News from the SINET Innovation Summit
SINET's Innovation Summit concluded yesterday with discussions of appropriate cyber security roles for government and the private sector, the challenges of enhancing security and privacy, the use of actionable risk intelligence, and fresh collaboration models.
There was consensus among the symposiasts that effective defense would require broader collaboration, and that a prime form such collaboration must take is timely sharing and analysis of cyber threat intelligence. Automation—eventually realized in machine-to-machine links—seems essential to achieving both the speed and clarity necessary to the development of actionable intelligence. Enterprises generate more data than human watchstanders can analyze, and without automated analytical tools these data will blind an enterprise with what amounts to the glare of war. (Human watchstanders and reverse engineers can also quickly become prohibitively expensive.)
In addition to threat intelligence, enterprises should also share defensive tactics, techniques, and procedures. These will inevitably involve defense in depth, and they should be developed and deployed in the context of sound risk management. Several panelists stressed the importance of situational awareness of one's own networks, and of improving security through behavioral analytics built around business processes.
That the cyber threat is both global and permanent seems beyond question. Adversaries are numerous, often well resourced, and above all adaptive. As the attackers, they enjoy an inherent advantage over defenders: the attacker need succeed only once to damage an enterprise. Both government and industry work to stop attacks, but stopping attackers—counteroffensive cyber operations—is by industry consensus a governmental responsibility.
Government speakers acknowledged that industry has much to teach them, not only in terms of technology, but in terms of best practices as well. There was widespread agreement that joint cyber exercises are essential to effective cyber defense.
We link to several articles below that illustrate some of the symposium's themes: the enduring nature of the threat (particularly as it manifests against the financial sector), the possibilities of collaborative defense (and how exercises enhance it), and the value of a fresh look at policy (especially personnel policies).
One executive attending the conference, Peter Clay (of CSG Invotas), offered us his perspective on the value of cooperation, and the challenges involved in achieving it. "The information security community is currently overcoming enormous hurdles that were imposed out of fear that any threats they were experiencing would be exposed. After all, this is a community that historically has struggled to even admit that there might be an issue with security." He regards a forum like SINET as invaluable. "Until about two years ago, there were few forums for organizations to share their security challenges in a safe and confidential environment. Before that time, the information organizations were willing to share was often out of date to the point of being useless. Today, open and up-to-date information sharing can take place without significant concern of reputational risk or undue public scrutiny. Simply learning to communicate threat exposure or risk doesn't solve all of the issues, but it is an excellent first step."
Admiral Michael Rogers, Commander of US Cyber Command and Director of the National Security Agency, closed the conference with the day's second and final keynote address.
He opened by expressing his belief in the cooperation SINET is working to create. "Cyber," he remarked, "is the ultimate team sport." The engines of technological advance aren't in the government, and the government, finance, and technologists need to work together to share information and expertise.
That sharing is more difficult than Admiral Rogers would like it to be, both within and outside the government. He'd like to get faster. He'd like to know what malware the private sector is seeing, and what tactics have worked against it. He'd like to share threat intelligence, harnessing NSA's foreign intelligence mission to understand what's going on in cyberspace, and pushing as much intelligence as reasonably possible out to the private sector and other government agencies.
Cyber is particularly challenging: it's no respecter of traditional boundaries, whether geographic or organizational. "If we can't get beyond our comfortable boundaries," he said, "bad things will happen."
A question from the audience asked about the possibility of going out of the government's comfort zone by holding joint exercises including uncleared, non-contractor private-sector enterprises. Admiral Rogers agreed that some such set of tactical exercises is needed. We should also begin by picking sectors we work with well now.
A follow-up question asked about the possibility of including the private sector in offensive cyber operations, and here the Admiral demurred. There are legal obstacles to this, and we should certainly begin with the easier, more obviously permissible defensive exercises.
Another question from the audience likened a compromised computer to an enemy soldier, and asked how we could secure all the computers in the US. Admiral Rogers proposed an analogy—there are millions of vehicles on the roads in the US. The federal government, the states, industry, and private individuals all have a role in automotive safety—it amounts to a vast partnership. "I think cyber is like this in its complexity. I don't foresee any governmental agency or level assuming full responsibility for cyber defense." It's a complex partnership: we need legislation to protect companies from liability for sharing information (or acting on it). And leaders can no longer tell the CIO "this is your problem; fix it." Our cyber problems are foundational and must be dealt with as such.
In response to a question about what can be done to rebuild trust and repair the damaged brand of NSA and the US as a whole, the Admiral said that NSA has a real and important mission. "But we need more transparency. Recognition of the inherent rights of individuals led to the creation of the United States. It's our foundational idea." He called for broader dialogue to engender trust.
His conclusion reminded the conference of the severity and reality of the threat. "Let me conclude by cautioning you not to believe everything you read. There are adversaries who seek our annihilation. As much as we want transparency, those adversaries also listen, and they watch very closely. If I'm too specific, I weaken us. We absolutely need dialogue. And we need to balance this dialogue with measures to secure us against those who wish our destruction. There are enemies out there who would, if we permitted it, repeat 9/11 on a vastly larger scale. We can't forget this."