Why Cybersecurity Partnerships MatterThe public and private sectors must collaborate in new ways to ward off dangerous threats to critical systems and IT infrastructure.
Hub Of Activity
Homeland Security's National Cyber Security Division (NCSD), which includes US-CERT and the National Coordinating Center for Telecommunications, is a hub of activity for these joint efforts. IT personnel from the private sector routinely work within the division's National Cybersecurity and Communications Integration Center, which opened in 2009. During a tour of the facility last year, InformationWeek learned that NCCIC had been in touch with Facebook and Twitter about possible attacks on their sites.
The center is establishing ties with 18 industries that it deems critical, including telecom and energy, as a way to keep lines of communications open and provide assistance where needed. A group within NCSD that concentrates on attacks against critical infrastructure took the lead in the government's investigation last year of the Stuxnet worm, which infected thousands of specialized computers in Iran, Indonesia, India, and elsewhere, according to Symantec. NCSD also led Cyber Storm III, a war game in which dozens of companies participated.
During the past year, some of the tech industry's biggest players have worked with the feds to investigate cybersecurity incidents. Microsoft, for instance, engaged CERT teams to take down the Waledec botnet, which infected tens of thousands of Windows-based computers worldwide. About that same time, Google reportedly turned to the National Security Agency to analyze a security breach of its systems that originated in China.
At the Pentagon, DOD officials now meet "regularly" with their counterparts at technology and defense companies to identify vulnerabilities and get ahead of threats, according to Deputy Secretary Lynn.
While the benefits of public-private partnerships are clear, the challenges are pervasive: a lack of trust between parties; laws and regulations that discourage full disclosure of information; the vested interests of security vendors; fear of bad publicity and customer backlash; and silos and turf wars within government agencies.
New rules of engagement are needed to break down those barriers. Incidents such as last year's leak of government documents on WikiLeaks and the penetration of Nasdaq servers by unknown attackers could have and should have been prevented. "Open source"--that is, open to all--data consolidation, analysis, and remediation efforts are what's needed.
The opportunity is in harnessing a wider array of perspectives and ideas than happens now with a closed loop of participants. We know it's possible because we do it already with software and hardware vulnerabilities in the form of the Common Vulnerability and Exposures, or CVE. With Mitre as the editor and numbering authority for CVE identifiers, data gets collected and used across the industry.
"Working together is one of the great technical challenges of our time." --William Lynn, Department of Defense
What more can be done to improve cybersecurity? I argue for these next steps in public-private collaboration:
>> Establish real-time events tracking across organizations and sectors of the economy. We have the technology and the knowledge to identify an increase in threat activity or behavior across systems. Let's use them.
>> Conduct intelligent activity analysis, also in real time, to identify where threats originate, their targets, and their activity and behavior.
>> Identify and share the sources of abnormal and malicious traffic.
>> Establish an organization of vendors, businesses, and researchers that develops capabilities for dynamic defense and response.
Imagine what researchers and engineers could do if these pieces were put into place. Internal security teams could batten down the hatches quickly, while security vendors could immediately incorporate the necessary changes in their products and push out patches and updates.
But how to begin? There are two existing models outside of the security industry for how this might work. One is a stock exchange, which serves as a clearinghouse for transactions and a hub of market and economic information. There's also the example of the National Weather Service, where data gets shared and repurposed widely by third parties that use it to create value for their customers. If we can track financial transactions by the billions and forecast weather events days in advance, we should be able to get a better handle on cyberthreats as well.
We need to muster our creativity and entrepreneurial mojo to come up with workable solutions. Stuxnet exemplifies the risks we face. The worm was aimed at industrial control systems, which run the gamut of critical infrastructure, from nuclear power plants to oil refineries. It was built with great care to stealthily embed into systems, propagate, and update by "phoning home."
2 of 4