A fast-moving panel of experts shared their thoughts on a range of cybersecurity topics.
Jason Miller (Executive Editor, Federal News Radio) moderated a panel whose announced topic was "Protecting high-value assets in Federal agencies—implementation strategies."
But the panel would stray from that announced topic and range over other topics of current interest. The experts who took part included David Hogue (Senior Technical Director, Cybersecurity Threat Operations Center (NCTOC), US National Security Agency), John Felker (Director, NCCIC, US Department of Homeland Security), and Martin Stanley (Branch Chief, Cybersecurity Assurance Branch US Department of Homeland Security). Only Miller and Stanley were originally scheduled to participate; the others stepped in to replace other experts who were weathered in by the unseasonal blizzard. The result was a lively and wide-ranging discussion.
Miller began by asking whether the audience knew how many US Federal laws there were that in some direct way governed cybersecurity. He himself counted (with confidence and authority) some sixty-four statutes, the earliest one being the Posse Comitatus Act of 1878, which restricts the use of military forces for law enforcement purposes. His point was that the US legal environment surrounding cyberspace is as complex as the incidents that play out in that domain.
What's an incident and what do you do about it?
Asked about the number of incidents organizations face, Felker pointed out that estimates can vary with the definition of "incident." The important thing to note is that there's effectively no difference between the frequency with which Federal agencies and private organizations come under attack.
What's more interesting than counting incidents is what you do when they're reported. Miller asked Felker what happens when the NCCIC gets a call from an agency that has an incident. Felker noted, first, that it's important to have prepared your ability to assist by building a relationship of trust with the agencies you serve. But in the case of a particular incident, "We hand a report to one of our incident response managers," he said. "Then we look to see if it appears other agencies are experiencing the same attack." And then the NCCIC offers such assistance as the affected agency thinks it needs.
Security becomes resiliency.
Stanley reminded the panel and the audience that the NIST draft framework, 800-160 version 2 was being released that day. This version focuses on designing resiliency into systems. In fact, Stanley said, "Federal Network Security" has become "Federal Network Resiliency." Systems have to be designed so they can continue to operate under the adverse, degraded conditions of attack.
One of the biggest challenges he sees is getting large organizations to understand what their high-value assets in fact are. That set can and will change over time; it's not a fixed, static list. Stanley said that DHS has prepared, with NIST, a High Value Asset Control Overlay to help organizations develop the self-understanding necessary for resiliency.
Inspectors general, threats, and bug bounties.
Miller pointed out that IGs can be a problem for organizations that self-report, or ask for help. "Did you work with the IG community," he asked, "to help them not slap the wrists of CISOs when they come in?" Stanley thought that an interesting question, and one you certainly had to address. He would focus agencies on risk management as opposed to compliance checklists. "But the idea that there's a one-size-fits-all solution is mistaken. Instead, it's about understanding threats."
Miller asked Hogue how he liked bug bounty programs, particularly the famous one the Department of Defense has in place. Hogue likes them very much indeed. He especially likes the way he's seen them underscore the importance of foundational best practices. Those unglamorous measures are vital, and bug bounties can help improve and sustain them.