Chief Operating Officer of the Information Assurance Directorate,
National Security Agency
Getting Inside the Adversary's OODA Loop: Automation and Information Sharing for Cyber Defense
April 21, 2014—The CyberWire interviewed Mr. Philip Quade, Chief Operating Officer of NSA's Information Assurance Directorate, who participated in SINET ITSEF 2014. The NSA's Information Assurance Directorate is responsible for the security of US national security systems. He shared his views on Active Cyber Defense, and how it depends upon automation and information sharing for a risk-based approach to Sensing, Sense-making, Decision-making, and Acting in cyberspace.
The CyberWire: Thanks for speaking with us. Having just returned from SINET ITSEF, where do you see the future of cyber security?
Quade: We think it lies in leveraging automation and integration to be able to detect and mitigate cybersecurity risk in real time, that is, fast enough to enable effective defense. It's important to have humans in the loop at some points, but relying heavily on human intervention is neither scalable nor, ultimately, practical for most cybersecurity actions within your own networks. At SINET ITSEF we were very interested in hearing the private sector's ideas on this.
NSA has the mission of helping to secure national security systems, basically, systems that process classified or otherwise sensitive information relevant to national security. The Department of Homeland Security is responsible for setting cyber security standards for other Federal systems.
Our national security customers are finding it difficult to select from the large number of point solutions to cybersecurity, not to mention attempting to manage these independently. We want to be able to see the private sector create manageable solutions, with best-of-breed tools from a variety of sources, and see them re-integrated, and automated as much as possible. This is the message we wanted to convey to the Silicon Valley entrepreneurs we met at SINET ITSEF.
The CyberWire: How can cyber defenders get inside, or at least keep pace, with the adversaries' decision cycle?
Quade: They can leverage automation to accomplish what can't be done at human speed or human scale. This means developing trustworthy automated tools and getting comfortable with turning work over to smart machines.
We talk about the OODA loop a lot, and in cyber we think of it as Sensing, Sense-making, Decision-making (with a dial-able level of automated decision-making), and Acting. You stay inside the adversaries' loop by letting the machines evaluate risk and offer automated courses of action. To get there we need automated decision systems smart enough for operators and policy makers to be comfortable using.
The CyberWire: If information sharing is as important to cyber security as consensus seems to make it, can you describe the challenges of such sharing?
Quade: I think I'd like to distinguish several kinds of information sharing, since sometimes we talk past each other before realizing we mean different things by that term. I think of information sharing in three categories: The first is technical information sharing among cybersecurity machines within an enterprise. Here, we would like to see operators put to use the data from the sensors they own that are already employed on their networks, so that real-time (and other) analytics can assess the importance of what's being sensed, and refer the analysis for decision and action, again with as much automation as possible. Our goal would be machine-to-machine information sharing, a data exchange among tools that allowed effective plug-and-play. We'd find, I think, that the whole would turn out to be greater, and more informative than, the parts. Our customers ideally would buy, install, and integrate COTS products, and then control their own networks. But data exchange in this way among those COTS products would be easily enabled and enhance the overall value of those products. Such an exchange would take place over something that's often called a "messaging fabric" used for short, fast data exchanges among machines, to allow them to operate as a team.
The second type of information sharing might take place across enterprises, where operators would automatically share operating conditions and specific incidents, since such cross-enterprise alerting helps provide context as organizations try to make sense of what's going on within their own networks.
The third type of information sharing is sometimes simply referred to as "fact of," so that, say, Organization One knows that Organization Two is facing a similar problem, which indicates, perhaps, a larger threat and/or an opportunity to collaborate on a solution.
The CyberWire: What would be the role of the National Institute of Standards and Technology (NIST) in evolving the necessary standards for machine-to-machine information sharing?
Quade: We'd like to partner with the private sector and the Department of Homeland Security, then develop and publish a standard through NIST.
The CyberWire: To return to technical information sharing, how do you see it enhancing cyber defenses?
Quade: We see the sort of exchange I've described as a critical enabler of "Active Cyber Defense." And please note that this has nothing to do with "hacking back"—it's not at all about getting into other people's networks. The idea behind the Active Cyber Defense that I'm talking about here is to detect and mitigate threats in cyber-relevant time inside your own networks. To do that you've got to automate manual processes. It's a policy-friendly approach that can, through automation and machine learning, give enterprises a way of staying inside an adversary's OODA loop. And it complements defenses taking place at the boundaries of networks.
Regarding cross-organizational information sharing, it's just smart to get information from your own networks and compare it with the problems other agencies are seeing. This provides a shared context for your defense, and shared context is the second form of information sharing we're interested in. A common situational awareness is reciprocally beneficial.
The CyberWire: What about some of the barriers to information sharing we commonly encounter? For example, enterprises are reluctant to share information for legal reasons, or for competitive reasons, or for fear of reputational damage.
Quade: Most barriers to information sharing are not technical ones – the things that NSA focuses on—but policy barriers. Technologies might enable easier policy decisions, but policy barriers are ultimately overcome by people. The soft stuff is the hard stuff.
The CyberWire: So what did you take away from SINET ITSEF?
Quade: We were at ITSEF to look for good ideas from industry. What ideas might COTS bring us, and our customers? We wanted to learn what the private sector was thinking, and to compare it with some thinking from the Government. We'd like to be able to dialogue, strategically, with the private sector. You might even say that that strategic cooperation is the fourth form of information sharing we're interested in. We want commercial systems to be secure not the least because we want to be able to buy solid, affordable COTS tools, but believe that strategy is a tide that floats all boats – secure COTS products available for national security customers, and others as well.
The CyberWire: Are there any immediate, practical steps you'd recommend an enterprise take to increase its cyber security posture?
Quade: Sure—one easy thing they can and should do is follow NSA Information Assurance Directorate advice. We publish it regularly. The SANS Top 20 is another good place to start. We shouldn't forget the human element either, since technical safeguards are often dependent on people using them prudently.
The CyberWire: What do you see as the coming trends in cyber threats, and the corresponding defensive and mitigation measures enterprises should be working on?
Quade: I'd rather talk about risks than threats. Cybersecurity risk, of course, has three components: threat, vulnerability, and consequences. The way forward involves network operators understanding all three aspects of risk, and making sound risk-based decisions involving all three of them—maybe you act to reduce a vulnerability, or maybe your actions reduce a negative consequence. To do that in cyber-relevant time, they'll need the right set of automated tools and the confidence to use them.
The CyberWire: Is there anything else you'd like to share with the CyberWire's readers?
Quade: I'd like to say that everything we've discussed will take a collaboration to accomplish—it's not just about NSA, but about our Defense, government, and private sector partners producing integrated, automated capabilities that work together, better than what could be done individually.
The CyberWire: Thank you, Mr. Quade.