Workshop Breakouts: Track 1: Forming ISAOs Panel
This is an audio file.
ROMAN DANYLIW: [In progress]—your seats. So I’d like to welcome everyone to Track 1, which is the Forming ISAOs track. Just in case you’re in Track 2 or 3, that’s either in the Learning Center or Room 120.
This is the start of us diverging from talking about things in general to really rolling up our sleeves and getting into the, getting into the specifics, so with this desire to really get your feedback on the Executive Order, the execution of it, or recommendations you may have, DHS organized all the different topics into one of three tracks. We are focused on things like models for creating ISAOs, how they might be used, and figuring out what some of those lessons learned might be.
Logistically, what we’re going to do is first start with a panel of organizations and individuals that have a lot of experience with information sharing, and they may be your future partners at some point. We’re then going to break for lunch and have two breakout sessions. The first breakout session is going to focus on topics related to what relationships ISAOs could have with their constituency, with the government, and what are the ways in which these ISAOs may ultimately be designated, and how should some of the various baseline standards be defined. And then the last breakout session we’re going to be largely focused on lessons learned, the incentives, and what might be shared visions and other challenges and opportunities to forming ISAOs.
The very key thing to remember here is that DHS wants to hear from you, wants to hear about your opinions on this, and you speaking up is an opportunity to provide that feedback. Everything that is said here is going to be, if it’s in this auditorium is going to be recorded. In the other rooms it will not be. But all of your comments will be aggregated into a white paper, and that white paper will distill the various themes and ideas that were shared here, and the intent ultimately would be to share that a couple of weeks after this event, first, of course, with DHS, with you as the participants, with the general public, and it will be the basis of concrete feedback given to the standards organization.
One logistical piece of help. Good feedback and a good, high-quality white paper is going to come from your comments, but one logistical place that would really help is that my colleague Jeff Apolis, sitting here up front—if you could raise your hand—is going to be helping us with the note-taking, so just in case we might have to find you later, if you could perhaps speak your name or your affiliation. That will help us locate you if there’s something follow-up that we, we might want to have.
And with that I want to turn it over to starting our panel. So chairing our panel is my good colleague, Carlos Kizzee, who is the Executive Director of the Defense Security Information Exchange. Carlos, please come on up and help us get this panel started.
CARLOS KIZZEE: Thank you. Thank you, sir. First and foremost, let me give a reminder to our esteemed experts on the panel. I’m not so sure. I was standing in the back, back there, and especially with the road noise from outside you might want to speak into the microphone because it’s probably a little bit hard to hear in the back. Likewise, if you can’t hear, just give us a signal or something like that, so, so we will know.
So Roman introduced me, Carlos Kizzee. I am the Executive Director of an ISAO, the defense industrial base’s Information Sharing and Analysis Organization for Cyber Security, the SIE. One thing I want to kind of stomp the foot on, as we’re talking about ISAOs—there is nothing new about ISAOs, right? The term has been around since 1998, 1999. I mean, the Homeland Security Act actually has the definition in it, and that was written in 2002, or published in 2002. It was actually written probably around 2000. So information sharing analysis organizations have been defined and have been in existence, and many organizations—Mike Arceneaux right there represents one—many organizations, ISAO organizations, have been around since 1999, 1998, and so on. Mike is the, the Director of the WaterISAC. So ISACs or ISAOs.
And there are today—I’m not sure, Roman, if you would be able to tell me. I know we, the Defense Security Information Exchange, signed an agreement with DHS, and we named our legal and organizational name as the DIB-ISAO, but there are other organizations that today are calling themselves ISAOs and are, are standing up and being established. So I want to be really, really clear that this concept that we’re talking about, not a new concept, and it’s important for us to realize that what we are talking about is not a name or a title. It’s a functional set of activities that have been going on for a long time.
And how do we improve that? Our panel represents two government agencies, an FFRDC and a nonprofit organization, all active in the area of cyber threat intelligence and in partnerships and partnering. I’m the moderator of the panel, and in that role I, I also represent an ISAO, as I’ve said. We’re not here as a panel to discuss or to inform on how to form an ISAO. Odd, because isn’t that the topic of this, this discussion? What we really want to talk about is informing aspects of ISAO formation. We want to talk about what are some of the things that you might need to do, and there’s one particular area that I really, really want to tease out with this particular panel.
When forming an ISAO, a key consideration that you have to decide, and have to come to grips with, is, whom is relevant as your partner? Who should I connect with and why, for what purposes? And I think that that “whom” is one of several very, very important things, because the “who” I’m going to connect with might define what particular models, like the last speaker was talking about, what models for ISAO formation. Am I going to be a distributor to other partners? Am I going to be a facilitator? That type of thing. And so that’s why having a couple of government agencies or entities who partner with ISAOs, with ISACs, and with industry parties is a good idea.
Also, whom you partner with may also define particular opportunities and particular challenges for you, as an ISAO, things that you want to take into account and to consider as you’re forming that organization, as you’re developing and maturing your business processes and operations. And, you know, I don’t want to underestimate what, what Larry asked, you know, the question he asked—how much does it cost? I mean, what is that I’m going to do? I mean, there’s a whole lot of factors that you have to consider. What I want to focus on here is, who are some of the partners? Who are some of the entities that you’re going to connect with, and how should that happen, and what are some of the concerns with making that happen?
So, we have a panel of folks, and I will introduce them, starting from your left, my right. Brian Scully, the Deputy Director for Policy, DHS Infrastructure Protection; Bruce Bakis, Principal Engineer for MITRE; Stacy Stevens, Unit Chief, Cyber Division, Federal Bureau of Investigation; and Maria Vello, the President and CEO of the National Cyber Forensics and Training Alliance, which really isn’t fair because they’re kind of double-dipping here, but they’re worth it. What a great organization. They’ve been a really effective partner for many of us, for years.
MARIA VELLO: I tried to get on three panels.
CARLOS KIZZEE: Yeah. See, and, and if you could be in two places at once you could be in one of these two breakouts.
So what we’re, what we’re going to do—and here’s how this is going to flow, no surprises—I want to give you an opportunity to get to know them. So I’m going to ask two or three questions of them as a panel and let them answer individually, and poor, poor Brian, we’ll start with Brian and work our way down. After I ask those questions, I have a series of questions here that are really boring and softballish and easy for them to answer. If you don’t have questions, I’ll ask my easy, boring questions, but I’d really encourage you to ask some hard, tough questions, because these are really, really smart people, well-seasoned people.
So that, that’s the process we’ll go, and I would like very, very much to—when you ask a question, I don’t know if we’re going to hand the microphone out—when you ask a question please be considerate that the room is big and the acoustics are horrible. So speak up on your question, and, panel members, if we don’t have a good feel that everybody has heard the question, if you don’t think, maybe we could repeat the question when we give the answer.
The last thing I would ask if you do ask a question, please give us, if you’re willing to do this, the opportunity of understanding who you are. Just kind of introduce yourself so the panel knows, you know, what you’re speaking from. And given what Mike has said before about anonymity, if you’d rather not do that you’re welcome not to do that. But I really would like to give the panel the opportunity of knowing whom they’re addressing, so that they can answer the question appropriately.
Does that all make sense and that’s all fair?
So let me now ask the panel, who are you and what do you do? And, sir, I’ll start with you.
BRIAN SCULLY: Great. Is this on? Am I good? Oh, sorry. Pulled it right off. I’m not going to touch. So good morning. My name is Brian Scully. I want to thank Mike for inviting me and Carlos for facilitating the session. It’s a great opportunity for me to, to get out of Washington for a little while, which is, which is always good. So as Carlos said, I am the Deputy Director for Policy and Strategy at the Office of Infrastructure Protection, which is within DHS. We are actually within the same organization within DHS as the cyber folks, so Mike’s team. We’re just a different entity within there. So they’re focused on cyber. We’re a little heavier focused on the physical security side of infrastructure protection.
The reason I’m here today, and, and the core of the work that I’m doing, a big piece of the work I’m doing now at, at Infrastructure Protection, is developing a threat information sharing framework, which is looking across—and we’re doing that in, in partnership with the FBI. I don’t want to throw out all sorts of—so the, the Federal Government has a proliferation of strategies. One of those strategies is the National Strategy for Information Sharing and Safeguarding, which many of you are probably aware of. Within that there’s a, a call to develop this threat information sharing framework. It talks about how the Federal Government shares threat information with critical infrastructure owners and operators.
So DHS, along with the FBI, are co-chairing, a, a—it’s both an interagency and it includes private sector, it includes sector partners, and it includes nonprofits, state and locals, to develop this framework. Essentially what the framework is going to be is more of a guidebook. So we’re trying to identify a niche space. There’s a lot of—everybody’s doing information sharing these days, so what was something that we could do to, to provide some value. So it’s, it’s more of a guidebook in a sense. We’re going to try to identify the existing systems and mechanisms that are used for the Federal Government to share information with private sector owner/operators—well, all owners and operators. We often say private sector but it’s sustainable for governments also, and quite a bit of infrastructure as well as the Federal Government, for that matter.
So how is, how does the Federal Government share information—threat information, in particular—in cyber and physical threats, not natural hazards and things like that, with critical infrastructure owner/operators? We’ve had a few meetings. We’ve invited Mike to, to one of our meetings, and so we’re trying to lay out what the current systems look like. How do we currently share information? How does it currently work? And the idea is that people can really take a look at this and understand how the Federal Government is pushing the information out and how we’re getting it returned, so if they want to plug into the systems that exist, that there’s a clear and easy way to understand how to plug into those systems. We can talk more about how ISAOs fit into that, which is obviously a clear connection. The ISAOs would be a core part of the framework, as well as the ISACs.
And so that’s roughly what I do. I don’t want to overshoot my time, because we also have lunch following this, so I don’t want to get in the way of that either. Just by way of background on myself, though, I’ve been at DHS since the beginning. I’ve spent 8-1/2 years at FEMA. I’ve also spent 3 years at the DHS Office of Intelligence and Analysis, and I came out of the private sector to join DHS, so just some history.
CARLOS KIZZEE: Bruce, same question. Who are you and what do you do?
BRUCE BAKIS: Well, first of all, thank you to the Department of Homeland Security and Carlos for helping to prepare this panel. I am Bruce Bakis from the MITRE Corporation, and I’m a cyber engineer, and I’m focused on—many of our corporate initiatives are relating to cyber, in particular, to helping to form partnerships. Consistent with MITRE’s mission of operating in the public interest, we are helping to catalyze the number of partnerships, similar to the Advanced Cyber Security Center. We’re doing that across the country and even internationally. So that’s really part of our focus.
In terms of the importance of partnerships to MITRE as a corporation, it’s really one of the key pillars in MITRE’s fundamental cyber strategy, which includes threat-based defense, operational innovation, resiliency, and partnerships is really at the cornerstone. And so we believe, much as we’ve heard today, that there’s much to be gained by operating in terms of a team sport type of approach, and MITRE is a member of several defense-related consortia, as well as a number of others. So we probably participate in five or six sharing consortia, and we derive tremendous value from those relationships.
CARLOS KIZZEE: Awesome. Stacy, who are you and what do you do?
STACY L. STEVENS: Well, first of all I’d like to echo my panelists’ remarks by saying thank you to you and Mike for inviting me to be on the panel. I am a unit chief in Mr. Riggi’s Cyber Operations section. It was formed back in 2013, in order to decide how we want to share information with the private sector. Obviously, this has been going on with our field offices, at the tactical level, but what we really wanted to do was enhance the way we work with the CISO, C-suite level individuals from larger corporations in the five, top five what we determined were critical infrastructure, and that would be banking and finance, energy, transportation, IT, and comms. And we also added public health a few years back.
So what we really try and do is reach out to the folks and bring them and give them classified threat briefings, and give them an understanding of what we do and why we do it, and some of the limitations that we have for sharing information. Some of that can be, if it’s an ongoing investigation or an ongoing intelligence matter. But we really wanted to open up the coffers and say, “Hey, here’s what we know about a specific threat. Can you help us and let us know what you know about that threat?” As Mr. Riggi did say, it’s a puzzle, and I know, in the past, we had always gotten the comments that “When we work with federal law enforcement or other law enforcement partners, it’s like a black hole. We give you information; we don’t get anything back.” A lot of that is because we may need what you have out there, in order for us to figure out what really is going on. So that was part of the reason and the strategy behind developing my unit, is to really get out there and say, “Hey, we need your help. You need our help. How can we do this together?”
We also have another unit within the operational division that does outreach, and that’s our Cyber Investigative and Resource Fusion Unit. That sits in the Pittsburgh field office and it sits with the NCFTA, and, again, I know, Mister, or Carlos had said how beneficial it is having the NCFTA, and it’s crucial for us to be a part of it because we’re able to look at national-level initiatives with our private sector partners, with other law enforcement, with academia, and say, “How do we want to prioritize and how do we want to address these threats?” So we do that as far as outreach is concerned too.
We also have the InfraGard Program. We program manage that. We provide resources out to the field offices in order to support the InfraGard Program. Again, that is individually based and as long as you have some sort of affiliation with the private sector, as far as the critical infrastructure sectors or academia, you can become a member.
My opinion is that that’s probably considered an ISAO as well. I’m not sure if, at the national level, we do have a national level program, and then we also have the 83 chapters. So I don’t know if they would be one big ISAO or separate ISAOs. But it is going to be interesting to see how we should form and why we should form these. Is it just to information share? Is it going to be the ability to really work on some sort of imminent threat or look at some sort of national-level cyber matter that needs to be addressed? So it will be interesting to see how these all develop as they form, so I’m looking forward to having a conversation about this.
MARIA VELLO: Good morning. I guess still good morning. All right. We’re still there. I’m Maria Vello. I’m the President and CEO of the National Cyber Forensics and Training Alliance, so NCFTA. The name certainly is not indicative of what the NCFTA does, and I’ll talk a little bit more about that. But Carlos, I would be remiss if I didn’t say thank you for inviting me. My fellow panelists, thanks for being here on the panel, and I’m glad to be here. I’m honored to be working with you. And thanks to the audience for really listening and really taking, you know, an interest in the ISAO and what’s going to happen and how this is going to be formed.
But the NCFTA is located in Pittsburgh, Pennsylvania. We are a nonprofit. We’re a 501(c)(3). You know, our mission is really to work with government agencies, academia, private industry to combat cyber crime on a global basis, or neutralize cyber crime on a global basis. So what we do, we’ve been in existence for 13-plus years. I really think that that, in my opinion—and this is my humble opinion—that we are one of the poster children for, you know, information sharing, and it’s not just information sharing. It’s really resource sharing too, because if we can, say, share information, and we can share resources, then we can save everybody time and cycles also. And I also challenge you to say, when we talk about information sharing, what do we mean, you know? Everyone talks about information sharing, but is it just indicators of compromise? Is it preventative, proactive? You know, because I think it’s too late if we’re looking at this and taking the approach of after-the-fact.
So one of the things at the NCFTA, that we do, is really we look at, you know, identifying the threat, looking at who’s doing what to whom, how are they doing it, where are they doing it from. As Matt mentioned this morning, we get information from private industry. We take that information. We anonymize it. We sanitize it. Our analysts, a lot of whom are multilingual, they, you know, look, go search across the Internet through open source social media tools to add intelligence to that information. We turn the information into intelligence that’s actionable. And you hear the word “actionable,” so things that we can give private industry, that they can be preventative and proactive—how do you put up your defenses to prevent something from happening? How do you make sure that you have a flag in your systems, to alert you when something is potentially going to happen?
And then we also, you know, work with law enforcement to, you know, give them actionable intelligence. They have their—you know, we save them time and resources. We kind of find the needles in the haystack, to identify where we think the threat is coming from. They replicate. They duplicate. They have to enhance everything. But they’re the folks that they have to go out, seize assets, seize funds, and make arrests. If they don’t do that, then everything we’re doing from an information sharing perspective is for naught. We’ve got to be able to neutralize the crime. You know, we’ve got to be able to stop it from spreading, and the only way to do that is by, you know, putting handcuffs on these people. And you have to have strong prosecution. So I think there’s a number of different areas, though. If we want to be successful as ISAOs, as we start to look at how these form, or what it becomes, what it takes to become one, we have to think about that, that secret of success or that recipe for success.
We are cross-sector, industry-based, so we look at, you know, we can see one case of fraud and we can see it touch, you know, six, seven, eight different industries, and because we’re working across industries we can put that piece of that puzzle together. As Mr. Riggi and, you know, Stacy just mentioned, it is a puzzle, you know, and it’s taking seemingly unrelated data, or insignificant data, and putting together all the pieces to put the last piece of the puzzle, to identify, you know, the threat landscape and come up with a solution.
So today, I mean, our model is being replicated around the globe. We have JC3 in Japan. That’s the most actively and has said on their website, you know, they’re using the model of the NCFTA to build their entity, and have built their entity. Singapore, yeah, the Interpol is replicating the model of the NCFTA. You have Canada, you have UK, you have Germany—a number of organizations that are replicating the model of the NCFTA. It’s a global problem that we have, and NCFTA works with not only domestic and, and, as well, private industry and law enforcement agencies, but global private industry and, you know, law enforcement agencies. It’s a global problem. None of us are immune. All the threats don’t emanate from the United States, and certainly all the threat actors, you know, do not come from the United States. So I think we have to be aware of this on a global basis also.
You know, every time—everything we do as we try to be preventative and proactive, we’re actually trying to protect people’s brands, reputation, and the economic impact. This is a—yeah, the problem that we’re addressing is not just, you know, a problem in the U.S. It’s global, and right now it’s challenging everybody’s economic infrastructures. So we need to, you know, look at this very, very closely. Perhaps we need to take a step back and examine what’s working today, and I think that’s what, you know, the DHS is trying to do, but let’s leverage every model that’s out there. Let’s take, you know, the best practices, the lessons learned. As we work with industry and private industry, we are, you know, building lessons learned. We’re bringing in regulators to talk about and bring clarity to some of the rules and regulations around sharing. We’re helping people share tools. If you’ve been hit by some sort of emerging threat or DDoS, if I’ve built a tool let me share that tool with you, so you can protect, you know, not only the enterprise companies that have the time, the resources, the experience, but let’s share that tool down with some of the smaller companies so that they can put up their defenses, because they need help. They don’t have the same expertise that some of us do.
And then I also think, you know, we talk a lot about trust and trusted relationships. You know, I’m a firm believer that you don’t build trust; you earn trust. And the NCFTA, the model of the NCFTA was built on trust and trusted relationships. Matt mentioned this this morning. You know, we’ve earned people’s trust. We say what we mean, we mean what we say, we say we’re going to do something and we do it. If we meet somebody at a conference, we’re not going to just bring them into the fold, because that’s not somebody that we know. You know, the people that we’re working with are trusted entities. They’re people that know each other, have known each other for a long time.
The security community is a very tight-knit, small community. You know, we’re working with subject matter experts around the globe, so sharing, you know, information, best practices, and tools. You know, that’s what we have to continue to do. And, you know, at the NCFTA we tell people when they come to visit the NCFTA, you know, when you come, the enemy is on the outside. It’s not on the inside. We have zero tolerance for competitive behavior. The worst thing that can happen to us as we start to form these ISAOs is that we compete, and we pull people away from each other. It cannot be a fragmented approach. The criminals that are out there, they’re organized, they share seamlessly, they know more about us than we know about ourselves. So we have to be careful in that aspect.
And I also think that, you know, the NCFTA, it is—we have a common goal. When you come we say bring—you know, bring your information, bring your intelligence, bring your emergent threats, share that with everybody. We have a common goal. The enemy is on the outside, so all oars in the water, rowing towards that common goal. So, you know, we have multiple, you know, entities in cross sector that are some of the top brokerage firms, financial firms, you know, pharmaceutical firms, that they’re not marketing. It’s about protecting, and that’s what we do at the NCFTA. We protect. We share information, you know, critical information, because it can be—you know, what do we share? There can be anything ranging from a cyber financial crime to counterfeit goods that are getting into our supply chains. You know, so we have to look at this across many different aspects, plus the botnets and what’s happening from the botnets, that are very, very sophisticated and can move laterally, and they’re very dynamic.
So we tell people, leave your ego at the door. Let’s all work together for the common good and let’s share and focus on what you can share, not what you can’t, and come with the attitude of giving more than you’re going to take, because that’s how we’ll all be successful. The two-way sharing, as Matt mentioned this morning, is critical. I tell people there isn’t any relationship out there that if it’s only one way, that it works. I don’t care if it’s your wife, your partner, your friend. One-way sharing and one-way relationships just don’t work. So I think that’s key, also, to the success of the ISAOs. Thank you.
CARLOS KIZZEE: And now let me point—and we’re going to come back to Brian—I want to now ask the question in a slightly different way. Earlier someone raised—used the term “value proposition.” And so what I’d like each of the panelists to address, if I am an ISAO, a newly forming ISAO, and I want to connect with your organization, can you briefly articulate for me what is your value proposition for connecting with me, an ISAO, and what might my value proposition be for connecting with you?
BRIAN SCULLY: Sure. At the Office of Infrastructure Protection, our mission is to enhance the security and resilience of the nation’s critical infrastructure. So from our perspective, the value proposition we offer—and I think this probably goes for a lot of federal agencies, departments and agencies—is we have access to a lot of information and data that the private sector does not have access to. We have access to intelligence reports. We have access to a large number of subject matter experts. So we have access to information and data set that the private sector may not. So that’s one part of the value proposition.
We can form trusted relationships across different sectors, different entities, so at the Office of Infrastructure Protection we work closely with all 16 critical infrastructure sectors. There are governing mechanisms that allow us to move information and data through those sectors. And so the relationship side of it, we have established governing models, established governing systems, is another piece, I think, to the value proposition that we offer. We can also offer training, technical expertise, and things like that. I could go into the whole IP sales pitch but I won’t. I won’t bore you too much with that.
From the flip side, though, we also recognize that the private sector has a significant amount of expertise, a significant amount of information, and a significant amount of data that would be valuable to use, as the Federal Government, to help us make decisions on resourcing, on policy, on all sorts of things. So, as was just stated, it’s a two-way sharing of information, a two-way relationship that needs to be built. That is critical, and I think we both have something to offer each other. So I think the Federal Government has a lot to offer in terms of data, technical expertise, information, relationship management, governance mechanisms. You look at PCII. We have some ability to protect data and information that is shared through different mechanisms. We have different counsels and legal mechanisms to allow you to share information and bring private sector and public entities together to talk. So there’s a lot of value there, and, of course, as I mentioned, you know, from the flip side, we don’t, we don’t know a lot of things. There’s a lot of expertise and knowledge in the private sector that is of great value to the Federal Government, and we need to be able to tap into that.
CARLOS KIZZEE: Awesome. Bruce, you mentioned that MITRE is a member of multiple consortia and other organizations. Could you talk also—you know, what’s the value proposition for me connecting with MITRE as an ISAO, and for MITRE connecting with me?
BRUCE BAKIS: So MITRE has quite a bit of lessons learned from their—its experience in terms of participating in information sharing organizations, and even more as we help catalyze some of these, really, across the country. So we’ve offered, on our public website, a series of observations that are called “Lessons Learned and Challenges.” It’s in a series that we have under, under the cyber security space, where we’re talking about partners with purpose. And so we’ve captured some of the lessons learned and challenges there.
One of the things, you know, Carlos, you said, in terms of, you know, what is the fundamental role and the essence that, you know, an organization or an ISAO would offer, as simple a question as that is, people have difficulty in articulating that. Maria did a really great job of articulating essentially the value proposition of the NCFTA. As we work with, in other regions across the United States, in particular the larger the region the more difficult it becomes, is to be able to articulate what is your mission or your value proposition.
So what we’re seeing in these large regional, even statewide ISAOs is a little bit of paralysis because they want to be everything to everyone. So they have very, very broad mission visions, which actually go beyond, just, you know, sharing information and analyzing information. And we talk about economic development. We talk about research and—cyber research and development. We talk about sort of influencing policy at a national level, or even a local level. Those are all excellent missions, but the broader the mission, the more difficult it is to get, really, traction on I think why we’re here today, to really focus on the information sharing piece.
So as we talk to organizations, we say you need to essentially be able to articulate what your mission is and your value proposition on a 3-by-5 card in a couple of bullets, and to the extent that you can’t do that, it’s great to think big, but we’re saying to people, “Think big, start small, and move quickly.”
CARLOS KIZZEE: Very good. Stacy, likewise, I mean, the Bureau has a lot of initiatives and programs that, you know, working with DHS and independently as well, in regard. What’s the value proposition for me, as an ISAO, to join, but also what’s the value proposition to you for me connecting with you?
STACY L. STEVENS: Right. So we are in a unique position where we have investigative and intelligence-collecting authorities in order for us to be able to address counter-terrorism matters, counterintelligence matters, and cyber matters. So because cyber is more of a vector, for criminal activity, for terrorist activity, and counterintelligence activity, we’re in a unique position to kind of put all that information together and provide that information out to the private sector. Why are you being targeted? How are you being targeted? Are you being targeted by criminal actors? Are you being targeted by a nation state? Are they changing their tactics, techniques, and procedures? These are the things that we can provide you when you work with us.
Obviously, we’ll need to know what’s going on within your company. Why do you think you’re being targeted? I can give you an example that we recently talked to a company that had recently experienced an intrusion, and they said to us, just an off-the-cuff remark, “Hey, would it be interesting for you guys to note that ourselves and a couple of other companies were getting ready to do some business at a particular nation state?” Bells went off, right? Yes, yes, that would be very good to know, because then we’re able to say, hey, were you targeted because of this? Are your partners going to be targeted in the future? So then we’re able to warn the other partners, or the industry as a whole. So I think that that is a good proposition for the private sector to work with us, is the fact that we can look cross-threat and be able to say, “This is why you’re being targeted.”
In order for us to be able to do that and to collect information, again, cyber is unique. Counter-terrorism or terrorist activity, if you’re a farmer and you sell, you know, something that, that a terrorist may use—fertilizer or something—you come to us and you say, “Hey, somebody just bought a bunch of fertilizer.” Thank you very much. We call that a trip wire. It’s a tip. We don’t really have to come back to you and say, “Okay, this is why this person bought that, and this is what we stopped.”
But in the cyber arena, we need to know what you have and why you think you’re being targeted, because you know much more about your networks than we do. So in order for us to build our intelligence capability and our investigative operations, we need your help. So I think that two-way information sharing partnership, trusted relationship, is essential in addressing cyber threats.
CARLOS KIZZEE: And, Maria, I’d ask this question of you, of NCFTA, probably in a little bit different way. Let’s say that I’m the ICS ISAC or the automotive ISAC, or the water ISAC, or the defense industrial base ISAO. What’s the value proposition for me as an ISAO partnering with NCFTA, and what’s the value proposition to you for me partnering with you?
MARIA VELLO: I’m going to say it depends. I’m going to ask you, you know, what your mission is. I’m going to ask you what your objectives are. I’m going to try to find out more about you and what you do and how you do it. I think that there’s probably going to be multiple ways that, you know, we have—maybe you have skill sets that we don’t have and we have skill sets that you don’t have. How do we share those skill sets and share that resource so that we don’t duplicate efforts with what we’re doing, so we save time, cycle, money? Because we work cross-sector with all the different industries, you know, everyone knows, everyone has networks, everyone has people, everyone has issues. They don’t stay in one industry. They leverage the same tools across multiple industries.
So we’re going to talk to you about what we’re seeing. What are we seeing from an emerging threats, whether it’s with our peers in the agencies, with FBI, Secret Service, Customs and Border Protection, HSI? What are they seeing? What are we seeing? What’s our industry partner seeing—because industry, quite frankly, has the best information. No matter what, they have the best information. You know what’s on your network, you see who’s attacking your network. We’re going to be able to tell you emerging threats, and then hopefully you’re going to give us some of the same information back.
We can’t be all things to all people, but, you know, we certainly want to be laser-focused on, you know, how we can help you. So we’re going to find out a lot more about you, look for ways that we don’t have to duplicate efforts, and save everybody time, cycles, and money, because nobody has enough resources to go around.
CARLOS KIZZEE: Awesome. Very good. So here’s now where I start to ask some questions that are probably too easy and are not as good as the questions you’re going to ask. So if you have a question, I would invite you to just stand up and raise your hand or somehow signal us. I don’t know where our mics are. But while you’re preparing a question that you might have—I see one right there. Sir.
JONATHAN GOLDER: It’s not so much a question, but it’s a comment followed by a request, and I’d maybe question how you guys might answer that. One of the big issues that I run into so just to put—I’m John Golder. I’m with Discover Financial Services.
CARLOS KIZZEE: Thank you, John.
JONATHAN GOLDER: I run our Enterprise Intelligence office that I’m standing up. So I’m used to working in the intelligence community. I’m used to working with intelligence media. One of the things that I really see is going to be an issue is taking this past the security crowd, taking this past the people that are used to dealing with this, and getting it to the C-levels, getting to the other guys who are not trained intelligence consumers, they’re not used to having these sorts of feeds, and they’re not used to this sort of information. We’re used to—you know, those of us that come out of a government or military background are used to dealing with people that are used to this sort of information.
What I’m asking is, who’s looking at methods to train intelligence consumers, intelligence producers, and intelligence users in these companies, because—for example, in my company, I’m trying to move that direction internally, but not all companies are going to have that in-house expertise to do that. So what are we looking at? At steps to try and train people to be effective users and then effective participants and then eventually grow out their own capacity, because it’s got to be a qualified run, and what are the mechanisms we’re looking at for that?
CARLOS KIZZEE: So, for the panel, anybody want to jump on that question?
MARIA VELLO: I’ll take it. So to answer your question and be quite honest, I don’t think we’re doing enough. I think we do some of it. You know, we’ve brought in, you know, when we’ve had different—we’ve done Security 101, you know, for people that really just didn’t even understand, you know, how to spell “firewall,” let alone, you know, what an IDS, IPS and what they should be doing on their network. But that’s only one component. The network is one component of everything that happens.
I mean, you look at, you know, the—so it’s fraud. It’s, you know, emerging threats. It’s new schemes, you know, how are they leveraging, you know, what are they doing with counterfeit goods, how are they hurting your brand or your reputation? So we do some of that. I don’t think we do enough. I think that, you know, we don’t have enough people. There’s not enough people out there right now, in the security field, that really understand, you know, the challenges or understand the, the, the issues that we’re having. But they’re not going to school. They’re not being trained.
So I think everyone has a challenge with resources. I think if you look at what the White House is doing, that’s one of their key challenges. You know, we do human capital development, but we do it more on the intelligence analyst perspective, not on the network security. So I think there’s multiple lanes that we have to look at. I think we have to do a lot of it. I think that’s, you know, where DHS could play a huge role, you know, in getting more people trained and more people educated.
STACY L. STEVENS: And I would like to kind of echo what Maria is saying and give you an idea of the challenges with state and local law enforcement too. So not only is it private sector, it’s state and locals, right? So a lot of them have no experience whatsoever and ignore the cyber threat, because politically, I can be a mayor or I can be a police chief and say, “Hey, I’ve stopped so many robberies, I’ve stopped this.” How do you say you’ve thwarted, you know, a scam that started in one city and is hitting your city? So we’ve provided, within the FBI, something we call Cyber Shield Alliance, where we’ve set up a portal in order for state and local law enforcement to be able to get some of the training that they need. So they can go on and sign up for certain things and get training.
Again, we’re not doing it with the private sector as well as we should. A lot of what we do is bring the private sector in and say, “Okay, these are the threats. This is what you should be looking at.” And we have had CISOs say, “Thank you. Thank you for showing the CEO that cyber is a real threat, and that we do need to protect against it, and that it’s going to take a lot of money to do so.”
But I do agree with Maria. There could be more, and I’m not sure who should be in charge. I do believe, yeah, DHS would probably be the best place to, to start that, as far as the protection side of the house, but I know it is a challenge for us, and, again, like I said, we’ve got to look at our state and local law enforcement partners, which is a challenge as well.
ATTENDEE: There’s kind of two layers to that piece. One is, yes, at the, you know, building security to be understood as being critical, and there’s a monetization factor that the government often doesn’t think about in that sense. The government is used to approaching security, the same way I’m used to from years in the Army and all the rest of that, as in health and security is its own function that’s well understood as to why you do that. But when you’re trying to present that to a board, they want to know dollars, not just costs but what that offsetting on. And we’re running into some issues in the industry right now where we’ve got two of the sharpest companies in business are telling us, a single lost record is $154.58. I can’t monetize that for my board. I don’t have that kind of information.
And that’s someplace else where the government could help, is to try and develop out, because when private corporations try to calculate that, they’re going off the information that’s available to them, and that’s a much smaller set. If you really want to get corporate board buy-in to security, what I need is the government to come along and say, “We talked with a whole bunch of different companies and our estimation is a lost record is going to cost you $215,” or something like that. It’s something that lets me take that back to them.
CARLOS KIZZEE: Let me real quick riff off of that question for just a minute and ask the panel, you know, so we’re talking about information sharing and analysis organizations, this executive order. How is what we are doing, under this new executive order, addressing this problem, you know, helping to make people more sensitive at the board level, and, and, and making the non-security person sensitive to the problem? How is what we’re doing and what we’re here to talk about addressing that particular problem?
BRIAN SCULLY: Well, just to go back a little bit, to try to answer both questions, I think there’s, there’s a couple of things to think about. So from a federal standpoint—and this is something we try to do regularly—we like, our leadership likes to talk to CEOs. It’s just, it’s, you know, it’s just something they like to do. They’re at an equivalent level. We try to organize those meetings regularly. But there are a lot of challenges with that from both sides, right? So the CEOs have limited time, there’s a limited number of issues. They want actionable issues. I don’t know how many CEOs would want to come in and have the Federal Government train them on how to understand intelligence. We do do a lot of threat briefings, when we send briefing teams out, meet with companies and corporations and things like that.
And so we—there’s a lot more than can be done. We try to do it as best we can. It’s not always successful. I think it’s a two-way challenge. I think the other part of the challenge, though, is, is, you know, we can go out, and we can talk—and this is training, in general, right?—is you can train all you want but if you’re not exercising it, if you’re not using it regularly, if you’re not kind of engaged in those sorts of activities on a regular basis, it’s almost you have to be re-educated each time it comes through. And so, again, there’s, there’s things that the Federal Government can do. We do invite senior leadership from corporations to exercise with us, and we do share intelligence with them. We allow them to participate in decision-making processes. We try to, we try to put all those together, but it’s not easy on either end. So it’s a tough challenge but I think a lot of us are working towards it.
From an ISAO standpoint, I think depending on the level of engagement in the ISAOs, right, if you’re getting C-level, if you’re getting senior level leadership, board level leadership participating in the ISAOs, I think the, the nice thing about ISAOs is that there’s a lot of flexibility, right? You know, depending on how the standards come out, and, and, and things like that, there’s going to be a lot of flexibility in terms of how these are set up, how they’re run, how they’re managed. And so they can be tailored to meet the needs of whatever set of CEOs or industry officials or things like that, or whatever topic, whatever subject is of particular interest. Again, this is—you know, I’m not a cyber person. I’m more of a policy and physical security side. But there’s a lot of opportunity there, I think, in the flexibility of the way the ISAOs could be stood up to allow for this type of activity in a more meaningful way.
I’d say the third problem is just getting cleared space, out in the field, for CEOs to be briefed on such things. I’m sure our intel person may have some more thoughts on that, but that’s it from a policy standpoint.
BRUCE BAKIS: I’d like to pivot a little bit off of that question, actually. It seems to have a number of dimensions to it. But sort of bringing up to the, really, the topic of the day, and from a practical perspective, Mick Costa really talked about the Advanced Cyber Security Center, and so we talk about information sharing, have lots of different dimensions—strategic, tactical, operational—and really down to the technical level.
One of the forums, a forum that was run recently by the Advanced Cyber Security Center, was hosted at the University of Massachusetts Lowell, and the topic was workforce development. Now, it’s been written up on the, on the ACSC website, I’m sure. I’m not sure there’s anything really that’s, that’s really actionable directly from that single, that single forum. But that’s where members engaged on obviously a very strategic issue that affects everybody, and there was a lot of contribution because their universities were certainly critical and they were involved in this discussion. So that’s the workforce development piece of it.
Then I think that is the topic of discussion in a number of ISAOs, and I just gave you a specific example. So it’s not that there’s a solution, but it’s really part of a strategic conversation where people understand that’s really—there’s a critical need.
The second piece of it, or another piece, is where you’re talking about forming basically an intelligence organization within, within your organization. MITRE has some practical experience there. We’ve—we haven’t always been sort of world-class organization but we certainly are now. We’ve actually captured some of those experiences and that’s available. It’s “10 Strategies of a World-Class CSOC,” basically. And that might help you and other organizations as they try to mature and create an intelligence-based approach.
The other piece we’re talking a little bit about, sort of senior-level executive buy-in, and I think some place—and, of course, we all struggle with that—there’s a substantial investment that we at MITRE have made on the order of many tens and tens, on the order of about 40 full-time equivalent staff devoted to the defense of MITRE’s networks, and the reason for that is, you know, we’re protecting some, some intellectual property, and we’re safeguarding sensitive information on behalf of our government sponsors. There’s a lot there. And plus we also leverage those experiences from our own first-hand defense, and we sort of use that to work with our government sponsors. So that’s one of the reasons why we have such a large defense organization.
But the metrics piece—I mean, and so we have to justify that expense—so the metrics piece, we’ve actually externalized that. I think there’s a, there was a public release piece on that. If you can’t find it then maybe we’ll follow up afterwards and I’ll grab a card and an e-mail, and I can get my hands on it and send it to you. It’s a briefing where, where we focus on really the metrics that we discuss with our executives, and key to that is the notion of a bull’s-eye with, essentially, the sensitive intellectual property in the middle, and we’re letting our executives know how close to the center any one of the threats that we’ve addressed, how close it’s been. And the good news has been that there isn’t anybody that’s been at the bull’s-eye. But that’s an interesting part of the conversation at an executive level, is they’re interested in things like that. And that’s all part of, how come there are so many guys? How well are they doing? So we’ve expressed that in terms of metrics that might be helpful.
CARLOS KIZZEE: So in the interest of time, I wanted to open it up for one or two more questions, and there was a gentleman in the back that had a question. You’re standing?
ATTENDEE: [Speaking off mic.]
CARLOS KIZZEE: So the trust model, the question. Who would like to tackle that?
MARIA VELLO: I think, you know, if you look at other like—companies that do similar things, maybe not for the retails but other, for retailers, but maybe for some other industry segment, you know, getting a group of people that you already have been working with, you’ve already established some relationships, you have some trust, and you start talking, because, you know, your software as a service, I mean, you’re going to have some of the same issues. You know, and if you can look at, you know, coding, you know, some of the, where are people trying to sabotage your code? Are they trying to counterfeit, you know, your software? I think you start sharing what’s happening, what you’re seeing, then you guys can help each other, you know, put up your defenses. Maybe you have seen something they haven’t, and vice versa. You have to start small. You have to have a focus, you know, in a small group, and then start to build out, because I’ll know somebody, and I’ve been friends with them, and I trust them, you know, and I’ve known them for, you know, 5, 6 years. I’m going to bring them into the group if you’re adding value, if you’re able to demonstrate results, you know, things that you can leverage, you know, in your tool kit to help you, you know, with your software as a service.
CARLOS KIZZEE: I would add to that perspective that, you know, how broadly you share within your community is going to be a function of what I share with you, right? And so someone on the panel said earlier, it depends on who you are and what you’re doing. So, you know, there’s a bit of a function there, I would add.
There was another question right there, and I probably have time for one more up front.
ATTENDEE: [Speaking off mic.]
CARLOS KIZZEE: That’s probably a good question for Mike. In the absence of Mike, I think the Bureau is probably the best person.
STACY L. STEVENS: Yeah. I mean, I would say that the way we partner, in that we don’t turn anybody away. If somebody wants threat briefings, we try and be threat-based to see where we need to focus, based on an imminent threat that we’re seeing or some sort of trend that we’re seeing. So, an example of that is over the last couple of months we’ve been seeing a trend with folks, nation states, looking at personally identifiable information. So what we did was we brought in the health care sector into each one of our 56 field offices, and we had them get temporary clearances and provided them with that threat briefing.
So as far as the ISAOs are concerned, we did have some health care associations that I would proffer would probably be considered an ISAO as well, that were invited to attend. So I think that that’s what we would do is probably leverage our field offices in order to reach out to and establish the partnerships. I’m not saying that we wouldn’t do that at the headquarters level as well, but it would be more threat-based. But, yes, you would have the opportunities to, to meet with and be briefed on whatever information that we would have.
So I think it’s a good opportunity. The ISAOs, the ISACs are a good opportunity to get a lot of folks briefed at one time, or leverage that ISAO to be able to push the information out to their members. So I think that that’s a great benefit. That’s how—one of the questions you had proffered was how do we work with ISACs, and I can say to you that we do have a robust information sharing process with the FS ISAC. We are engaged with them on exercises. We bring them in for our briefings. So that has, that partnership has grown where we leverage them to get information out to the rest of the members. So I think that’s how that relationship with the ISAOs would be, similar to the ISACs.
CARLOS KIZZEE: So what I’m going to do now, standing between you and lunch, is a short, 30-second, last word from each of our panel members, and, Maria, I’d like to start with you and work your way towards me.
MARIA VELLO: Geez, I’ll tell you. Okay. So I think, you know, as we look at what’s transpiring and we look at today, I think one of the key things that I believe we should all do is take a step back. You know, let’s not reinvent the wheel. Let’s look at what’s working, you know, how do we enhance, perhaps, what’s working. You know, we cannot afford to have a fragmented approach to this problem. You know, if we take some lessons from our enemies’ playbook, from these threat actors, they share everything—how-to documents, where we’re vulnerable, how we’re vulnerable. Today we’re going to come out with a paper and we’re going to publicize that paper all about what we talked about today, right? Guess who’s going to read that?
When NIST announced, you know, that they, all the guidelines for NIST, in the underground forums, it was translated in multiple languages, and, you know, I will tell you, I was at a conference presenting and I said, “How many people know about NIST?” About 300 people, about 25 people raised their hands. They know what we’re doing. We should take lessons from them. We shouldn’t, you know, blog, tweet, talk, publish everything that we’re doing. We shouldn’t replicate, you know, or duplicate efforts. We should take a step back and take some of the lessons learned from every one of the models and maybe combine it, and don’t take a fragmented approach. We need a central repository for all this information. It can’t be in multiple little pockets where nobody has access to it and nobody’s putting all the pieces together.
So I think, you know, that that would be my closing thought, and I just want to answer one question. CEOs are more aware. You know, so I’ll take one to digress, and I think focus on brand and reputation, focus on what’s key to them, and that’s more important to them than, you know, how much a record costs. It’s what’s it going to do to damage their reputation.
So, with that, I just want to say thank you to everybody.
STACY L. STEVENS: And I would echo Maria’s comments. It seems like we have the, the same thought processes, maybe because we’re both from Pittsburgh. But I just wanted to say that we do have to take a step back and look at this, because as these ISAOs form, we need to know why they’re forming, what information we need, what information you need. So I know, you know, 2 years ago somebody said, “You’re in charge of information sharing,” and my first question was, “What information?” And so we talk about it constantly—information sharing, information sharing. Why are we doing it? It’s going to be different for what you guys need and what we need. So we also have to have an understanding of, again, you know, what your, what your challenges are and what our challenges are for information sharing, and why we can only, you know, pass some information and not other information, and why you can only pass information, and, and certain information and not other information.
So we’ve got to kind of look at each other and see—get a better understanding of what we all do and why we’re doing it, and what the limitations that we have in information sharing. So those are the two things, is figuring out what we need to share, why we need to share—and I’ll add another one—and how we’re going to do it. And go Steelers.
BRUCE BAKIS: I’ve got just a couple of sort of sound bite observations in terms of, as we mentioned, that we helped catalyze ISAO-like organizations across the country. And what we’re seeing is, again, some difficulty in terms of overcoming inertia. So when people say, “Can you help me a little bit?” this is some of really what we’re telling them in terms of how to get going. So first and foremost—and we did address this—you’ve got to be able to articulate the essence of who you are, and what you are, and what is your mission. And as easy at that sounds, it is very difficult for people to do.
The second piece—and we talked about this a lot today—is what are you going to share? Again, it’s almost a little, sort of—you think it sounds easy but the ability to do that is sometimes really very difficult. So we’re going to start with potentially, you know, indicators, but beyond that what are we going to share—TTPs? Best practices? You’ve got to be able to articulate what it is you’re going to share, and that really dovetails, obviously, with the mission of who you are and what you are.
Sort of the third piece of it is, we also—and this is really one of the questions that Carlos really asked, is what is the value proposition of, really, the ISAO, and, in particular, how are you differentiated from another ISAO, from an ISAC, and how, how do you fit in with the cyber ecosystem in the environment that you’re operating within? One way to look at some ISAOs is they’re a business. And so what I’m saying is really very consistent with if you’re going to form a new business, these are the things that you have to tackle.
Another one of the, the sort of the areas that we asked people that they really need to focus on is, again, it’s essence of, what’s the criteria for membership? Who’s in, who’s out? Are you regional? Are you sector? Are you an affiliation group? You’ve got to be able to understand what are the, what are the attributes of a member that you want? You’ve got to be able to decide, like who’s in and who’s out.
Another one of the things that we tell people that they need to focus on is, again, this issue of trust, but now I’m thinking about it from a hub-and-spoke architecture, where—and Maria’s talking about a centralized repository for information—who runs that? Who operates that? How do they safeguard that? How can that entity really be trusted? So we’ve got to think about the architecture of, really, who’s protecting that information.
The next piece, the next item is—and we talked about this a lot—what is the role of government, in particular, on law enforcement? We’ve seen, in some of the consortia that we’re working with that there is—people don’t want the government fundamentally involved. They want it to be a closed group. In other organizations, they say “We want to share,” and, in particular, that’s really, that’s an absolute requirement of the NCFTA. Law enforcement is embedded and involved. But we see that relationship elsewhere. People are—they, they’re a little concerned about that. So you have to figure out, really, what is the role of the government.
And then, again, consistent with this notion of operating a little business—and we did have the question that was out here—what’s it take to run this? What’s the financial plan? People don’t necessarily always think about that. There’s a lot of sweat equity that goes into actually overcoming the inertia to form these, but you have to figure out what is the financial plan. How are we going to sustain ourselves? Is there a grant someplace to help get us bootstrapped or is it all sweat equity, and then how do we, as we, as we move on, how do we, how do we sustain ourselves? Is it through dues? Is it through licensing, potentially, of some intellectual property that might come out of the research, in particular, research consortium? So it’s the financial plan.
And then, wrapping up, what’s the fundamental sort of leadership and governance of the organization? Who’s going to run it? How’s it going to be run? And then, finally, what are really some of the high-level implementation milestones? You know, Mick Costa was, again, talking about the, the Advanced Cyber Security Center, and he didn’t have time to go through the history, but it was the twinkle in the eye of a number of people in 2008, to form the Advanced Cyber Security Center. It launched officially in 2011. So sometimes these things, without really an implementation plan, they can take a long time.
And so finally—and I said this initially—think big, start small, move quickly.
BRIAN SCULLY: Great. So I’ll be super quick. My colleagues here covered most of the key points. I think the one thing I’d want to say is—and we’ve talked around this a bit and we’ve talked about it directly—that is information sharing is about networks. We are a network approach to information sharing, and so we need to think about it, the way we share as a network. Within that network we have both formal structures, ISACs, ISAOs, fusion centers, we have all sorts of operations centers, but we also have a lot of informal networks, right? When you have a question or you’re hearing something, you pick up the phone and you call a colleague, you go to your Rolodex.
So the question for me, that I’ve been kind of pondering as I’ve been working through the federal information sharing framework is, how do we bring those two, informal and formal, networks together in a way that can strengthen our overall network, our overall ability to share information across the nation, to help us become safer and more secure? So that, to me, is there’s a role for ISAOs in that. There’s a role for ISAOs to bring together both the informal and formal networks that already exist, in a way, and bring them together, strengthen the overall network, so that we can do a better job of sharing information across the board.
Right now we have, you know, there’s some pockets, there’s a lot of informal networks. When a challenge arises we reach out to the people we know. We build trust that way. So how can we use the ISAOs to expand those trust networks? How can we use ISAOs to build the overall network and strengthen it? You know, there’s all sorts of network theory out there and social network theory on how to do that, but for me that’s the question I’ve been pondering the last couple of months, and I think the ISAOs can play a huge role in really strengthening the overall information sharing networks that exist. So I’ll end with that and let you all go out to lunch.
ROMAN DANYLIW: Before you go out to lunch I’d really like to thank each and every one of you, and Carlos.
This really got the conversation going and seeded things for this afternoon, which is actually going to be all discussion for us, no presentations, no further panelists. So, logistically, we have until 1:15. If you’d like to come back and participate in Breakout Session 1 and 2, we’ll be in Room 120.
Thanks again to the panelists.