
Why Cybersecurity Partnerships Matter

The public and private sectors must collaborate in new ways to ward off dangerous threats to critical systems and IT infrastructure.

Hub Of Activity

Homeland Security's National Cyber Security Division (NCSD), which includes US-CERT and the National Coordinating Center for Telecommunications, is a hub of activity for these joint efforts. IT personnel from the private sector routinely work within the division's National Cybersecurity and Communications Integration Center (NCCIC), which opened in 2009. During a tour of the facility last year, InformationWeek learned that NCCIC had been in touch with Facebook and Twitter about possible attacks on their sites.

The center is establishing ties with 18 industries that it deems critical, including telecom and energy, as a way to keep lines of communications open and provide assistance where needed. A group within NCSD that concentrates on attacks against critical infrastructure took the lead in the government's investigation last year of the Stuxnet worm, which infected thousands of specialized computers in Iran, Indonesia, India, and elsewhere, according to Symantec. NCSD also led Cyber Storm III, a war game in which dozens of companies participated.

During the past year, some of the tech industry's biggest players have worked with the feds to investigate cybersecurity incidents. Microsoft, for instance, engaged CERT teams to take down the Waledec botnet, which infected tens of thousands of Windows-based computers worldwide. About that same time, Google reportedly turned to the National Security Agency to analyze a security breach of its systems that originated in China.

At the Pentagon, DOD officials now meet "regularly" with their counterparts at technology and defense companies to identify vulnerabilities and get ahead of threats, according to Deputy Secretary Lynn.

The Challenges

While the benefits of public-private partnerships are clear, the challenges are pervasive: a lack of trust between parties; laws and regulations that discourage full disclosure of information; the vested interests of security vendors; fear of bad publicity and customer backlash; and silos and turf wars within government agencies.

New rules of engagement are needed to break down those barriers. Incidents such as last year's leak of government documents on WikiLeaks and the penetration of Nasdaq servers by unknown attackers could have and should have been prevented. "Open source"--that is, open to all--data consolidation, analysis, and remediation efforts are what's needed.

The opportunity is in harnessing a wider array of perspectives and ideas than happens now with a closed loop of participants. We know it's possible because we do it already with software and hardware vulnerabilities in the form of Common Vulnerabilities and Exposures, or CVE. With Mitre as the editor and numbering authority for CVE identifiers, data gets collected and used across the industry.

"Working together is one of the great technical challenges of our time." --William Lynn, Department of Defense

What more can be done to improve cybersecurity? I argue for these next steps in public-private collaboration:

>> Establish real-time events tracking across organizations and sectors of the economy. We have the technology and the knowledge to identify an increase in threat activity or behavior across systems. Let's use them.

>> Conduct intelligent activity analysis, also in real time, to identify where threats originate, their targets, and their activity and behavior.

>> Identify and share the sources of abnormal and malicious traffic.

>> Establish an organization of vendors, businesses, and researchers that develops capabilities for dynamic defense and response.

Imagine what researchers and engineers could do if these pieces were put into place. Internal security teams could batten down the hatches quickly, while security vendors could immediately incorporate the necessary changes in their products and push out patches and updates.

But how to begin? There are two existing models outside of the security industry for how this might work. One is a stock exchange, which serves as a clearinghouse for transactions and a hub of market and economic information. There's also the example of the National Weather Service, where data gets shared and repurposed widely by third parties that use it to create value for their customers. If we can track financial transactions by the billions and forecast weather events days in advance, we should be able to get a better handle on cyberthreats as well.

We need to muster our creativity and entrepreneurial mojo to come up with workable solutions. Stuxnet exemplifies the risks we face. The worm was aimed at industrial control systems, which run the gamut of critical infrastructure, from nuclear power plants to oil refineries. It was built with great care to stealthily embed into systems, propagate, and update by "phoning home."
