know who comprises the community and what are some of the key problems in order that they might solve, but something about the role that Microsoft might play or the University of Wisconsin might play or DHS’s cyber R&D under Doug Maughan might play, and begin to allocate some of those problems along with some of the milestones. And I think that the goals that we set for information sharing in cyber R&D can’t be one bit less comprehensive and ambitious than that, and I think that’s the direction in which we need to come.
MIKE ECHOLS: Thank you. So, Matt—and you get the last word here, as time permits—for all the comments that I’ve heard, for all of the submissions that I receive and the ideas that people have, a lot of them surround things that you guys have already overcome. This idea of having foreign entities and law enforcement and private sector in the same room sharing information, how have you gotten over those challenges, and how does that all work?
MATT La VIGNA: Well, from back in the beginning, it was overcoming that classified environment, and then once you did that, it's building trust. So we've heard that. We've only just started today, and we've heard that how many times? That's got to be the capital-letter word of today, building the trust. You build the trust by establishing those personal relationships and then walking the walk. So what you say you're going to do, you do. You don't break that trust, number one, and you act on the information that you receive.
In the trust, obviously, somebody is going to join an organization and “Hey, we think you should join our organization. Here is what we’re going to do,” blah, blah, blah. Okay. Sign me up. But initially, they’re not going to openly share information. They don’t know what it’s about. They want to take a look first, “Let’s see what’s going on,” and see results. So is there information coming back to me? So they are going to—and this is just the human factor. They are going to see is there something of value here and am I getting anything out of this. Do I see something coming back? Well, what’s coming back is not necessarily—and what we’ve done is—not necessarily coming back from us. It’s coming back from other partners, other members. They are sharing the information amongst themselves, “Here is what we see. Here is what we did about it. Does anybody else see this? Is anybody else affected by this?” Now, that could be within a certain communication channel, but by having the human factor again conduct the analysis—so you have the information sharing and then the analysis on top of that information that’s being shared—you’re able to cross that from different communication channels, different subsets, sub-organizations, working groups, focus groups, what have you. The analysts that do the work have to be able to see across all of those sectors to know that this information that came from one is similar, same, or affects information in another, and then those correlations have to be put together and then pushed back out. Obviously, it’s in a timely manner. We hear back from industry all the time that it has to be timely. If it’s not timely, it’s just not information. The incident is over. It’s gone. “I missed it. Thanks for sharing, but it’s too late.”
The other thing is that it has to have context around it. So when you are sharing information, the analysis puts context around the information that was received, not just "I'm getting hit by these IPs," or "I'm getting hit by this," or "this is happening." It's "Give me some context," and again, this is what we hear from industry, is "Give me context around what you're telling me." And so that's critical.
So it’s earning the trust. I think over the years, what has happened is it’s earned the trust. I can say that from a government side—so obviously, we have industry, and we have government, cat sleeping with dogs in one place here. The government side, it was only the FBI when it started, so that’s just one agency. If we had one agency and one industry, we’re not really doing too much, but over time, the trust was built amongst the law enforcement agencies that are there. That was 2002. Now it’s 2015. Secret Service just embedded last year, 2014. That took 12 years. So it does take time. The relationships were there. I can say the trust was there at a local level, so we built that trust up. Before that, there were multiple law enforcement agencies that joined, and it was building that trust that was just critical.
MIKE ECHOLS: So this brings our panel to a conclusion, but I want to give Mr. Riggi the last word here, our FBI partner.
JOHN RIGGI: I appreciate that. First of all—well, let me just say, I forgot to mention, I am from Boston, but when the FBI sent me to Birmingham, Alabama, 27 years ago, I started to pronounce my r’s, but—quickly.
JOHN RIGGI: Again, the themes here, echoed here today, wholeheartedly agree. It absolutely needs whole of government, whole of nation. The discussion, we need to hear from the private sector. Be critical of how the government interacts with you. Tell us what we're doing wrong. Tell us what you need. Be aggressive on your request for information. We do have a saying here in our section, "Share till it hurts," which goes against many of our operational components, but understanding we learned—we the government learned after 9/11 that the emphasis must be on preventing harm, and we learned after 9/11, you just declassify information and push it to the public, to the private sector, who are truly your partners, to help prevent harm, national security harm, public safety harm, and economic security. That is the way. Even we learned how to take declassified information in the government, downgrade it, push it out, or create unclassified information for prosecution purposes. So we understand emphasis must be placed on preventing harm, and that's where we'll need to engage with the private sector to do that collectively. Thank you.
MIKE ECHOLS: Thank you. Thank you, panel. Appreciate it.