Cybersecurity is a continuously moving target, as new threats emerge on a daily basis. So federal efforts at analysis and information sharing must by necessity be constantly evolving as well.
The National Cybersecurity and Communications Integration Center is the custodian of the Department of Homeland Security’s cyber incident information sharing network.
“You know the difference between data and information, right?” John Felker, director of NCCIC, asked during a recent speech at a cybersecurity conference sponsored by AFCEA Bethesda in Washington. “Data is stuff. Information is stuff that’s had somebody analyze it and make sense of it so we can make use of it to further our cyber defense efforts.”
Felker gave two recent examples of the kind of “information stuff” NCCIC does. He said during the San Bernardino shootings, NCCIC tracked cell tower traffic to ensure no jamming was occurring, and monitored 911 calls to get a clearer picture of the incident.
During the Pope’s visit, NCCIC coordinated with local communications companies to ensure the integrity of communication systems in the event of an emergency.
But Felker said that NCCIC’s incident response work begins before an incident even occurs. It runs a red team of white hat hackers that probe agencies for vulnerabilities, simulating cyber incidents without the negative consequences. He said agencies don’t think enough about their systems’ vulnerabilities until they’re already exposed.
“What does your system look like?” he asked. “Do you know how you’re architected? Are you segmented or are you not? Do you know what box talks to another box? Do you know what box talks to the internet? What are the vulnerabilities in your system that you should be concerned about, particularly as it applies to your line of business?”
NCCIC then conducts analysis on both simulated and real incidents, and shares that information governmentwide in order to help agencies improve their own cybersecurity statuses.
Meanwhile, NSA’s Cyber Task Force is conducting a different kind of analysis. They monitor known threats, perform risk assessments, and study their capabilities so that agencies know what they’re up against, and what to expect.
Philip Quade, chief of the Cyber Task Force, said that NSA is trying to look beyond current capabilities to see what’s coming next.
“The way we see it is that many of us are in that perilous condition in that boat, and we see that huge wave in front of us, and we’re quite worried about that huge wave,” he said during the conference. “And I need to be a little bit doom-and-gloom here by saying there’s an even worse wave beyond that. And that’s even more sophisticated types of attacks.”
NSA has identified a number of “bad actors” who conduct malicious cyber operations, Quade said, including Russia, North Korea, China, Iran and non-nation state organizations such as the self-proclaimed Islamic State. He said that many of these bad actors have upgraded their capabilities from malware to what he calls “milware” —more sophisticated versions of malware customized by governments. Milware, Quade said, is what was used to attack infrastructure in Ukraine.
The one defensive advantage U.S. agencies have, in Quade’s opinion, is that it’s very difficult to understand the structure of foreign systems.
“We need consequence based risk-mitigation more than ever, because the adversaries are going to be absolutely befuddled how they’re configured, so let’s use that knowledge against them,” he said. “Let’s turn that into the judo move of cybersecurity. Use our knowledge of the consequences we’re trying to avoid to design in a variety of layered security approaches to make sure those bad consequences don’t happen.”
Quade said the U.S. needs to become better at defining levels of risk, and why something is risky. The current system is open to individual interpretation, and that isn’t precise enough.
The problem, Quade said, is the three dimensions of risk: threat, vulnerability and consequence. Cyber risk can be viewed through each of those dimensions, and assessed differently. An intelligence operative with a background of assessing threat might declare an event low risk because it’s unlikely bad actors would target it. Meanwhile, a technologist might declare it high risk because the vulnerabilities are glaring.
And mitigating risk unfolds differently depending on which dimension is being addressed.
“Sometimes you don’t have a choice,” he said. “You can’t always mitigate the threat. What does that mean —telling the Russians to knock it off? It doesn’t quite happen that way all the time.”
Quade said the solution is for cyber personnel to better understand the consequences owners and operators of systems want to avoid.
“If I understand the bad consequences you want to avoid … I can do a better job as a foreign intelligence producer or as a technology vulnerability discoverer,” he said. “I can’t know everything about all foreign threats; it’s too big of a job. And I also can’t be an expert at every technology’s vulnerabilities —too big of a job. But if I can get a better understanding of what the consequences are that you want to avoid, then I can narrow my aperture and look a little bit more precisely at threat vectors and technology vulnerabilities.”