The Christian Science Monitor continued its Passcode cyber section launch yesterday with a conference organized by the Center for National Policy: "Cyber Framework and Critical Infrastructure: A Look Back at Year One."
Transforming Overwhelming Data to Actionable Inteligence.
Andrew Borene of IBM i2 opened the morning's session. Advocating proactive disruption of cyber attacks, he listed familiar reasons for cyber's pervasive importance. He quoted a Center for Strategic and International Studies estimate of $500B lost to cybercrime annually, and reviewed (again, familiar) accounts of the difficulty of staying ahead of rapidly evolving threats. He concluded that the United States has reached an inflection point with respect to cyber security, and that collaborative public-private action to defend data and networks will become the new norm. He praised last week's formation of the Cyber Threat Intelligence Integration Center (CTIIC) as the focal point for cyber information sharing. He concluded by outlining IBM's view that the coming era of proactive cyber defense will need analytical tools that can deliver insight from big, disparate data sets, connecting seemingly unrelated entities.
Cybersecurity, Critical Infrastructure, and Information Sharing: a View from the Department of Homeland Security.
Dr. Phyllis Schneck, Deputy Under Secretary for Cybersecurity and Communications, Department of Homeland Security, put last week's Executive Order into context. It is, she said, the culmination of a lot of Government work over the past two years. The NIST Framework and the progress made toward voluntary adoption of security best practices are successes. Asked about incentives for adopting the Framework, she offered "fear" as one of them — fear, that is, of what a breach could do to an enterprise, not fear of law enforcement. Other incentives moving businesses toward adopting the Framework comes from the still new but rapidly maturing insurance market. She expected legislation fostering targeted cyber liability protection to be very important.
There are, she noted, eighteen different critical infrastructure sectors, each with its distinctive business models, cultures, and needs. The financial sector evolved information sharing early, and has clearly benefited from it. The Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) is uniquely well-placed to spread cyber information sharing to other sectors, collecting and distributing indicators of threat. The NCCIC delivers in effect a cyber weather map. It is also fostering a common language in which threat information can be shared.
The new CTIIC is an intelligence activity. It will work on the government side, and touch the private sector by providing shareable context to NCCIC. She concluded on a glass-half-full note. As the threats we see grow more sophisticated, we can take this as a sign that the community is doing a good job: "That means we've wiped out some of the bottom feeders."
Information Sharing: Who, What, and Why.
The morning's discussions finished with a conversation between the SANS Institute's John Pescatore and Harley Geiger of the Center for Democracy and Technology. Pescatore commented that information sharing legislation is a perennial topic, but too much is made of it. We've shared information for years. The real issue isn't just sharing threat intelligence — the first thing most people think of — but rather sharing effective defense and response tactics. Such lessons learned would be valuable, and considerably more valuable than sharing signatures or threat intelligence. The Government should avail itself of marketing mechanisms to help drive security in the private sector: FedRAMP has done so for the cloud.
Geiger continued with the observation that cyber information sharing is valuable, but not a complete solution. Digital hygiene is at least as important practice, as are other emerging best practices and standards of care. Insofar as the Government does share cyber information, the Center for Democracy and Technology thinks that a military agency like NSA is not the appropriate lead organization. Sharing belongs in the Department of Homeland Security.
There are, Geiger argued, many legislative provisions now in force that permit information sharing. Where new legislation might help would be in removing obstacles in the way of business-to-business information sharing. The Administration's proposals don't incentivize this. We also want to avoid information sharing "becoming a giant backdoor wiretap for law enforcement." In any form of information sharing, promised privacy protections — yet to be developed — will be vital.
Geiger and Pescatore agreed that information sharing shouldn't be government-centric, but believed they saw signs that legislation was shaping up to make it so.
Pesacatore concluded with remarks on the future of cyber security in the private sector. "We're evolving toward an effective understanding of what's an acceptable cyber loss." A major retailer like Target loses some $2B annually to "shrinkage" — shoplifting and employee pilferage — and it plans and budgets for such shrinkage as a foreseeable cost of doing business. Yet Target's much-discussed cyber losses last year were an order of magnitude smaller than the shrinkage it experienced. Many kinds of cyber risks might be assessed and managed in terms of foreseeable loss. Pescatore finished with a call to shift attention away from over-emphasized threat intelligence and toward effective, timely sharing of lessons learned.