Workshop Breakouts: Track 2: Analysis—Capabilities
This is an audio file.
ATTENDEE: Welcome back, everyone. This is the Analysis Panel. I introduced David Mussington. He is from IDA, and he’s going to moderate.
DR. DAVID MUSSINGTON: Okay. Thank you. I’m David Mussington. I’m from the Institute for Defense Analysis in Alexandria, Virginia, and we support, like some other FFRDCs do, DHS and other entities who are working actively in this, in this arena, about the information sharing and operations and analysis and OT&E, and in some other things through our support to the National Security Agency.
I had one plan for this panel this morning, but unfortunately that plan collided with the discussions we had this morning. So I think it’s fair to summarize an earlier session by saying that there might be more—less agreement on more things than maybe was anticipated by some other people, so what I think we need to do is begin by trying to capture experienced subject matter experts who have some insights on what they think is currently working, in terms of information sharing and analysis, because analysis is being undertaken for critical infrastructure cyber security currently. And a good place to start for future requirements and for future performance-based standards, perhaps, might be an analysis of what’s working well right now and what future challenges might be.
So with that, that’s sort of what we’re going to do this afternoon, so I’m going to begin by asking each of the individuals to introduce themselves, and then we’ll basically go serially, trying to—again, having our panelists comment on what, what analytical processes or methodologies they feel are currently working well, or at least are promising, and what challenges they think an ISAO might have to meet in advancing those capabilities, or in creating new ones, if the ones that exist currently look like they are of limited future utility.
So if I could start with Ken Stoni as our first speaker.
KEN STONI: Oh, sure. Well, thank you. First I’d like to start off by saying thank you to Mike Echols and his team at DHS for inviting me here today. It’s a pleasure and an honor to be here.
So my, just a bit about my background, I, I’m with a company called ESRI. We are a software company that does geospatial information systems, so the software that provides capability to do mapping—kind of an unusual fit for a cyber guy. So before that—I’ve been with the company for about 2 years. Prior to that I was a U.S. Air Force officer, so I was a cyber planner and strategist throughout my career, for 21 years, but most recently at NORTHCOM and NORAD, and I had the same position down in Special Operations Command. Okay. So based on that experience, really looked at cyber as more of a cultural issue. I mean, there’s a lot of technology involved, but when it got to coming up to a planning at a COCOM level, and, and developing strategy, you really can’t fight—well, you don’t want to fight data point by data point, right? So the idea is to take all the data from all these different realms, integrate it, be able to put it in front of the commander as a campaign, and then start fighting the trends. Right?
So that was really the key. Data integration was important—which is really what drove me to mapping. So when you’re trying to get an Air Force officer and a Naval officer and a cyber warfare person and an IT person to talk together, the lowest common denominator is really mapping, right? You really have to get to the point where there’s a common model, a common understanding, and then discuss deviations from there. That also happens to be kind of the output of the COCOM, is to, to look at all elements of national power and apply it to problems that you face, right? So when you get to applying law enforcement capabilities or military capabilities or diplomatic, that’s also geospatially bound as well, right? So it was kind of a nice fit to be able to, to get cyber, to put it onto a map, to get people to understand it, and then be able to kind of start brainstorming on how we react. You know, how could other operations support cyber, how could cyber support other operations. So that’s what really drove me into geospatial.
Preparing for this meeting I kind of went back and, and looked at the last meeting, and there’s a couple of points I thought I’d make a comment on before getting into the, the opportunities and challenges. I was really kind of interested and happy to see a lot of emphasis last time on information being a means to an end, right, although at the time they said the end was situational awareness. I think I’d propose that really situation awareness is also a means to an end. Really what you have to get to, I think, is consequence analysis, being able to understand what cyber disturbances, or what physical disturbances, what the consequences will be, because that forms a basis for resource prioritization, and I think that’s the key to being actionable.
We’ve heard “actionable” quite a few times already, and the idea really is you want the organization to, to see something, to see that it’s important, important enough that you dedicate resources to it because there’s never going to be enough resources to harden all your devices, right, or respond to every alarm that you get. It’s really just inundating. And, in fact, most of the organizations I worked with, no matter how large, really kind of suffer from data overload and information scarcity. So if you were to define information as the opposite of uncertainty, we end up collecting data over and over again, right, and there’s a cost associated with that. There’s a cost in collecting it and storing it and analyzing it. So if you’re collecting repetitive data and it’s not changing the way you behave, it’s kind of a self-defeating process in that case.
So the really important part is to get to resource prioritization, to be able to integrate that so you can talk to different disciplines, right? So when you go to—at least within the Department of Defense—when you go for resources you’re going to go in front of the commander, and it’s always tough for IT or cyber folks to go in front of the commander and say, “You really need more X rather than another airplane,” right, or rather than another ground, ground unit. So you’ve got to get that—you’ve got to get it right, got to get it into, you know, a format that they can understand, and then we have to really kind of focus what we’re looking for. So, once again, the data—it’s not just about data. It’s about catalyst data, for lack of a better word, right? In the military we call it the golden BB. I guess law enforcement calls it the smoking gun, right, and we see that when we find those things, data sharing and collaboration works really, really well, right?
So if you read the Verizon data breach investigation report back in 2013, it said about 70 percent of organizations learn of a breach from outside, okay? So that means somebody is calling up the organization and saying that the data is already out, okay. When that happens, resources start to flow, companies get called in, things start to happen, right, and I think the question for the ISAOs is how do you get that same response before something bad happens. What’s that data that you need that’s catalytic to being able to get the organization to see the importance and to respond correctly? So if I were trying to frame the issue a little bit, I think I’d frame in those—that, that’s the target, to, to identify and get that data.
This morning I was really happy to see General Touhill say neighborhood watch, because that showed up again, again in my notes, as I was taking, I was doing the research, and I was really worried about kind of offending anybody if I said that, but since the general said it I guess we’re, we’re in good shape.
But, really, that’s what came to me is, is you can get all this, this threat data, globally important. You know, it’s kind of like watching CNN, right? You can get the weather anywhere in the world but the threat is really locally, right? So if you start looking at having to identify anomalous behavior of an adaptive enemy, you really need a local understanding to see what’s different, to be able to talk about it, understand it, and be able to respond to it, okay, and I think that’s the way it’s going, and that neighborhood watch metaphor fits really well, right? The neighborhood watch doesn’t have to know what’s going on in everybody’s house, right? They have to know, kind of get overlapping perspectives of what’s happening in the neighborhood, and they have to know when to call the authorities, right? So if you’re looking at a prioritization perspective, you’re collecting that data, you’re understanding what’s important, you prioritize your own response, but you could also help prioritizing governmental authorities as well, right? If something important, they need to focus on that, then that’s something to, to bring up.
At risk of overplaying the metaphor, the question really becomes what’s the neighborhood, right? So in geospatial terms, the neighborhood is kind of a shared space. Just as a suggestion—and I’d be happy to talk about it—you could almost look at cyber as source and destination pairs, right? So you’re collecting data from whatever means, you get source and destination. Anything you can see continuously is probably the neighborhood for your environment, and it becomes a pretty interesting kind of discussion point, I think. So if you, if you’re in that organization, you look at one facility. Some place might—and I’ll just talk geospatially, because that’s my familiarity—some place might show up that’s unusual. You don’t have an office there but you have a spike in your IDS alerting or you have some kind of net flow data that’s going there that’s unusual. If it’s just one building, no big deal. If that one location is hitting all your buildings, you might be a little bit more nervous, right? If you find out that all the buildings being hit, they’re only hitting offices dealing with your intellectual property, you’re probably on the verge of calling it an attack, right? Your response would be much different. The cyber data didn’t change. The way you’re looking at it didn’t really change. You’re just framing it a little bit differently.
So if we look at expanding that, if you had an ISAO that looked at an organization and defined a neighborhood, or even an ISAC, right, how it defines a neighborhood, now you’re comparing those destination locations. If you find a location that’s hitting all members of an ISAC, that probably becomes even more troubling, right, and as the ISAC starts—or the ISAOs start putting their data together, and you start seeing locations in geophysical space, or you could do it in, in logical space as well, that are hitting everybody, that becomes a national effort, right? So I think what the general put forward works, right? It scales from a local responsive level and it aggregates up very, very quickly to help identify, as a community, where we’re worried about what’s important and where we have to go. So it might be—I just offer it up as a way to maybe start aligning the prioritization of an organization at all tiers.
So I think the discussion this morning was interesting. We started talking about how ISAOs going into what’s the analytics that work. I think one of the things that—the way I’m looking at it—is if you identified your analytical process, the target is to kind of find that, that catalyst data within your neighborhood. I mean, that’s what we’re looking for. If there’s analytical processes that you could put out, you could, you could think of a series of functions, starting from maybe data aggregation, to data quality control, to filtering, to modeling, to alerting, to response activity, as a single process but with multiple outputs, right? Your ISAO might only want you to aggregate. They do all the rest of it themselves, right? So it’s one common process. They’re going to jump in and out, your, your members, at different stages, and you would deliver to that membership, right? There’s no reason necessarily to provide everything to everyone. But those standards can write the whole process and your users can jump in and jump out as they need to.
I’ve seen bits and pieces of this working very, very well, so it’s really hard to say, universally, what would be good or not. I think that would be a start. I think we’re probably in kind of an exploration phase where we’re going to put this out, we’re going to collect data, we’re going to see what works, and maybe that’s the way to start.
The challenges? I mean, I think we’re still early. We’re still in the exploratory phase. I think both the benefits and the challenges will kind of show themselves. I think the thing really about trust and—and it’s kind of a, kind of a Catch-22, right? Trust—the more you have it, the less you have to prove it, right? So when you have no trust there’s going to be a lot of data that has to be shared. When you trust somebody, you trust their quality, you trust their handling of it, there’s less you really have to talk about, so things get easier. So I think there’s that hump there. It’s, it’s a, it’s a touch-and-feel kind of situation, and we’ll see where it goes from there.
So I look forward to the conversation and thank you again for the invitation.
DR. DAVID MUSSINGTON: Thank you. You’re staking out a couple of points—before I move on to Evan. Trust is probably a challenge that I’d like each of you to comment on. Trust and privacy concerns, and trust of government versus trust of private sector entities is probably an issue that’s going to, to frame how ISAOs form through time. The notion of what constitutes the local neighborhood goes to whether it’s a sector or a community of interest, or some other pairing, or, or triplet, or some, some other sort of set of actors that go here into a group. And the notion of triggers, for going beyond general awareness. So if, you know, when, when is trouble detected that elicits action? These are just some questions to help frame partner remarks.
So, Evan, go ahead please.
EVAN WOLFF: Thank you, and like everyone else I want to thank all the people that put it on, especially everyone in government service. Having, having been, been at the Department of Homeland Security for the first 5 years, which is like dog years, so that’s like 30 years of federal service, so the—for others, I really appreciate everything that, that those who have served are doing.
I’m a—I guess I have a few hats here today. I’m a partner and co-chair of the data security and privacy practice at Crowell & Moring, which is an international law firm. I’m also a managing director at the Chertoff Group, and, more importantly, I’m counsel to the Interstate Natural Gas Association of America, which many of you may now be scratching your head on why INGAA is a relevant organization. But, actually, they are a small group of organizations that control the majority of our, our, our natural gas pipeline, distribution and storage, and, as you all know, to anyone who has had a cold winter, natural gas storage and distribution is kind of an important issue. And, and what they—they’ve come together over the last year with, with some good lawyering added in there, and, and built an actual information sharing organization. They’ve actually gone through and developed some guidelines on how to implement the NIST Cybersecurity Framework.
And so it’s, it’s been an interesting sort of learning opportunity, for which I feel like I, I was somewhat prepared for as a client, because my background, actually, before I was a lawyer, I have a—I worked in encryption analytics and numerical modeling. I was fortunate enough to be, to, to be a part of the MITRE Corporation when PDD 63 was, was passed, and we had to start standing up ISACs at the, the front end of, of this problem, and, and got to work for the government as a scientist for a while. So I guess I have sort of a, a, a geek and wonk perspective on this, and I speak Klingon and Romulan at the same time. So excuse me if I start ambling a little. I have friends in the back that will throw things at me.
To the point of what’s, what’s working, I think, you know, I would argue what works most right now is I think largely ISAOs are faith-based initiatives, and, and I, and while you can all think that’s sort of a, a horrific statement for a lawyer to be saying in front of a large, off-the-record room, I, I think actually, you know, the sort of lack of clarity, the lack of certainty, but the amount of faith people have in this effort actually is really helping us do a lot, to make a lot of motion, take a lot of steps that we normally would not get done, meaning that, you know, I am getting lawyers to, you know, lawyers, not outside counsel, but actual lawyers that are responsible for protecting companies’ assets and information, to agree to share information without there being any regulations, without there being any real, you know, triggers.
But they’re doing it because, first of all, you know, there, there, there is this desire to be a part of this effort. They realize there’s some common good out of it, and this is where, you know, I hate cyber by analogy but there is sort of a, a faith-based initiative to, to what’s going on right now. I think I, I will point—and I’m not going to—I’m not as rich as General Touhill so I’m not going to bet $2 but I’ll, I’ll bet a cheap cup of coffee at my, my free coffeemaker that, that I think that’s not going to last. Eventually lawyers will sort of revert back to what we do best, which is be risk-averse and say, “Wait. If we’re sharing information, where, where is the liability of that?”
We’re already starting to see that in, in some of the cases that are coming out of, of, of the other agencies, like the Federal Trade Commission, which has a set of these 50 unfairness cases and they’re all really along the same idea that, that companies need to protect their data or else it’s an unfair business practice, and, and that’s causing, you know, some of this sort of retraction. I think we’re going to, we’re going to see that coming out of some large data breaches as well. So we’re not always going to sort of have, have this sort of great opportunity. Similar to what happened at, you know, I guess during World War II, and what we experienced at the start of DHS, in, in that people were willing to help out because it was the right thing to do, and also people saw that it was a way of, of not only protecting our, our great democracy but the companies that, that, that are participating in it.
I do think there—another sort of point that’s working well is, is this convergence of government and industry. I mean, the fact that we’re actually able to have these meetings and people show up and we all listen to each other, I think is another sort of thing that’s going well, and that, and that there is largely, I would argue, because of the, the lack of, of, of clear rules and laws that, that people can come together and, and talk more than, than they have in the past. And I think the, you know, the, the, what—my third point of why it’s going well and then I’ll start off with my list of 25 things of why it’s not working—is because, you know, there is this sort of desire and, and—within, within the board room, and, and also within the sort of operations centers and companies to do something, and this is a very sort of easy and digestible first step. I mean, there are other first steps that people don’t like, and I’m, you know, when, when we think about sort of where encryption technology has come in America, from, you know, the regulatory ITAR provisions to where we are now, we could see some very uncomfortable path forward that we don’t want to take.
Just to, to, to be brief, some of the, I think, challenges that, that we face are, you know, first of all, this governance problem. We saw this earlier today. I was glad that, as a former MITRE employee, that we had a MITRE employee sitting between the FBI and DHS. But there’s a governance problem and, and that was no sort of fisticuffs between the federal agencies on, on the, on the, on this panel. But I think there is a governance problem within industry, and, and within government, and that we really don’t know. I still am a little unclear when it comes to ISAOs what is DHS’s role versus what is FBI’s role. Sorry, Mike and others, if you guys have a very clear vision of it, but I spend a lot of time working with both agencies and, and I know how to cherry-pick, and when you go to the sort of third rail of the Secret Service, but I think that, that, that, that governance problem is also seen in industry, where companies are increasingly becoming more aware of how to manage this problem, and this is what, I guess, economists call a classic, you know, externality and companies are figuring out how to internalize it or developing mechanisms to internalize it, like environmental health and safety and other, Sarbanes-Oxley, and other areas of risk. But we’re still, we’re still at the beginning of, of that, of that growth, growth curve.
I think, you know, one of the more important challenges that we have, and it was talked about earlier, is metrics. Something that when we were standing at bar—and I’ve been involved in now three—since I left DHS and MITRE I’ve been involved in three sort of ISAC, ISAO stand-ups over the last 5 years—and each one, you know, the business people have come in the room and said, “So how do we know if this works?” especially if you don’t do cyber for a living. If you’re an energy company, if you’re a transportation company and your job is to move people or move goods, then cyber enables that, but you don’t make any money off cyber. It just costs you, hopefully, less or more, depending on what, what sort of part of that line you’re, you’re, you’re standing on.
And so I, I think the, the, you know, that, that’s, that’s a challenge, and, and, and another, I think challenge long-term is going to be the sort of where the law comes and maybe some—I’m the lawyer here so I’ll try to be a little argumentative, or at least argue with myself—that, that I think laws really, in creating a regulatory environment for information sharing, you know, will initially sort of create some, I think, benefit. I think we’ll see out of CISA, or whatever the, the, whatever the information sharing laws, the, the bills that we see coming out of, out of Senate and Congress, I think they’re going to, they’re going to initially help companies because they will create that liability. They’ll create that initial protection.
But we, what they aren’t doing is thinking about the entire lifecycle of information sharing, which goes not just from what you do to how do you get a signature from someone else’s Snort box and put it on your Snort box, but how do you actually conduct a thorough investigation? How do you do joint defense investigations when you have common enemies and you have to work with multiple law enforcement agencies or, or the other big L word, which is litigation, and how do you do sort of joint litigation, which is really hard. I’ve been involved in three large data breaches that have, that have had six or more class action cases associated with them, and, and it was really hard representing a single company with a bunch of components, and if we had to have multiple companies involved—and this gets to be that sort of, that, that 3,000 figure that, that people bounce around, that 3,000 of these notifications happen externally—well, you know, for a lawyer that creates a lot of risk. And I think until we understand how to build a legal platform that, that provides the assurance that protects a company, that’s going to be a challenge.
And so, I guess, just to, to be clear, I’m not saying that the current proposals, legislative proposals that are, that are out there right now—and especially one that, that has cleared the, the Congress—are not good efforts. I think they’re great and I think they’ll take us the next step forward. But I don’t think those are—I mean, 3 years from now, when we’re all together, I think we’re going to be looking at sort of a whole nother level of, of legal and regulatory, and really business risk.
DR. DAVID MUSSINGTON: Thanks. There are a couple of terms that, that seem prominent in Evan’s remarks. Metrics, which is something we worry about a lot, in terms of mission assurance against cyber risks, and that approve, prove the value proposition for whatever protections that you, that you want to suggest are important. I hadn’t heard the term “the joint litigation” being identified before with a particular problem, but that sounds, sounds significant and not something that I’ve seen much literature on. Governance. Governance in terms of the SO, governance in terms of ISAOs, governance in terms of DHS and other agencies’ relationships with the changing environment of information sharing actors, were all sort of mentioned as prominent challenges which we’re going to have to deal with, successfully or not, but they will be challenges.
JOSEPH VIENS: Sure. Thank you, and, Mike, Mr. Echols, I appreciate your inviting me to this panel and I very much appreciate being with the distinguished moderator and fellow panelists. Real quick, I think it’s important for me to describe our ISAC. It’s probably the most unique one out there. We are the official ISAC for the communications sector, actually the National Coordinating Center through DHS, which is a subset of the NCCIC, and we heard about that this morning. We have 67 members of the communication ISAC. They range from network service providers, ISPs, to associations, to equipment vendors. The key requirement to be a member of our ISAC is to have a tie to the communication sector.
We come together every week with our DHS partners, with the NCC. We also recently, within the last probably year and a half, have developed a network service provider group subset of the industry side of the NCC Comm-ISAC—that’s what we call it—and that group also comes together on a weekly basis, and we work collaboratively and we’ll, you know, any member of that group can, can bring things up, certainly with, with our government partners in that meeting, and then also additionally with, with just the members.
We’ve had a long history of collaboration in the communications sector, dating back, really, to the Cuban Missile Crisis back in the early ‘60s, when President Kennedy was faced with the possibility of, of, you know, continuity of government issues and continuity of communication issues. So that was extremely important. In the, in the early ‘80s, President Reagan also felt that this was extremely important too. So we, we ended up having embedded reps from the telecommunication companies with, with government. So, really, we’ve been doing this directly for 30-some years, since the early ‘80s, and then more formalized in our ISAC with the PDD 63 effort, like the other ISACs as well.
So I wanted to give you that background. I also wanted to give you a quick background on me. I’m the Director of Enterprise Business Continuity and Crisis Management for Time Warner Cable, and we are volunteer—we have volunteer leadership process within our ISAC and we’re elected to 2-year terms. And I only tell you that because I am not the cyber expert here, and I’m certainly willing to, to maybe provide some insight into how we may go about, you know, information sharing and some of the issues that we have around that. We had—the ISAC industry chairs submitted comments initially. I think that might be out on the ISAO website. So you can get more background on kind of where, where we stand with this.
But you talked about trust and privacy concerns. That’s at the forefront of everything we do, because if we don’t have that in place with our customers, it’s a serious issue for us, not only from a business perspective but certainly from a regulatory and, and, you know, breach of, of legal, you know, ECPA and other data privacy laws that we are required by law to adhere to. So, you know, there are also antitrust issues that we have to be concerned with. We make sure that we adhere to all of those as well, as we interact with one another when it comes to this space.
So those, those are some of the challenges with respect to that. The legislation, I think, addresses that to an extent, and it’s something that we are constantly working on to make sure that we do, that we’re involved with, and make sure that it makes sense.
You know, some of the things that, that we really need to focus on as it relates to ISAOs is to make sure that they’re, they’re at high level and very general in scope, because every entity is different. Every entity’s risk posture is different, and it’s extremely important to, to make sure that you, you understand that, and, and to be too prescriptive with an ISAO standard, I think, could be counterintuitive to this initiative and actually do more harm than good. So I think we have to be very, very, very careful about, in this process, of being too prescriptive. Automated information sharing. We talked a lot about STIX and TAXII this morning, you know. So if an entity, an ISAO doesn’t have the ability—or even a big company, for that matter—have the ability to do that, does that preclude them from the process here, and, again, does that create, you know, more harm than good from what, what we’re trying to accomplish here?
You know, we have to—we definitely—and I don’t want to get into too much policy because that’s not my, my background either, so I will, I will leave that to, to those that are more astute in that. But it has to be general to cover all, all, all sectors, and be flexible and enable, you know, their implementation across, you know, the diverse communities and disciplines. Definitely need to consider all existing laws. As I mentioned earlier, the data privacy that prohibit the sharing of, of personal data, so PII. We have to be very, very cognizant of that and careful of it.
I don’t know if I, I strayed too far from your, what you were asking me to talk about. You know, the NCC Watch, in conjunction with the NCCIC, US-CERT, ICS-CERT provides a lot of our indicators and information around cyber security issues, so we are benefactors of that, as well as government agencies and other sectors, for sure, that are involved. The companies within the communications sector do a very, very good job of protecting the networks. Obviously, we’ve got—if you look at it in, in three buckets, you’ve got our customers, you’ve got our enterprise, and then you’ve got our, our, our core backbone network. So those are the things that we’re concerned with as it relates to cyber security. And we—I think, for the most part, our sector’s done a great job of covering all of that making sure that we’re leaning forward as it relates to protecting our, our, our entities and our customers, and all of our stakeholders.
DR. DAVID MUSSINGTON: Before I go to questions, just one point, I guess. You mention STIX and TAXII as being something that, that might impede cooperation if companies don’t have it. I’m wondering, is there a standard that’s, that’s different in the communications sector?
JOSEPH VIENS: In terms of automated sharing, just generally speaking, you would have to have the ability to receive automated information, and what I’m saying is not all entities would have the ability to put forth that effort and the infrastructure behind it, in order to do it effectively.
DR. DAVID MUSSINGTON: So entities would probably like assistance.
JOSEPH VIENS: Potentially.
EVAN WOLFF: Yeah, I mean I guess here we have to sort of have the conversation about the haves and the have-nots, because I completely agree that, you know, with everything that he said about the communications sector, and I think the, you know, the communications sector along with—since there are a lot of IT companies in the room and a lot of people that service IT companies and banks—you know, you guys all, I go into this category, or the haves. You do IT for a living or you at least have a reason to do IT for a living. If we go out to, you know, retail, and, and, and energy, you know, there is a different perspective, and I’ve heard this before, that while STIX and TAXII is, you know, you know, complicated, and we, you know, there’s still argument of what the acronyms even mean, and, and there’s only one company that’s really licensed it, and, and it has weird acronyms.
But the, the, the reason why sort of I, I like it is sort of because it moves us out of this faith-based initiative—and just so you know, I’m not anti-faith in any way—but it creates some sort of very specific, practical, and, as a lawyer, repeatable, which is sort of the—you know, a standard that lawyers always want to think about, is, you know, if we set up a system, is it something that we can rely upon? Is it something that, that is used by others? Has it become an industry standard? There’s actually a whole line of cases called Daubert, to those of you who have sleeping problems, that you can look at.
But, but, you know, and, and, and, which talked to the rules of evidence, and that’s really where, why, I think, I, I, and I, I do push for sort of having standards. And I can look to some examples of where they’ve been very helpful to the digital community. If we look at the payment card industry, for example, how we created the PCI standards did involve a set of regulations, but really involved everyone coming together and coalescing around a set of voluntary standards, and that’s sort of how STIX and TAXII were, were created as well. You know, we all agreed on the Kill Chain is how we’re being attacked; let’s, let’s look at how we can sort of reverse engineer, back-end-out a way of sharing information that could help us stop this known phenomenon.
And so I think, you know, it creates that sort of meaningful way of approaching it. I also agree—just, once again, because I, I, as my 9-year-old points out, I continually disagree with myself every morning before I drink coffee—that it creates a problem, because it really is hard for simple companies to, or for companies that don’t do IT for a living, for them to implement it. And so this is where I’m not worried about that problem, because I have 100 percent faith in, in, in sort of our, our development and technology industry, and we’re going to make it much easier. You know, we’ve gone from—when I look at my first system administration job in 1988, to, you know, what my 9-year-old son does now, which is far more complicated in terms of his impact but better tools—we’re going to automate and we’ll get better at these tools than we are now. We’re not going to be using, sort of, CACTUS and, you know, in, in 5 years we’ll be doing something else but not that.
DR. DAVID MUSSINGTON: Just one remark before I open it up to questions. A lot of research has shown that small- to medium-sized enterprises aren’t well served by current ways of disseminating threat information. A lot of research has shown that small- to medium-sized businesses aren’t well served by current information exchange or sharing mechanisms. So STIX and TAXII, I’m not sure if that’s the issue. It wouldn’t be for most. But there is an issue of whether, in fact, the supply side will ever catch up with the demand that doesn’t articulate requirements clearly enough to actually be served.
ATTENDEE: I mean, my short answer is managed security services are going to solve that problem, that and some overlaying regulations like we’re seeing coming out of DoD, with the Defense Federal Acquisition Rules or the DFARS Safeguarding Rule, where it requires companies to have a secure supply chain. I think, you know, companies have realized, with their payment card and, and, brand, card brands in the, in the, in, in the card industry and the payment industry that, you know, they also have to worry about their supply chain. So I’m actually not worried about—my brother’s a doctor and he has, you know, 50 employees, and he’s never going to use STIX or TAXII, nor will he know what they are. But we do go to secure cloud providers to store all his HIPAA data, and, and so I think that’s—I think the market—I have faith that the market will take care of some of that problem, or hopefully most of it.
DR. DAVID MUSSINGTON: So on that very sanguine comment—comments from the audience? Sir. We’ve got a microphone right here.
ATTENDEE: So to sort of play devil’s advocate there, so for a small law firm or a small doctor’s office, I can definitely see some cloud options for them there, but if you’re like a very small 1-, 2-person retailer, or a pizza shop, or even just somebody who is just starting their practice, and there were regulatory requirements for you to go and meet these requirements, the only way you could do it was by going to a third-party security cloud vendor, that’s not in the budget for them now. How is that going to be in the budget for them then, in the future, when it’s a requirement?
ATTENDEE: A small pizza shop still has to comply with OSHA, with workforce safety rules. They have to comply with a lot of other complex regulatory issues that they do through a variety of tools—and just to be clear, I’m not saying we need to start regulating small businesses for data security, but they, you know, they, there are, over time, they will, I think, develop a market, will develop a set of tools, just like, you know, GoDaddy allows, you know, someone with a, you know, a 10-year-old to be able to create their own website, without having to, you know, have command knowledge of, of, of, of how, how, what domains work. I think, you know, those, those same companies that are pushed to go, to go online will be able to go online more securely. I actually think it’s going to take us some time and I think it will be built in supply chain.
But I, I agree, the small, the small to medium businesses are going to be sort of—I mean, they’re the tail of this problem. Since largely none of them are here today, I think they’re clearly the, at least, you know, a huge part of the problem that, that they aren’t represented.
ATTENDEE: So one of the things we’re doing, and have done with the CSRIC, FCC CSRIC working group for effort—you can go online and look at that. I think it’s a 400-some-page report. We took that head-on, and we had a subgroup that looked at small and mid, mid-sized businesses as it relates to what are some of the impediments to adopting the cyber security framework. So I think there’s a lot of information there.
Some of the things that we’re doing on the comm sector side is we’re doing educational outreach. We’ve got, obviously, associations that represent the smalls and mids, and we’re providing webinars and, and other information to help in that effort. And then I think the managed services has got to be the option for a lot of them, if they can’t handle their, their security requirements in-house.
ATTENDEE: Okay. Great. So just, just to clarify and make sure I understand, your belief is that the cloud and managed security markets will scale down to these people who want to enter the enterprise space, or the business space, but it doesn’t necessarily mean that there’s going to be a raised barrier of entry for these such that these sectors will only see large companies being able to operate?
ATTENDEE: I think there’s going to be a balance and I think, you know, when someone is entering the market they have very low risk, you know. The data they store, you know, assuming you’re not, you know, your, your market entry isn’t building a nuclear reactor, but I’m starting something that has a low risk sort of, sort of entry point. As the risk increases they’re going to have more money to spend on better managed security services, better cloud offerings. So I think that sort of framework. I don’t think, you know, someone who’s starting a company tomorrow as a sole proprietor is going to be able to sort of instantly do everything that mature companies are going to be able to do, but I think as risk increases, there will be sort of this matching or sort of matching of risk and security.
ATTENDEE: Got it. Thank you.
DR. DAVID MUSSINGTON: Just around on that point, you pointed out many services, companies providing perhaps analytic services to small- to medium-sized. Does that suggest that a standards organization needs to be, needs to articulate standards for products that managed services companies provide? For example, if there’s a—if an IDS service is offered by a managed service provider to small- to medium-sized business—the chain of logic here—and the small businesses are sufficiently small and not expert, that they don’t fully understand the products they’re buying, does the standards organization, sort of from that situation, gain a responsibility to, in some sense, enrich or certify the services that are, that are vended, ostensibly suitable for small- to medium-sized business?
JOSEPH VIENS: It’s probably a question for me. Again, I think we have to be careful about how prescriptive we get with this process, because, you know, each circumstance is different. Each business, again, is different, and their risk and their profiles are different. So further regulating managed service companies, I’m not sure is necessarily the answer.
DR. DAVID MUSSINGTON: I didn’t say regulated.
JOSEPH VIENS: I know, but, but being too prescriptive with, with respect to the services they, they provide. I think they do a good job on their own by describing their services to a prospective client, and you can just go out onto their websites and, and look at those pretty clearly.
EVAN WOLFF: And sort of in support of that statement, too, you know, if we all are in agreement that we can’t regulate our way out of this, there, there isn’t like companies are going to just be developing untested products, because, ultimately, as we’ve seen with, you know, litigation like coming out of the Federal Trade Commission—which actually has picked up, I would argue, this exact problem—then, then it ends up in courts, or these administrative agencies are developing what the standards are, and we’ve seen many times with data breaches, where it’s judges that decide what is the standard of care for a company protecting and storing data. So I don’t think we have to say if we don’t have regulations for everything then, you know, we’re in the Wild Wild West. We still have, you know, a litigation system and ultimately Congress could decide it wants to actually do something, and create, create some laws around this too.
ATTENDEE: If they could actually do anything. I didn’t say that out loud.
ATTENDEE: So the short answer is no.
ATTENDEE: Now for the explanation. Those products that were mentioned—IDS, IPS—are already certified. I mean, that’s why you have NIAP, Common Criteria, FIPS 140-2, NIST 800-131A, et cetera, et cetera, et cetera. So to add another certification is just a matter of how much more cost you want to add. No, I don’t think that the small- and medium-sized businesses are going to go to managed service. It’s too expensive. The OSHA regulations and everything else are already putting them out of business, so the question is how do you simplify security? I heard the panel talk about how STIX is working. It ain’t working. DHS is on one version of STIX, which is a version behind where the standard is, so we have to back-port that to try to get it there. That’s why it was moved to OASIS, so we can actually make it a real standard, because all of us in the IT industry are having a hard time using it.
Let’s talk the truth here, because otherwise we’re going to ask some standards organization to tell us how to do the business with the wrong premise, and I submit that the premise is incorrect. STIX/TAXII is the leading candidate to move forward. I think it’s going to be better than MAEC or IODEF, or a few others. It has the capacity—excuse me—it has the capability to become the thing that we’re coalescing around, because industry and governments globally understand that’s a problem, and we’re desperate for a mechanism, but it can’t be something that we took a CSV file, put it in XML, and all of a sudden watch it explode ten times, and you can’t handle it or eat it, because a small or medium business can’t handle it, and neither can a large very well.
And that is where we are stuck. So we’re trying to get our way through that. So the standards organization doesn’t need to focus on that as to how to make that work better. It’s a matter of what mechanisms are out there that we can operate and share, and how do we type forecast, or the type of organization we are, and where we’re trying to go with that information, in an attribute of how reliable that information is from that kind of organization. That would help us. I say that from having started the IT-ISAC in 2000, and organized response at first, and doing large-vendor exchanges, daily. So we get how to do that. I don’t need an SO telling me how to share. I need the ability to share with better partners and stop creating more organization to dilute the effort.
Sorry for the soap box.
DR. DAVID MUSSINGTON: Mike, could you respond to, or sort of refine a little bit what you see the SO’s core tasks as being?
MIKE ECHOLS: [Speaking off mic.]
ATTENDEE: I think you have a good basis with the National Council of ISACs and the existing highly functioning ISACs, to be able to provide a lot of the insight and answer these questions, and I think—I think those ISACs can serve in a kind of a leadership role or a mentorship role here to develop, to develop these standards, for sure. I think we should look to what’s working instead of trying to fix something necessarily that isn’t broke, so to speak.
ATTENDEE: There are three types of organizations that you really revolve around. There’s readiness, basically your security. There’s your incident response—how do you actually respond, and attack, et cetera, and then recover? And there’s a security effort around that globally, about how to define the service of what that is. We’re actually meeting next Sunday in Berlin, for this subject. The third part is the information sharing. How do we get it from one individual to their like-type group, or community of interest, and then how do you then get that out to everyone else as an early detection, early warning, so that you can go back and do your readiness and your response?
So realize there’s three different elements here, and we’re talking about information sharing like it’s all of them. We haven’t defined those other two aspects, and they go hand-in-hand with this problem-solving. Now try to enlarge the ISAO perspective. You have to know how it interacts in the ecosystem. It doesn’t do everything.
DR. DAVID MUSSINGTON: Any other questions?
ATTENDEE: I’ll just make one comment to that, Steven. I think that many of the, again, highly functioning ISACs already encompass all of those qualities, so, again, I think we can certainly bring some richness to this process, for sure.
MIKE ECHOLS: [Speaking off mic.]
ATTENDEE: Sure. Yeah.
ATTENDEE: So we can maintain our way of life.
ATTENDEE: I’m not arguing against this process. I’m here to support it, for sure, and I—believe me, I have the same company sending me a letter from two different entities that have lost my information or breached my information. So I guess 4 years of protection from, for these two breaches. I don’t know.
EVAN WOLFF: Two concurring.
ATTENDEE: Yeah, two concurring.
ATTENDEE: Thank you, Mr. Lawyer.
ATTENDEE: So I get—I understand the problem, and I think we all do. That’s why we’re here, for sure.
ATTENDEE: I do—I mean, I, I, I guess I’ll go back to the one thing that I’ve learned at DHS about the sectors, is the only thing they have in common is they’re all different, and I think that we do need to take that into consideration when we think about sort of learning from these, the ISACs, the smarter, older ISACs, that just because you understand the communication sector—no disrespect to the communication sector—doesn’t mean you understand even how the energy sector uses the communication sector, because, you know, they still use radio wave towers, and they use fiber as backups to control liquid pipelines. And so, you know, we—and this is a sort of a problem that DHS had at the beginning and why we ended up with sector coordinating councils, not more ISACs, is that, you know, there needs to be sort of a very guttural understanding that, that each of these sectors really do think about life a little differently, they have a different business purpose, and they have different reliance on, on cyber. And I do agree that information sharing is small jars for some of them and bigger jars for others, because some of them are focused on other parts of the problem.
DR. DAVID MUSSINGTON: Someone down here.
PETE PAYSON: Hi. I’m Pete Payson with DHS I&A out of Connecticut, and my question is—I work at the Fusion Center and we have this National Network of Fusion Centers that are already in the communities, that have established rapports with federal, state, and local law enforcement, also private sector industry. And what do you envision their role is going to be as part of this program that you’re initiating?
ATTENDEE: I don’t know. That’s maybe a Mr. Echols question.
ATTENDEE: [Speaking off mic.]
ATTENDEE: I mean, I’ll—that’s a very—I admire that question, because it’s a, it, because, you know, this, this is, I think how I’ll sort of reframe it in sort of a question I think we can all maybe start answering to get to that harder question, which is what is the role of government in information sharing? What is the role of the NCCIC if, if you are a small business or a large international energy company and you have, you know, detected something, either on your own or through some third-party notification, something on your network? You don’t have necessarily a duty to disclose it to anyone if it doesn’t involve PII or loss of HIPAA data.
You know, you don’t have to go to the NCCIC unless you want to, you know, have sort of some patriotic duty. But, at the end of the day, if you, you know, have, you want to make this an insurable loss you’re going to have to report it to someone. It might be the FBI. You might want to go to—I spend a lot of time dealing with local police departments on large cyber data breaches, to be honest, because they’re an easier place to do your initial reporting, if you want actually get a police report that you can turn over to your insurance company. And so I think that’s where the fusion centers are going to be very helpful in that sort of reporting piece.
Unfortunately, I think, you know, they’re going to be a step behind figuring out what is the role of government in this really incident response and some of this information sharing problem. I, it’s just, it’s a really, it’s a really hard, hard problem, because right now the laws and lawyers sometimes don’t exactly sort of support the goals that, that we’re talking about here.
I don’t know if anyone wants to disagree with me.
ATTENDEE: Well, I look at the fusion center, too, as we have all the components represented along with protective security advisors, who could go out. We do get a lot of cyber reporting. I also report into the intelligence community with cyber incidents and other things. And so I think the role of the fusion centers could actually enhance this, to some degree, where the expertise and the network is already in place to share that information. With regard to governance, I know in Connecticut we have an executive board that’s made up by members, and there are some private sector sitting on that, that executive board for governance. So there is a network in place. It’s just, I think it could be utilized.
ATTENDEE: But the challenge is, like in, for, if we’re looking at an incident, you know, you’re already—once you make the determination that you’ve had loss of PII, you’re already going to have to notify 47 state attorneys general and/or other state officials. So, you know, it comes down to this question, the sort of most-written memo in any data breaches, you know, do you have a requirement to disclose this to anyone? If not, see Section 2, which is, is there any benefit you get from disclosing this? And I know we’re already going to have to call the Connecticut AG, I think it’s within 30 days of, of the loss of PII, I believe is what the Connecticut law states.
And so, you know, can we get companies to voluntarily go to the fusion centers? That’s a—I think that’s a good question.
ATTENDEE: Yeah I think—I’ll make it simple. Turn it into a question and then we can add to all this. The real question is, how do the, the government fusion centers and cyber centers—because I’ll throw the cyber centers into the mix, how do they all play in the ISAO world that we’re trying to create? I mean, that really is the question that we need to, to refine the answer to. And, on that note, Pete wants to say something.
Yeah, we’re almost done. We’re done a quarter of?
ATTENDEE: I think what we’re describing is a need for an interoperation between ISAOs. Mr. Echols, your comment about ISACs, you know what they do and they do verticals, you know, we need to think of that as—you know, the verticals, like the IT or comms or other sectors will tell you how the system operates. But when you get down to the fusion centers, et cetera, it’s how they operate the systems. I know that’s a play on words but stop and think about it. One is how does it traditionally work—you know, bits and bytes are going to be bits and bytes overall. How you do certain commands on a system are going to be pretty much the same. But how you’re employing them to support a business, to transfer data, and how you’re going to protect are going to be unique to your situation, whether it’s geographic, it has to do with a certain type of business, a subsector of a subsector, et cetera.
And that becomes important because now as you try to paint a picture, you’re going to a difference, and here is where I submit the government has a role, and that is helping put context as things roll and move, because that gives the impetus for people to act. Notice I’m not asking for a regulatory stick. I’m asking for a “let me understand what is happening,” because that is a larger and quicker motivator, because Congress passing a law, we’ll always be behind where we are in responding to the threat, because a threat is going to evolve, the technology is going to evolve, and economic and business operations are going to evolve. And those change. So when we go back to Connecticut, that’s where the problem is on the ground, not how the systems operate but how they operate the systems.
DR. DAVID MUSSINGTON: Okay. We are practically out of time, so unless I hear—okay.
ATTENDEE: So the financial services ISAC, in our experience, has been working wonderfully, and the information that we’ve been able to share, you know, between the, the entities that were in the financial services was timely, actionable, and relevant, especially during the Ababil, Al Qassam fighter brigade campaigns, and that was a big win for us, and within that ISAC. But one of the things that we keep running into is all of the information analysis that we get from law enforcement and from government tends not to be timely and tends to be so vague that it’s not actionable. And so what are we going to be doing different with this initiative to remedy that in the future?
ATTENDEE: I guess I’ll take a crack and release what I see.
ATTENDEE: [Speaking off mic.]
ATTENDEE: Yeah, no, no. Go for it.
ATTENDEE: So I think, you know, educating as far as what we can provide, a lot of times because of investigative restrictions, a lot of times we cannot provide more information because it’s at a classified level. And in the first panel what we basically stated was a lot of times what we’ll do is once that general information goes out we do provide, based on a sector or whether it be an ISAO or a region or whatever, bringing in folks and giving that classified, contextual information that kind of puts the pieces together for the private sector as to why the information that’s coming out may seem dated or it may seem like, you know, it’s not actionable. When you get the context behind it, that allows you to kind of figure out what’s going on a lot better.
So that’s kind of what we’re trying to do. We’ve been doing it for the last couple of years, since my program started, is to get that contextual basis and information out to the private sector, and then be able to say, “If you see something, let us know.” It’s almost like a request for information back out to the private sector. So I don’t know if that answers your question as far as how are the formations of these organizations going to assist in that, but it might be an opportunity for us to leverage and get more information out to a wider variety or a wider audience, as far as contextually concerned.
ATTENDEE: Let me give you another perspective. One, this executive order was promoting private sector information sharing. So one of the things that we ended up doing, Peter, is we were trying to inspire—or stand up for information sharing across the private sector. Then you don’t have to worry about the government, right? What happens after that, when the private sector starts sharing more information between, within themselves, the government, all those things that you’re saying, we have to come to the table with facts that are information, better information. So you’re aspiring—by sending this private sector information sharing up—somebody asked me, “What do we need to government for?” Well, that’s something that the government will have to ask itself, right? So we’re going to have to get better.
So I think this is one of those things like a ladder, you know. Private sector takes a step, the government takes a step.
ATTENDEE: I guess I have a little bit of a different perspective because I do, you know, if, if you sort of had two scenarios of Company A getting information from the government or Company A getting information from Company B, most of the time they’d probably rather get it from Company B. So I think sort of the first issue of this strengthening the peer-to-peer information sharing networks is, is going to be very helpful, and I think that could actually, you know, result in better protection of networks. I think this also will force the government to do something different, not sort of race to, you know, intercept more data to share with the private sector.
I guess your word is “context.” My word is “mitigation” and helping companies, especially those that sort of are, are new to some of this incident response world, or that, you know, are, let’s say in some of these other sectors—energy, non-business, energy, defense sectors—every time there’s a government release and they have this mitigation section, to, to lawyers and to companies, oftentimes that’s the best part of, of the alert to see, because it tells you what you need to do. It tells you if you follow these rules, if you follow these steps, then, then at least you have, you’ve met a standard and, and, and it’s probably a standard that makes sense since oftentimes a lot of mitigations come, comes out of NSD and other places that, that actually are very helpful. And so I think it’s going to cause the government to sort of play a different role in this information sharing rather than just try to compete with peer-to-peer information sharing models.
ATTENDEE: I’ll make one quick comment on the government piece. I think the continued collaboration—you know, the financial ISAC is on the floor of the NCCIC, we’re on the floor of the NCCIC—I think the continued collaboration and mutual understanding of what our issues are is, I think, already proven to be very effective and improved things from where, where they were not too long ago. So, I think there’s hope to, to improve that process if we continue in, in the manner in which we’ve been, we’ve been working hard at this issue together.
ATTENDEE: [Speaking off mic.]
DR. DAVID MUSSINGTON: Okay. I think with that we’re concluding this panel. Thank you all.
ATTENDEE: Thank you for having us.