Presentation to the Cyber Security & Critical Infrastructure Protection Symposium - March 20, 2013

Thank you very much for the invitation to speak to you today. This is an august – indeed, a bit intimidating – group of cyber professionals. I find that when I am in the presence of engineers and scientists I want to wear one of those T-shirts with a complicated equation that states, "This is why I majored in English" – or in my case, political science. I spent my career as an intelligence officer and have come to the cyber world not as a network defender or solution developer, but as someone who seeks to support those on the front lines of cybersecurity with actionable, responsive information.

I’m also honored to be here with some of the premier thought leaders working across the many aspects of cybersecurity today. The speakers who have already presented have been insightful and raised critical challenges that we face across government, industry, the private sector and the public.

The breadth of backgrounds and perspectives represented here illustrates the scope of the problem. Go to any symposium and ask what cyber includes and whose responsibility it is - and you are likely to get the answer, "Yes."

Yes - it is a federal issue.
Yes - it is a state and local issue.
Yes - it is an intelligence issue.
Yes - it is a defense issue.
Yes - it is a commercial issue.
Yes - it impacts business decisions.
Yes - it impacts IT operations.
Yes - it is a policy matter.
Yes - it has legal repercussions.
Yes - it affects foreign policy.
Yes - it involves the global supply chain.
Yes - it is an education and training matter.
Yes - it requires a public-private sector partnership.

The fact is this domain touches every one of these areas - and only an interdisciplinary, holistic approach and a focus on prevention will provide secure and resilient cybersecurity.

There is widespread agreement that the threat is real, and that there are a variety of actors – nation states, organized crime, insiders, hacktivists, terrorists and even mischief makers. There is agreement that the theft of intellectual property and trade secrets as a result of cyber attacks is in the hundreds of billions of dollars. General Keith Alexander, director of the NSA, has called this theft "the greatest transfer of wealth in history." Shawn Henry, former executive assistant director of the FBI, once called the cyber threat "an existential one, meaning that a major cyber attack could potentially wipe out whole companies. It could shut down our electric grid or water supply. It could cause serious damage to parts of our cities, and ultimately even kill people."

I think it’s time we agree that our response must be multi-faceted - a collaboration between network defenders and system engineers, intelligence specialists and law enforcement, policymakers and lawyers, people in government and people in private industry. To be successful we must bring all of our insight and expertise into the fold. Do you remember the Rubik’s cube? The cyber domain is like a Rubik’s cube – all aspects must be worked together. Change one and the effect impacts others, sometimes with unintended consequences.

For many years, network defenders focused on keeping intruders out and attacks at bay. They wanted to "catch-and-patch" – and didn't really care about who was attacking the system or whether there was a pattern in the attacks. The trouble with this approach as a standalone solution is that it’s reactive. A signature-based system will only stay ahead until the next version of the malware surfaces. It is a never-ending, reactive cycle that is vitally important and, at the same time, painfully limiting. I think this is changing and there is more awareness that it’s not enough to stop the attack at the door. But where the "catch and patch" approach still exists, it’s important to move beyond reaction.

We must push the boundaries of protection beyond “responding and recovering” by adopting a multifaceted, layered defense - which is where cyber-intel comes into the picture. Intelligence is helping with the "prevent and protect" side of the Rubik’s cube. If through solid and responsive threat intelligence we can effectively push the border of cyber defense out, away from our networks, the network defenders have more time and better opportunity to secure the cyber domain.

Intelligence helps in four distinct ways.

1. Intelligence provides context. When I was at DHS, one of my cyber intelligence experts spoke to a gathering of CIKR sector folks who are heavily dependent on SCADA systems. He explained to them why a particular nation state was attempting to get into their networks – it wasn’t to shut them down, it was to learn about the specific methods the United States uses to produce that form of energy, because they were developing similar ones. We know, of course, that theft of intellectual property is a huge component of the cyber threat. But his explanation to the audience was more than just the "what" of the attack; it was the background and the economic explanation of the "why." The information he gave them had little to do with cyber methods and everything to do with a broad understanding of the perpetrator and the target. My TASC CISO reminded me of how he uses information like this: understanding the context allows him to act on the intelligence by saying, "I need to look for these guys where I store my engineering documents, not my control centers." Context allows him to better defend the networks by focusing on what the attackers look for.

The point is that enemy intent is as important as enemy capability. Intelligence analysts looking at trends of attacks by the collective Anonymous, for example, concluded that DDoS attacks generally followed media reports about actions that the group disagreed with. Knowing the pattern of behavior enabled preventive action.

2. Intelligence provides indications and warnings. Sometimes a network defender’s best defense is to allow an actor to remain in a network in order to see the pattern of behavior. And warning is important across networks – if activity is occurring on a military network, for example, it could also be occurring on a corporate network, and vice versa. We need government and industry to share information with each other. Hold this idea – I’m going to come back to it in a minute.

3. Intelligence provides a more complete picture – full situational awareness, if you will. An intelligence analyst uses all sources of information: the traditional "INTs" – HUMINT, GEOINT, SIGINT, MASINT, and OSINT, or open source – as well as data from IDS sensors, or information gathered during law enforcement investigations. There is a danger in approaching cybersecurity with a single-source mentality. Often, intel analysts hear from the private sector or operators: "Let me see the raw intel and I will be able to defend my networks better." The problem is that raw intel is just that – unevaluated, unexamined.

Take for example the purported hack of an Illinois water system in 2011. Raw, unconfirmed data that was leaked to the media indicated the system had been hacked by actors in Russia. In fact, after a detailed intelligence analysis, DHS and the FBI concluded that there was no malicious or unauthorized traffic from Russia or any other foreign location – instead, an authorized employee had logged onto the system while vacationing abroad. Reliance on a single source of data had led to the wrong conclusion.

But you have to remember that intelligence isn’t always fast – or perfect. As we move into the cyber domain as a whole, it is essential that we understand the adversary's planning process. This is what the military calls intelligence preparation of the battlefield. For the cyber threat, preparation involves the threat actors collecting information, developing a strategy and ensuring the capability – all before executing it. Intercepting the elements of this planning process is an area where intelligence plays an important role, but it takes time to gather accurate, actionable information.

4. Intelligence provides the information that allows better decisions. Decisions on cybersecurity are rarely made by the CISO or the network defenders. They’re made in the board room by the CEO and the business lines. Intelligence helps inform those decisions by enabling understanding of the threat and helping to develop a comprehensive risk assessment. Vulnerability alone doesn’t make the business case – but articulating the threat in a holistic manner – threats to the global supply chain, threats from insider attacks, threats from actors performing industrial espionage, and threats from actors probing for weaknesses as part of operational planning – allows better decisions about resource allocation and risk analysis. In other words, intelligence helps reduce uncertainty for the decision maker. Together, the CIO, CTO, CISO and intelligence professionals make the case to the decision maker.

For intelligence professionals to deliver mission-essential information, the network defenders need to provide crisp requirements. We don’t always know what the user needs. In the DHS Office of Intelligence and Analysis, we developed a comprehensive list of "Standing Information Needs." When we first went to our customers back in 2004 or 2005, we asked, "What intelligence information do you need to do your mission?" We got the response, "I don’t know – whaddya got?" To be effective in the realm of cybersecurity – or any domain – intelligence needs to know the specific requirements of the beneficiaries of that intelligence. For example:

Requirements – What cyber data are anomalous? Where do they come from? What specific questions do you need answered? And in what timelines? This should be an iterative discussion between the intelligence providers and the users.

Data – The relationship between the network operators and defenders and the intelligence providers is a symbiotic one. Intelligence analysts take data from operational sensors and logs and fuse them with all-source intelligence information to arrive at a comprehensive threat analysis, and provide information about trends, tactics, techniques and procedures back to the customer. That information in turn informs the IDS, which provides data back.

Common understanding – A dialogue with network defenders to understand what is possible and what is not possible; to understand the legal requirements and restrictions with regard to the protection of privacy; to understand the difference between law enforcement activities and intelligence; and to understand what is doable in a short timeframe versus what can be accomplished in a longer term. Additionally, the users have to be willing to accept the intelligence information without visibility into protected sources and methods. This willingness – especially when we talk about government and private sector relationships – develops as trust increases.

All this leads me back to the concept of information sharing.

The new executive order on cybersecurity and the accompanying presidential policy directive on critical infrastructure security and resilience recognize that both the public and private sectors hold complementary information that must be made available in both directions if we are to truly secure our cyberspace. Under the order, federal agencies are required to produce unclassified reports of threats to relevant U.S. companies in a timely manner. The challenge here is not so much sharing the data, but rather sharing it in a way that makes connections – intelligence personnel are trained to meet this challenge, provided that they know what the operators need and that they can deliver actionable and tailored information. There have already been some successes in this area – the DIB pilot and the FS-ISAC have demonstrated sharing relationships which, while not perfect, are examples of what we can look toward.

The intel community needs to become more transparent and provide the necessary information in a way that is timely, useful and actionable – without revealing its sources and methods. Speaking from experience, I can say we often speak to ourselves, rather than getting information about the threat to the user. Hopefully the dialogue sparked by the new EO and, ultimately, by legislation, will facilitate this sharing of essential information.

There’s an important point to make here. In the changing world of cyber intelligence, we have to recognize that our approaches can be impractical. In the intelligence world, a study can take months to get through the review and publication process. By the time a report reaches the operator, the information is useless. We have to quickly assess what information is operational, get it out and get it out fast. US-CERT bulletins are a good example of operational reports that need to be shared widely and quickly.

There are other policy questions as well that must be answered – what triggers a move from "DEFCON 3" to "DEFCON 1"? When does corporate espionage or even the theft of intellectual property merit a counterattack? Our government leaders need to define the policies and protocols for monitoring, assessment and appropriate response. But policy and doctrine aren’t the missions of the intelligence officer, so I will just leave these as questions the cybersecurity community – all parts of it – needs to address.

Our shared goal is quite clear: provide a policy platform and operational structure that ensures robust and resilient cybersecurity for government and industry. Our digital infrastructure is a national strategic asset, and its protection is a national security priority. With a more holistic and collaborative approach that integrates a complete picture of the cyber-scape from focused and tailored intelligence with the "catching and patching" of network defenders, we can push the cyber border further out from our networks and do more to prevent attacks, rather than focus primarily on response, mitigation and recovery. In the dynamic cyber environment, success does require incredibly sophisticated technical savvy - those complicated equations on that T-shirt that I don’t understand. But success also requires that we apply the insight and expertise of a broad spectrum of stakeholders. Only by working in strong partnership across the intelligence community, network defenders, and government and corporate leaders will we keep our cyber enemies at bay.

Thank you.

About TASC

Founded in 1966, TASC, Inc., helps solve complex national security and public safety challenges by providing advanced systems engineering, integration and decision-support services to the Intelligence Community, Department of Defense and civilian agencies of the federal government. With about 5,000 employees in 40 locations, TASC generates more than $1.5 billion in annual revenue. For more information and career opportunities, visit our website.