Note: This page is part of the us-cert.gov archive.


Information Sharing and Analysis Organization (ISAO) Workshop, June 9, 2015, Part 3 of 7

Description

Advanced Cyber Security Services (ACSC)


Transcript

MIKE ECHOLS:  All right.  Next, representing ACSC, we want to bring Mr. Mick Costa to the stage.  Mick is the Assistant Vice President of Network Security Services at the Federal Bank of Boston.  In this role, Mick is responsible for protecting networks against cyber threats across the entire Federal Reserve system.  Mick?

[Pause.]

MICK COSTA:  So good morning.  So I am Mick Costa from the Federal Reserve Bank of Boston, and as was mentioned, I’m responsible for network security across the 12 districts of the Federal Reserve.  The Federal Reserve is not government, except for the Board of Governors in D.C. with Janet Yellen, but the rest of us are dot-orgs, and we’re sort of this quasi-government organization.

I’m here today to talk about the Advanced Cyber Security Center.  Again, it is one model of cyber threat sharing of an ISAO, I guess you would call us, and I really want to talk about sort of this model—there are a lot of models of sharing—and a little bit about what the ACSC is all about.

So it’s a—I guess we’d call ACSC a national model.  It’s cross-sector, and I’ll talk a little bit about that.  And it’s focused on New England and primarily within Massachusetts.  So we are a regional organization and really there to support information sharing amongst other activities.

So there are three areas that the ACSC is associated with.  One is information sharing, which is really about, I guess you would say, most relevant to the ISAO conversation in terms of how we share cyber threat intelligence; R&D and education, about promoting research and development, working with universities to bring up a cybersecurity workforce; and then policy development, again, how do we promote good government policies to help support information sharing, cyber threat sharing.  It is a nonprofit consortium supported by the Mass Insight Global partnership.  Again, it’s a Massachusetts-based organization.

So the ACSC and what I am going to talk about today is really about information sharing.  The other areas, even though they are parts of the ACSC, I am really here to talk about cyber threat sharing and the initiatives there.

So I was thinking, as I was putting these slides together, how do you carve up cyber threat sharing, information sharing in these areas, and there’s a lot of ways to slice and dice it.  And I wanted to talk about sort of the context of what the ACSC does amongst other kinds of threat-sharing models.  I guess one model I was thinking about is sort of the producer-consumer model.  So you have an organization that produces cyber threat intelligence.  They produce the information.  They are the clearinghouse, and they provide it to consumers.  Now, consumers might be people who pay for the product or just participants in cyber threat sharing, but they really get the information from their producer.  It’s a one-way flow of information.

Another model that I was thinking about is producer—I guess redistributor, and again, I’m just making up these terms; I’m sure there’s plenty around—where you have, again, an organization that produces cyber threat intelligence, again, gets that information from whatever sources it can, but it also has a set of consumers that are also producers.  So I think about these organizations or these companies that do gather cyber threat intelligence.  They delivered it to their consumers, but they are also looking to the consumers to bring information back to them.  So either they are reporting back on incidents.  Maybe they have sensors that have been delivered to them that are collecting information about them.  So it’s a two-way—you know, it’s a two-way path of information where the producer is also a redistributor of information, usually anonymizing it and giving it back to the consumers.

Third, I was thinking about sort of the facilitator redistributor, so where you have sort of an organization that does not produce its own cyber threat intelligence.  It doesn’t collect the intelligence.  It’s not the place that is generating intelligence information.  It’s really providing more of a facilitator role with the consumers and producers.  So you think about organizations that are participating.  They have threat intelligence, and they are going to share that threat intelligence.  They work with a facilitator to facilitate those discussions and those interactions amongst each other and also help to redistribute that information back to the consumers.

Next is the, I guess, purely facilitator role, which is really organizational.  So you have the consumers and the producers sharing information.  The facilitator really plays a role in terms of just making sure that they are communicating with each other, sort of provides that—just a pure facilitator role, but not a redistributor.

And then last, I was thinking about peer to peer, and I have been in security, in the security area for many, many years.  And that was the first model that I actually participated in.  It was a group of organizations, different organizations, different CEOs, different structures, and we sat around a table a few times a year to talk about our security programs, to talk about what we were doing, and it was purely face-to-face, physical, with no NDAs in place, nothing in place except for the fact that we trusted each other, that we were going to talk about what we were doing, and trusted each other that we would not divulge or use that for any nefarious purposes.

So I think about the ACSC, I would say we’re pretty much in this facilitator, redistributor role.  So the Advanced Cyber Security Center itself does not produce cyber threat intelligence information.  It doesn’t have its own sensors.  It doesn’t go out to different places to go collect the cyber threat information.  It really is partnering with the consumers and producers to collect that information from them, to share that information, and help redistribute it amongst the different participants.  So that’s really where the ACSC, I guess, would fit within this set of models, and again, there are plenty of these kinds of models out there.  We can talk about who participates, the makeup of the participants, the scope in terms of geography or reach or different sectors, lots of different ways of slicing and dicing it, but I thought from an ACSC standpoint, it would be good to talk about just sort of how we interact.

Now, as part of the Federal Reserve, you would consider us as one of the consumers and producers, and each organization that participates is also in that role to different degrees.  And I’ll talk about that in a little bit.

So the Advanced Cyber Security Center—so we talked about sectors.  We talk about participation.  We talk about who does what.  So here’s how the ACSC works.  One, it’s cross-sector, so there’s multiple industries.  It’s financial.  There’s technology industries.  There’s health care industries, governments, sort of this pure government organizations, and FFRDC.  So MITRE is definitely a primary participant and organizer within the ACSC, and in fact, what we do is we have meetings twice a month.  So every 2 weeks, there’s an ACSC face-to-face meeting.  It’s held at MITRE on one week and held at the Federal Reserve in Boston 2 weeks afterwards, and actually, there’s one occurring this morning that I would normally be at if I wasn’t here.

The participating organizations are primarily within Massachusetts, and the biggest reason for that is—we talk about trust.  We talk about information sharing.  We talk about having a dialogue.  These are facilitated by the ACSC, these meetings.  I’m a chair of the meetings.  There are other people who share those responsibilities too.  And they’re face to face.  We sit down across a table with all of these organizations participating, and we share information.  We share information about what we call threat landscape presentations.  So threat landscape presentations are presentations that organizations will give about incidents, about indicators, about TTPs, about basically the kind of things that we’ve seen.  And the good thing about this kind of dialogue is that the information is real.  So if we think about getting a deluge of information that you can get from lots of places, these are things that have been—this is usually information that’s been vetted.  It’s been seen.  We talk about which indicators are actually finding these actions and which indicators aren’t, so what’s really working, what’s not working.

We also have discussions about our programs, our projects, our approaches.  So we talk about how we do risk management, the kind of products we’re using, the kind of architectures we’re talking about, the designs we’re using, what’s working, right?  Because we all have security programs.  We’re all making investments.  This is big money we’re spending.  What’s working?  What really are people doing?  What are they thinking about?  Sometimes it’s throwing spaghetti at the wall.  It’s saying, “We’re looking at going down this path.  Is anybody else thinking about doing these things?”

We also bring external parties into these conversations.  We’ve had presentations from commercial vendors, from other organizations, from government.  People will come in that are invited to come in to talk about what they’re doing, what their approaches are, and it’s good for all of us to hear those things, and then we have a portal for information sharing.  Again, that’s part of that redistributor facilitator role that the ACSC plays.  It is really a clearinghouse for the information that we’re sharing on a biweekly basis.

So the benefits—again, we talk a little bit about that during the day.  The face-to-face in-person meetings establish trust, and it takes time.  So we’ve had people who have been in the ACSC since the beginning, and we have new participants who have been coming in over time.  And you do see that sort of emerging trust from the new participants as they join.  Those of us who have been there for a while understand how it works, understand the model, understand that the information we’re talking about is to be shared amongst the participants.  We don’t attribute any conversations outside of the ACSC.  So there definitely is a large willingness to share, to collaborate, and again, we filter the information that we’re talking about to those things that we think are really actionable and really useful to each other.  We usually don’t go in there and talk about things that really aren’t going to affect our ability to better protect ourselves.

Now, with that said, there are legal agreements.  I mean, if you work at the Federal Reserve Bank of Boston, pretty much everything we do has to be bound by a legal agreement, and so there are NDAs in place to formalize the protection and the participation there.  But really, the benefit is from the face-to-face conversations.

Cross-sector participation does highlight the different views, perspectives, approaches, and priorities.  I guess when we think about cross-sector, we can sort of wave our hands and say, “It’s a good thing.  It makes sense,” but why does it make sense?  I think what we see within the ACSC is that there’s a diversity of opinion, of approaches, of environment.  When you talk about having a government organization come in with one view where you have an organization like MITRE who has a different view, the Federal Reserve definitely has a different view, right?  So we all are looking at protecting different things.  Our priorities are different.  I know from the Fed’s standpoint, you know, we have an enormous amount of transactions that go through the Federal Reserve on a daily basis that we need to protect.  So those things, we think about integrity.  We think about keeping service available.  We think about protecting information.  When you have other organizations that may have different priorities, universities have different priorities.  So our ability to get together and talk about what we’re focused on, what we’re doing, and getting those different perspectives really helps us all, right?  So we’re not all the same school of thought.  We’re not all coming from the same place and saying, “You know what, we’ve all heard the same thing from the same people year after year, and we’re all doing the same thing.”  Here we are definitely getting a diversity of opinion.

And then we get the benefits of small groups.  Again, once you get an enormous group together who is trying to share information, you start getting sort of that—I don’t know—an unfiltered set of information that may or may not be useful to you.  When we get small groups, we can really question each other.  We can test each other.  We can poke at each other, and our ability to really sort of filter things down to information that’s useful is really, I think, much more achievable when you have smaller groups.

What that right size group is, I think we’re still working through.  The ACSC started very small.  I don’t know the number of participants, but it definitely has grown over the years, and so you really have to think about how many people you want in a room before it becomes too large.  And again, we have that ability to ask questions and have conversations.

Now, so those are the benefits.  The challenges sometimes we get from a group like ACSC is that not everybody comes in—and again, this is with any group.  Not everybody comes in with the same level of experience, with expertise, with an ability to contribute.  So you may have people who are clearly experts in the field who know how to manage incidents, know what to look for, and they tend to be the leaders within the ACSC, and they are really—you know, they are mentoring I think some of the other participants.  Other participants come in, and they are much more in a learning mode.  They are there to learn from each other, ask questions, but they may not have the ability to really, I guess, drive the conversations as much as others.  So when we think about what the ACSC does or any sharing group, we really have to think about who the constituents are and what the expectations are when they come into that organization because it’s very difficult to bring people together and invite participation and then manage the fact that not everybody is going to be at the same level and is going to be at the same level to actually get things done or participate or educate each other.  So those are things we constantly work towards when we even think about the small group approach for ACSC.

In terms of feedback, this is surveys that were done a while ago.  The vast majority, I would say from ACSC membership is that they are getting actionable intelligence.  So again, they are not just learning about neat stories and things that are going on and saying, “Hey, that was interesting.  I heard a great story.  I’m going to bring it back and tell people.”  It’s actionable intelligence.  It’s things that they can go back and do, and part of that is what we’re learning about in incidents, what we’re learning about in terms of sharing what our programs are, what we’re doing in terms of technologies where we’re deploying, anything that we can talk about to say “Hey, this works” or “This doesn’t work.”  People are bringing that back and using that within their organizations.

You know, people are saying that this is helping them with their security posture, helping them to defend themselves, and they feel that their organizations are more secure.  And as you’ll see, 63 percent believe that their skills are getting increased by participation.  Again, that goes back to who the participants are and what each one of them are getting out of it.  So certain people are coming in there, and they are definitely helping to drive the conversation and educate others.  Other people are really getting the benefit of having their skills increased.

In terms of recognizing the value of the ACSC model—and I am definitely not going to read through all of these things, but, you know, we are getting more recognition in terms of that small team model where we are looking at getting more conversations with our participants, feeling that we are really getting actionable intelligence out of this, out of the organization.  And again, this is small scale.  I know that there are organizations who are looking at replicating this kind of model within other geographic locations because, again, part of what we’re looking at is those face-to-face meetings between people.  And once you start having large geographies involved, it makes it more difficult.  Even if you’re starting to do it over video and across the country, it’s still more difficult when you do that than when you have people in the same room.  We take breaks.  People congregate.  People can talk about different things, even informally.  That’s a hard model to do when you’re not doing it physically.

And I think—I know we have a short time, so I think that’s pretty much it.  Charlie Benway, who could not be here today, he is the Executive Director of the Advanced Cyber Security Center.  So I’m leaving his contact information here.  It should be made available.  So if you have an interest in learning more about the Advanced Cyber Security Center, definitely contact Charlie.  He’s local, here, but obviously he’s available at any time.

I wanted to talk about the ACSC and participation in the ACSC, but also to talk about the model, so how is the ACSC organized, how does it work, and is that something that other people could walk away with and think about when they’re thinking about ISAOs, what they can do in those kinds of areas.  Again, if you’d like to talk to me, again, we’re a participant.  We definitely chair the ACSC organization.  If you’d like to contact me and talk further about our participation and how the Federal Reserve gets benefits out of that, definitely contact me.  I’d be more than welcome to invite any conversations.

If anybody has any questions, I know that we’re short on time, but if anybody has any questions about ACSC or small groups?  Yes.

ATTENDEE:  With all respect, how much money does it cost to run the organization, and where does your money come from?  If you can’t say—

MICK COSTA:  So there is a fee to participate in the Advanced Cyber Security Center, and I’ll let Charlie talk about what the actual costs are.  So the ACSC, I believe, is funded partially out of Mass Insight, which is a local organization, but it’s primarily through the membership of the participants.

ATTENDEE:  What’s the cost?

MICK COSTA:  I actually don’t have that cost information on me.  I’m going to leave that to Charlie because I’m not sure.  I think it depends on different levels of participation, but I am not sure of the costs.

ATTENDEE:  Again, I’m not trying to pry but—

MICK COSTA:  Sure.

ATTENDEE:  —ball park?  Is it like a million dollars a year?

MICK COSTA:  It is much, much, much less than a million dollars a year.

ATTENDEE:  Is it 500,000?

[Laughter.]

MICK COSTA:  It’s much, much less than $500,000 a year.  No, really, because when you think about it, we have—you know, even though I know you think about the Federal Reserve and maybe we’re printing money to go join this—

[Laughter.]

MICK COSTA:  Which we don’t print money.  But you think about we have universities.  We have Boston University.  We have MIT.  We have Northeast, and we have UMass.  So, I mean, we have organizations there that do not have the size wallets to be able to spend big money on this.  So this is something that has participation from—I would say from organizations that don’t have giant pockets.

I will say that a couple months ago, I gave a talk at actually the North Shore Chamber of Commerce, so one of the chamber of commerces that’s local, and that’s much smaller organizations, right?  And one of their questions was “How do we get the benefits of an ISAO?  Right?  So we’re small.  We’re mom-and-pop.  We’re not a university, or we’re not certainly the Federal Reserve.  We’re not a giant organization,” and that’s a difficult question to answer.  So we’re definitely not at the level where we can have a three-person company come in and join us, for they probably couldn’t afford it, but also it doesn’t take a JPMorgan Chase or a Federal Reserve to join either.

ATTENDEE:  So the answer to that gentleman’s question, it is posted online.  So I feel like I can say it to folks here.

MICK COSTA:  Sure.

ATTENDEE:  [Speaking off mic.]

ATTENDEE:  [Speaking off mic.]

MICK COSTA:  So I would say if we think about the Advanced Cyber Security Center—and they sort of have those three pillars of what the ACSC does—one of those pillars is a cyber threat sharing.  Other ones, another area is R&D.  It’s education.  The other one is legislation.  So there’s—the funding for ACSC isn’t just to do the cyber threat sharing.  So it is to cover the entire bulk of what the ACSC does.  If you were standing from an organization that was purely going to do the cyber threat sharing, the cost model would probably be different.

MIKE ECHOLS:  Thank you.

MICK COSTA:  Thank you.

MIKE ECHOLS:  Thank you, Mick.  All right.  Thank you very much.

[Applause.]

[Break.]