For years, the federal government has launched one policy initiative after another to protect critical IT infrastructure in coordination with the private sector. There's been progress, but the threats--computer breaches from foreign parties, fast-spreading worms, and hidden malware--have outpaced the advances, leaving computer systems and networks across industries more vulnerable than ever.
What can businesses and Uncle Sam do, together, to reverse this dangerous trend? Three areas demand immediate focus. First, the public and private sectors need to share more information--more parties must be included and new platforms used. Second, they must pay more attention to defending against attacks that threaten critical IT infrastructure and even damage physical facilities. Third, their collaboration must be ratcheted up to the next level--real-time identification and response as threats occur and, more to the point, "moving security practices from a reactionary posture to one that's proactive and preemptive," says Rich Baich, leader of Deloitte's Cyber Threat Intelligence Group.
In other words, the growing number of cybersecurity "partnerships" being established between the federal government and the business community are more than a one-way street. The feds may be driving the effort through initiatives such as Homeland Security's 2009 National Infrastructure Protection Plan, developed in response to a presidential directive, but companies stand to benefit from the more resilient cyber defenses that result from such collaboration.
The feds have defined 18 infrastructure areas considered essential to national interests. They include the agriculture, banking, chemical, and defense industries, as well as government facilities. The goal is to protect the computer systems and networks that serve those vital sectors from increasingly sophisticated threats, including those launched by hostile actors such as terrorist organizations and rogue nations.
Even the Department of Defense is looking to work with the private sector. When Deputy Secretary of Defense William Lynn recently outlined the DOD's plans for bolstering its cyber defenses, he called for increased cooperation with industry. "With the threats we face, working together is not only a national imperative, it's one of the great technical challenges of our time," he said in February at the RSA Conference in San Francisco.
Over the past two years, the DOD has developed "active defenses" that use sensors, software, and signatures to protect its military networks. Next, Lynn said, the agency will make its cyber capabilities available to the private sector "to help protect the networks that support government operations and critical infrastructure," such as the power grid, telecommunications networks, and defense contractor systems.
Several organizations have laid the groundwork for increased collaboration on cybersecurity. Since 2003, the U.S. Computer Emergency Readiness Team (US-CERT) has been providing updates on threats to industrial control systems and other computing infrastructure. The 42,000 members of InfraGard, a partnership between the FBI and the private sector that dates back to 1996, are devoted to creating "actionable intelligence" for infrastructure protection.
Much of the activity revolves around information sharing in key industries. For example, the National Council of Information Sharing and Analysis Centers supports threat response for companies in financial services, healthcare, public transportation, and a handful of other industries.
Information sharing is important, but it's not enough. Scott Charney, VP of trustworthy computing with Microsoft, calls information "a tool, not an objective."
Industry-specific initiatives are evolving into something more substantial. The Financial Services Sector Coordinating Council, whose members include Bank of America, Citigroup, Morgan Stanley, and Visa, coordinates the protection of IT and other infrastructure operated by banks, insurance companies, and other financial institutions. The council does that work in collaboration with the departments of Homeland Security and Treasury, and in December it took things a step further via a memorandum of understanding with the National Institute of Standards and Technology, Commerce Department, and Homeland Security that paves the way for financial firms and government agencies to work together on the development of cybersecurity technologies and test beds.
Hub Of Activity
Homeland Security's National Cyber Security Division (NCSD), which includes US-CERT and the National Coordinating Center for Telecommunications, is a hub of activity for these joint efforts. IT personnel from the private sector routinely work within the division's National Cybersecurity and Communications Integration Center (NCCIC), which opened in 2009. During a tour of the facility last year, InformationWeek learned that NCCIC had been in touch with Facebook and Twitter about possible attacks on their sites.
The center is establishing ties with 18 industries that it deems critical, including telecom and energy, as a way to keep lines of communications open and provide assistance where needed. A group within NCSD that concentrates on attacks against critical infrastructure took the lead in the government's investigation last year of the Stuxnet worm, which infected thousands of specialized computers in Iran, Indonesia, India, and elsewhere, according to Symantec. NCSD also led Cyber Storm III, a war game in which dozens of companies participated.
During the past year, some of the tech industry's biggest players have worked with the feds to investigate cybersecurity incidents. Microsoft, for instance, engaged CERT teams to take down the Waledac botnet, which infected tens of thousands of Windows-based computers worldwide. About that same time, Google reportedly turned to the National Security Agency to analyze a security breach of its systems that originated in China.
At the Pentagon, DOD officials now meet "regularly" with their counterparts at technology and defense companies to identify vulnerabilities and get ahead of threats, according to Deputy Secretary Lynn.
While the benefits of public-private partnerships are clear, the challenges are pervasive: a lack of trust between parties; laws and regulations that discourage full disclosure of information; the vested interests of security vendors; fear of bad publicity and customer backlash; and silos and turf wars within government agencies.
New rules of engagement are needed to break down those barriers. Incidents such as last year's leak of government documents on WikiLeaks and the penetration of Nasdaq servers by unknown attackers could have and should have been prevented. "Open source"--that is, open to all--data consolidation, analysis, and remediation efforts are what's needed.
The opportunity is in harnessing a wider array of perspectives and ideas than happens now with a closed loop of participants. We know it's possible because we do it already with software and hardware vulnerabilities in the form of the Common Vulnerability and Exposures, or CVE. With Mitre as the editor and numbering authority for CVE identifiers, data gets collected and used across the industry.
What more can be done to improve cybersecurity? I argue for these next steps in public-private collaboration:
>> Establish real-time event tracking across organizations and sectors of the economy. We have the technology and the knowledge to identify an increase in threat activity or behavior across systems. Let's use them.
>> Conduct intelligent activity analysis, also in real time, to identify where threats originate, their targets, and their activity and behavior.
>> Identify and share the sources of abnormal and malicious traffic.
>> Establish an organization of vendors, businesses, and researchers that develops capabilities for dynamic defense and response.
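The first three steps above describe a capability, not an implementation. As an added illustration (not code from the article or from any of the organizations it names), the following Python sketch shows what the cross-organization piece looks like in the smallest possible form: several organizations contribute normalized event records to a shared feed, and the shared view reveals a source active at multiple members within a short window, plus a sector-wide surge in activity, neither of which any single member's logs could show. The organization names, event records, addresses (RFC 5737 documentation ranges) and thresholds are all constructed for the example.

```python
"""Toy cross-organization event correlation (added illustration; the
organizations, addresses, event records and thresholds are all constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed shared by three hypothetical organizations:
# (organization, UTC timestamp, source address, event type).
# Addresses come from RFC 5737 documentation ranges, not real hosts.
SAMPLE_FEED = [
    ("bank-a",    "2011-03-10T10:00:05Z", "198.51.100.7", "failed_login"),
    ("bank-a",    "2011-03-10T10:00:09Z", "198.51.100.7", "failed_login"),
    ("utility-b", "2011-03-10T10:01:30Z", "198.51.100.7", "port_scan"),
    ("telco-c",   "2011-03-10T10:02:10Z", "198.51.100.7", "failed_login"),
    ("bank-a",    "2011-03-10T10:03:00Z", "203.0.113.9",  "failed_login"),
    ("utility-b", "2011-03-10T10:04:00Z", "203.0.113.9",  "failed_login"),
    ("telco-c",   "2011-03-10T09:10:00Z", "192.0.2.44",   "port_scan"),
    ("telco-c",   "2011-03-10T10:20:00Z", "192.0.2.44",   "port_scan"),
]


def parse(feed):
    """Normalize raw records into dicts with datetime timestamps, oldest first."""
    events = [{"org": org, "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               "src": src, "kind": kind} for org, ts, src, kind in feed]
    return sorted(events, key=lambda e: e["ts"])


def shared_sources(events, window=timedelta(minutes=10), min_orgs=2):
    """Sources seen by at least `min_orgs` distinct organizations within `window`.

    Returns {source: sorted organizations}. This is the signal a single
    organization's logs cannot produce: each member sees only its own slice.
    """
    by_src = defaultdict(list)
    for e in events:                      # events arrive time-ordered from parse()
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        best, start = set(), 0
        for end in range(len(evs)):       # sliding window over this source's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            orgs = {e["org"] for e in evs[start:end + 1]}
            if len(orgs) > len(best):
                best = orgs
        if len(best) >= min_orgs:
            hits[src] = sorted(best)
    return hits


def activity_surges(events, bucket_minutes=5, threshold=3):
    """Count events per fixed time bucket across all organizations and return
    {bucket_start_iso: count} for buckets at or above `threshold`.
    bucket_minutes is assumed to divide 60 evenly."""
    counts = defaultdict(int)
    for e in events:
        b = e["ts"].replace(minute=(e["ts"].minute // bucket_minutes) * bucket_minutes,
                            second=0, microsecond=0)
        counts[b.strftime("%Y-%m-%dT%H:%M:%SZ")] += 1
    return {b: n for b, n in sorted(counts.items()) if n >= threshold}


if __name__ == "__main__":
    evs = parse(SAMPLE_FEED)
    for src, orgs in shared_sources(evs).items():
        print(f"{src} seen at {len(orgs)} organizations: {', '.join(orgs)}")
    for bucket, n in activity_surges(evs).items():
        print(f"surge: {n} events across the sector starting {bucket}")
```

On the sample feed, 198.51.100.7 shows up at all three members within two minutes and 203.0.113.9 at two, while 192.0.2.44 appears twice at one member more than an hour apart and is not flagged; the 10:00 bucket holds six events and is reported as a surge. In a real deployment the hard parts are the ones this sketch skips, namely agreeing on the shared record format, deciding which fields each member is willing to contribute, and choosing thresholds that hold up across members of very different size.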
Imagine what researchers and engineers could do if these pieces were put into place. Internal security teams could batten down the hatches quickly, while security vendors could immediately incorporate the necessary changes in their products and push out patches and updates.
But how to begin? There are two existing models outside of the security industry for how this might work. One is a stock exchange, which serves as a clearinghouse for transactions and a hub of market and economic information. There's also the example of the National Weather Service, where data gets shared and repurposed widely by third parties that use it to create value for their customers. If we can track financial transactions by the billions and forecast weather events days in advance, we should be able to get a better handle on cyberthreats as well.
We need to muster our creativity and entrepreneurial mojo to come up with workable solutions. Stuxnet exemplifies the risks we face. The worm was aimed at industrial control systems, which run the gamut of critical infrastructure, from nuclear power plants to oil refineries. It was built with great care to stealthily embed into systems, propagate, and update by "phoning home."
Greater Threat Awareness
Cybersecurity leaders inside the Washington beltway and outside understand that tighter relationships between government agencies and businesses can lead to greater threat awareness and faster response. For this article, I talked to Gregory Schaffer, Homeland Security's assistant secretary for cybersecurity and communications; Kathleen Kiernan, InfraGard's chairwoman; Bob Dix, VP of government affairs and critical infrastructure protection with Juniper; and Microsoft's Charney. Everyone agreed on two points: communication between the public and private sectors needs significant improvement, and so does active engagement between them.
One new way to accomplish that goal is through a talent swap, letting cybersecurity pros in business and government move across lines temporarily as a way of picking up new skills and sharing best practices. Just this month, Homeland Security launched a "loaned executive" program, with an opening for a senior adviser for cybersecurity and communications integration planning. DHS is looking to fill that position with an exec from the private sector. The job description: Function as a consultant on private-sector models, methodologies, best practices, and process developments for potential application within Homeland Security.
In a presentation at MIT this month, Homeland Security Secretary Janet Napolitano invited students and faculty to become part of a "deeper, broader partnership" on homeland security. Napolitano pointed to the "trifecta" of disasters in Japan--an earthquake, tsunami, and nuclear plant crisis--as underscoring the need for resilient infrastructure and networks. "At DHS, we're asking how we can ensure the industrial control systems that run our water treatment and power plants are safe, how to use the distributed nature of cyberspace as a strength rather than a liability that makes it more difficult to defend," she said.
At the Defense Department, a new "IT exchange program" aims to let security professionals within the military learn best practices from businesses, and vice versa. "We want senior IT managers in the department to incorporate more commercial practices," Lynn said at RSA. "And we want seasoned industry professionals to experience firsthand the unique challenges we face at DOD."
What else will it take? As much as some people dislike the idea, government regulation may be the only way to raise the level of security across industries with the haste that's needed. Too many companies grasp best practices in cybersecurity but don't actually implement them. The one area where we see consistent, aggressive change (despite some flaws) is in organizations required to meet the Payment Card Industry Data Security Standard. If Uncle Sam really wants to protect the nation's IT infrastructure, he may have to mandate it.
Lawmakers have been tilting at that windmill for years. A comprehensive bill, the Protecting Cyberspace as a National Asset Act of 2010, is working its way through Congress. The bill would give the president authority to institute measures to protect telecommunications networks, the electric grid, financial systems, and other critical control systems in the event of a national emergency. Such presidential authority would be temporary, limited to 30-day increments, but broad, and critics complain that the legislation contains an "Internet kill switch." The senators behind the bill refute that characterization, but the controversy speaks to the sensitivity around government influence over systems and networks used by the public. Other pending bills with implications for business are the International Cyberspace and Cybersecurity Coordination Act and the Cybersecurity Enhancement Act.
Not surprisingly, the tech industry and many businesses would rather see such changes driven by incentives than by new rules and regulations. A coalition of industry groups--the Business Software Alliance, Center for Democracy and Technology, Internet Security Alliance, TechAmerica, and U.S. Chamber of Commerce--recently released a report that argued for letting companies voluntarily adopt best practices in cybersecurity rather than have them mandated by government.
"There is concern that new policy initiatives may consider replacing the current model with an alternate system more reliant on government mandates directed at the private sector," the white paper states. "This change of direction would both undermine the progress that has been made and hinder efforts to achieve lasting success." The report presents recommendations in seven areas, including information sharing and incident management, to advance cybersecurity through public-private partnerships.
One trend that could directly lead to more secure public IT infrastructure is the government's push into cloud computing. Federal CIO Vivek Kundra is calling on federal agencies to make increased use of software as a service and other cloud services, but before that happens, those services must meet federal security requirements. That presents a tremendous opportunity for the government to leverage its buying power to prompt cloud service providers to establish more attack-proof and resilient data centers and processes. Businesses and consumers stand to benefit from any such improvements, since they tap into the same cloud infrastructure.
Business and government IT and security pros must seize such opportunities because the threats are growing in number and severity. Information sharing has been an important first step, but it's what happens next that will make or break efforts to develop a more robust computing infrastructure.
Erik Bataller is senior security consultant with Chicago-based risk management consultancy Neohapsis. Write to us at firstname.lastname@example.org.