Watchers: from Neighborhoods to Polling Places
The panel's title was "Strategies in Response to a Significant US Cyber Incident," and those strategies stressed collaborative, even voluntary models. Deborah Golden (Deloitte) chaired a discussion among Aaron Hughes (US Deputy Assistant Secretary of Defense for Cyber Policy), James Trainor (Assistant Director of the US FBI's Cyber Division—soon to retire, and therefore promising much candor), Andy Bosnian (CyberArk), and Andy Ozment (US Assistant Secretary for Cybersecurity and Communications, Department of Homeland Security).
Ozment began by describing the origins of PPD-41, the Presidential Policy Directive that guides cyber incident coordination, promulgated on July 26 of this year. The victim, Ozment explained, drives what happens during incident response. The Government plays a role in "asset response, threat response, and intelligence," with resources drawn from different agencies. The Department of Homeland Security, which engages on most significant incidents, concentrates for the most part on asset response. Asset response involves helping the victim recover, and to identify the vulnerability that enabled the incident in the first place.
Threat response is investigation—criminal investigation—of the incident. The FBI's Trainor explained that private entities can expect the Bureau to work side-by-side with incident responders, and he effectively reiterated a recently familiar FBI determination to treat victims of cyber attacks as just that—crime victims—not as suspects.
The Department of Defense role in cyber defense wasn't changed by PPD-41. Hughes noted that Defense retained its responsibility to defend the nation against "significant attacks," and suggested that the Department would play a role in incident response that's analogous to the role it assumes in the case of natural disasters. So hurricane relief should afford an imaginative model of how the Defense Department sees itself supporting cyber incident remediation. To a question about cyber deterrence, Hughes described this as involving a whole-of-government approach. Deterrence isn't only cyber on cyber, but includes sanctions and other measures. He offered one lesson of general applicability: operationally realistic exercises are very important, and these should include the participation and cooperation of both the Government and the private sector.
The private sector, of course, as Bosnian said, plays a significant role in both asset and incident response.
A great deal of cooperation for cyber defense is necessarily voluntary, and there are instructive analogies with the role neighborhood watch plays in ordinary public safety and law enforcement. It's often said, Ozment observed, that cyberspace is borderless. But this isn't true—borders are there, and remain important. "It's more accurate to say that everyone is on the border." Thus the importance of following best practices and being prepared for incidents. "If you haven't done this, you can't be helped, much."
To a question about how watching and sharing information might advance security, Ozment distinguished incidents from indicators. There's reluctance in the private sector to share information about incidents for many reasons, including legal and regulatory uncertainty, but there's much less concern sharing indicators. So invites companies to share indicators through the portal the Department of Homeland Security has established. One company has signed on so far; he encourages others to do so.
Trainor, for his part, also encouraged people to call the FBI to report incidents. He understands hesitancy to share, a reluctance arising from regulatory attention, civil liability, and reputational damage.
Cooperation needn't be confined to US companies and agencies. Ozment offered the response to last December's power grid hack in Ukraine as an example. He saw initial cooperation established through FBI contacts in Ukrainian law enforcement circles. It included CERT-to-CERT work, DoD liaisons, and participation by the Department of Homeland Security, the Department of Energy, and the North American Electric Reliability Corporation. None of the individual steps in this attack were sophisticated, but assembled into a coordinated campaign of phishing, lateral pivoting, and telephonic denial-of-service they proved both clever and effective. The US was able to both help and learn, and then to come home and teach.
A final question asked about securing elections, a topic that received much discussion at the Summit. Should the voting system be designated as critical infrastructure? That won't happen for this election cycle at least, but Ozment took the opportunity to explain what such designation meant: it enables the Department of Homeland Security to offer more help. "It doesn't put DHS in charge." Trainor said that election issues have historically involved issues of voter fraud. That's a matter that belongs to the states, he explained, although the Bureau will help where it can. And he closed with an interesting caution on the limitations of that help: "It's a felony for an armed Fed officer to show up at a polling place."