Threat information sharing builds better cyber standards, expert says

Anne Neuberger, director, Commercial Solutions Center, NSA

Michael O'Connell | April 17, 2015 5:36 pm

Cybersecurity experts often consider public-private partnerships to be something of a mixed bag.

“On the one hand, they’re cited as critical … to improving the government’s awareness of what’s occurring on private-sector networks and also really improving private sector ability to defend networks,” said Anne Neuberger, director of the National Security Agency’s Commercial Solutions Center. “On the other hand, they’re frequently criticized as ineffective.”

Neuberger made those remarks in a Sept. 25 speech at the Second Annual Cyber Security Summit hosted by the U.S. Chamber of Commerce in Washington, D.C.

To illustrate the contradictory nature of these government and business partnerships, she shared the lessons NSA learned — both good and bad — in participating in public-partnership models.

Eighty-five percent of the nation’s critical infrastructure is owned and operated by the private sector, she said. In addition, the private sector is responsible for building many of the individual systems of those companies, from utilities to networks to routers.


“On the private side, threat intelligence is gathered by private-sector entities,” Neuberger said. “But there’s also … government-gathered threat intelligence, and the sense is that threat intelligence is often gathered on certain entities — tactics and techniques. Based on the number of times, in various groups, we talk about the importance of greater government information sharing, there is certainly at least the perspective that that threat intelligence would be useful if shared frequently and at the right value level with the private sector.”

One of the central challenges the government and private sector face in establishing a threat-sharing system is the degree of shared responsibility both sides have, particularly between the government and large, critical-infrastructure firms.

“Critical services, as we noted, from power to water are owned by private-sector firms, but it’s probably fair to say the average citizen looks to their government to ensure the resiliency and the continuity of those services,” Neuberger said. “And in addition, it’s also fair that companies may spend enough to ensure that their networks securely support core business functions. But it’s also probably a reasonable sense that they may feel that the ability to really gird networks from catastrophic attacks may well be something that’s a shared government responsibility.”

Currently, the government does not monitor private-sector networks to maintain, detect and stop malicious activity.

“As a result, if we’re saying that there is that shared responsibility, the model of a partnership does seem to be at least an intermediate way to rapidly share threat and vulnerability information,” she said.

Neuberger described two models for government-private sector work — one regulatory, the other a partnership.

“Given the complexity of setting standards and regulating technology in such a rapidly evolving area, it does seem worthwhile that we kind of take that partnership model as far as it can get us before looking towards a regulatory model,” she said, adding that is the position of the government and the U.S. Chamber.

Can public-private partnerships actually work?

While a need for establishing public-private partnerships exists, the question remains: what is the best way to make those systems work?

Currently, the federal government has three models for partnering with the private sector — general, targeted and operational. These are voluntary, cyber-specific information sharing efforts supporting critical infrastructure protection that ensure the government is sharing threat intelligence with companies.

These efforts are different from the NSA programs recently leaked to the press by former contractor Edward Snowden.

“Those are foreign intelligence programs, where U.S. companies are compelled to respond to lawful orders,” she said. “Those orders are carefully reviewed by appropriate courts and subject to strict oversight by all three branches of government.”

General information sharing, the first model, applies to a broad range of private entities with a focus on sharing threat information.

“Pretty much any company that wants to participate can,” Neuberger said. “Mostly, it’s done as one-way sharing from the U.S. government to private companies with, in some cases, limited and anonymized sharing by those private sector participants.”

Neuberger pointed to the Financial Services Information Sharing and Analysis Center (FS-ISAC) as an example of a successful general information sharing entity.

Targeted information sharing focuses on highly specific, often classified, threat information shared between a small group of companies, many of which are in the technology sector. The purpose of this model is to mobilize key technology-sector and government experts to improve the security within that realm.

“The thought there is that by actually improving the security within hardware and software products, you’ll have the natural side benefit of that broad array of companies or consumers who then purchase those products naturally being protected from that threat,” Neuberger said.

One lesson learned is that improved security in a particular area can carry over into bodies, both public and private, that promote standards.

The final model Neuberger described was the operational public-private partnership, which represents the deepest collaboration between the sectors and includes the Enhanced Cybersecurity Services program introduced in February by executive order.

“In this model, government often shares classified threat intelligence, threat signatures with private-sector communications providers who meet a set of security standards,” she said. “These companies, force multipliers if you will, often incorporate this threat intelligence into other services that they offer, combining the best private sector and threat intelligence and then offering that as a for-profit service, often to other firms, often to smaller and mid-size firms who can then benefit from that economy of scale.”

Lessons learned from public-private partnerships

The three models Neuberger described each have core differences, including the objectives of the partnership, the goals of the collaboration, the types of companies participating and the roles of the participants.

These differences have led to several key lessons learned.

The first is to focus on the specific objective you are seeking and to ensure that the partnership participants, both in the public and private sector, are those needed to achieve that objective.

The second lesson is that the government must provide information that is valuable.

“Sometimes on the government side, whether that’s within the intelligence community with regard to how classified we keep information or more broadly across government, there needs to be a better effort to ensure that information we share is fresh,” Neuberger said.

The third lesson is that trust is foundational.

“The number of participants and degree of trust likely increase in inverse proportion,” she said. “So, for critical infrastructure sectors with active regulatory bodies, that’s often a challenge. What is the role of a government regulatory body when there is a public-private partnership?”

The final lesson is that the outcomes of public-private partnerships can help to inform wider policies, first by legislation and then procurement.

“Government is often a very large consumer of IT,” Neuberger said. “And there’s a lot that we can do to set the right security standards so that corporate individuals have a good sense of what we value from a security perspective.”

Lessons learned through targeted partnerships can also help to inform standards, which she called critical to the nation’s cybersecurity strategy.

“Technology is complex,” Neuberger said. “Security comes at a cost. Standards help achieve that right balance, addressing the level of performance, resiliency required, for given usage in ways that fit within the technology to market cycle.”

This played out over the last few years in the federal government’s shift from using government-built technology to procuring commercial technology for government use. This move necessitated an increase in cybersecurity standards to meet the government’s security needs.

“NSA relies on the encryption and standards we advocate for and advocate for the encryption and standards that we use,” Neuberger said. “So, what we recommend for inclusion in those cryptographic standards, we use ourselves in protecting classified and unclassified national security systems. We don’t make recommendations we can’t stand behind for protecting the most sensitive information within the U.S., all the way and including the communications of the President.”
