25 June 2017

** U.S. Cyber Survival Depends on Greater Collaboration

CHRIS INGLIS

There is little argument that the relationship between the public and private sectors has to be far stronger in order for the U.S. Government and U.S. Businesses to adequately protect themselves from emerging cyber attacks.

One of the challenges to date has been agreeing on how to share information between the two sectors, with complaints from the private sector that the Government is great on taking information, not so great with sharing it back. Oftentimes, say experts, the restrictions on sharing have to do with a classification process that is slow to adapt to the times we live in.

Lawmakers have debated the issue for years, making incremental progress while the adversaries gain the upper hand. The Cipher Brief’s CEO and Publisher Suzanne Kelly talked with Cipher Brief Expert and former deputy director of the NSA, Chris Inglis about where the weaknesses in cooperation lie and what needs to be done to better secure both the Government and private sector from what’s coming.

Suzanne Kelly: Do we need a new model for how intelligence agencies interact with the private sector?

Chris Inglis: There is a need for transformation of how we think of this space –methods and protocols we bring to bear and how we think of each other for purposes of cross-sector collaboration. That is going to be born on the back of real work, not just big ideas. We are going to actually have to do some practical things that allow us to build trust as a basis for needed collaboration as we go forward.

This is one of the reasons I am so optimistic about the prospects of the United Kingdom’s new National Cyber Security Centre. It’s early days – they have only been in place a couple of months – but they have proposed to radically transform collaboration between intelligence agencies and the private sector. They are bringing a significant slice, about 650 people, in from GCHQ, which is their counterpart to NSA, and putting them cheek by jowl alongside other subject matter experts – not just from the rest of government, but from the private sector as well. More importantly, the protocol driving their work will first and foremost be done in the unclassified sphere, and then only by exception, they’ll determine which of the discoveries made will then be taken back to a classified corner to ensure it’s dealt with in the most effective manner. The key is that any restriction of information to government channels will be the exception, not the rule.

Today, in the United States, it works the opposite. Most of our government’s national security cyber sleuths live in a classified world where people at the NSA, CIA, and FBI have to make a determination of what will be released from the classified domain. That creates a much harder and steeper slope for someone to chime in, justifying the merits of sharing something from a smaller to a larger audience.

Suzanne: Culturally are we not there? There is an assumption that the government is taking from the private sector but does not share enough information back. But at the same time the U.S.-based company that does business around the world is seen as being too close to the U.S. government – they are not trusted and therefore collaboration impacts the bottom line.

Chris: It is a multifaceted issue to be sure. There aren’t enough dimensions on a piece of paper in order to get all of these down. But one of the most often talked about is between, say, those who build this technology and those like the NSA or CIA, whose job it is to at some point understand and act on the vulnerabilities in that technology. Even then it’s not a single dimensioned issue. At NSA, they have a charge to aid in the defense of technology when used by friends and allies, and to exploit technology if it’s in the hands of an adversary. It is ultimately a continuum where greater collaboration in aligning those ends is important.

An equally important collaboration – beyond the vulnerabilities that might be in the equipment – is between the government and those people who use the technology. That discussion is typically more about threats, tactics, and techniques used by malicious actors than it is about inherent vulnerability.

We are actually getting a lot better on the first score. There is a Vulnerability Equities Process at the federal government level, and NSA already pushes 91 percent of what it discovers out to the people who build those devices. We are not nearly as good, however, on that second part, namely a real time collaboration or dialogue about actual threats – meaning people, parties, and organizations that are coming after us.

Suzanne: So when you say how do we have a dialogue about threats in real time, do you mean between NSA, DHS, and CIA, or do you mean with the private sector involved in that conversation?

Chris: All parties. So collaboration is actually pretty healthy within the government. There are not many barriers between the likes of NSA, CIA, FBI, or DHS. But there is a bit of a barrier between that group – the cadre of intelligence agencies – and the private sector that is actually on the front lines of cyber conflict, all day every day, about the nature of the threat actors who are operating in cyberspace.

Ten years ago, if we could see a threat actor who was actually aiming at somebody in particular, of course we’d try to get there in time and warn them to duck or take some measure to defend themself. But in 2017, there’s a much broader scope of threats operating on and across the Internet, and they are all moving faster and with greater agility. We really don't know when we see a threat actor come online, where they're going, or who they are going to aim at. And it might well be – much like the recent WannaCry ransomware campaign – that everybody's in the splash zone. So we can't wait until we know what the threat actor is actually going to do, we have to share that information as we see it – in real time. If we are not doing that, then we haven't equipped the people who are going to be on the receiving end of attacks to actually understand what's happening to them. Put another way, we can't tell them tomorrow, “I can explain what happened to you yesterday.”

So we're not yet good enough in that space to actually put people together, side-by-side, cheek by jowl, to collaborate in understanding who the threat actors are in cyberspace, not just the vulnerabilities in their software and hardware.

Suzanne: So the commercial incentive for sharing is that government would share information back with businesses that might be a target of attacks far earlier, so that they can act on that information on behalf of the billions of people that use their software?

Chris: That's both the commercial sector’s incentive and the test of government’s capacity and willingness to up their game in collaboration. Businesses say, “look, I'll show up at that table, but it needs to be a table where a no-kidding, committed official from the government shows up and can speak authoritatively about what the government knows.” Private sector entities can't afford to show up to 15 different government organizations. They want one, or at most, a very few, to represent the government in contributing what the government knows in time to make some thoughtful choices about what to do about it.

If that scenario becomes a reality, then you'll find that the private sector, particularly the sectors that use cyber technology – such as those involved in the Information Sharing and Analysis Centers (ISACs) – will show up.

As for those who would push back on the government having any role, it turns out that the inherently governmental authorities in a place like NSA make them the only entities that can legitimately go out and crack adversary networks. There are laws in place that say private citizens and private organizations cannot and should not do that. So we need to figure out how to bring all these resources to bear on behalf of all sectors of our society.

While there is some scar tissue from the Snowden allegations, we need to figure out what we're going to do moving forward. We need to figure out how to concurrently – not sequentially – apply all of the talents and authorities available to us across the private and public sectors. If they are applied sequentially, then adversaries will continue to divide and conquer, which is what is still happening today. Make no mistake, in the absence of greater collaboration among their victims, adversaries are winning – since the leverage, audacity, and choice of when and where to attack is on their side.

Suzanne: What would have happened if, for instance, Sony had more information ahead of time before they were attacked in 2014?

Chris: Sony is a decent example. I wasn't in government at the time, but my sense of it was the government knew enough about the threat actor that they quickly pinned the rose on the North Koreans. They did not make the case of attribution based upon some single artifact or shard that was left on the floor at Sony. Instead, they said, “We know something about how those characters come at you. We know the things they do in the initial phase of attack, the hours that they work, et cetera. We ultimately know their pattern of life.”

Imagine if we had laid all that out to whoever was defending Sony Pictures before the attack happened. In that way, Sony Pictures could see something coming across, right at that space joining them and the rest of the world, and immediately recognize the threat for what it was. That's it. They would say, “those are the guys that were described as unlikely to be coming at us for any good purpose.”

That's a bit pollyannaish, because things never look so clear in the heat of the moment as they do looking back. But, we’ll certainly not make any progress if we fail to share and collaborate. We didn't actually put Sony Pictures in a place where they could even have an opportunity to anticipate the attack. It was only after it happened that we said, “we know who those guys were, we know how they did it.” It is not very helpful the day after.

To be fair, Sony Pictures, or any organization that has suffered a bad fall, also has some lessons to be learned about not just how to defend their infrastructure, but how to make their infrastructure more resilient in the face of attacks through proactive changes to their own practices and protocols. By way of example, some of the things that were lost on that network shouldn't have been on the network in the first place.

Suzanne: Isn't that the great fear of board members across the country? Do we have the right defenses in place that are going to protect us from what's coming, and how do we know?

Chris: It is, and necessarily so. Boards have long since gotten past the point where they think this is about the defense of technology or that it's a delegable task. Saying things like, “let's just give this to the IT staff,” and telling them to “fix cyber” because the company’s leadership wants to focus solely on doing the company's business, doesn’t work. Boards now realize that cybersecurity is a vital component of the company's business.

For many companies, their core business assets are that technical infrastructure. In essence, they manage the assets of other people using the assets of other people – that's the whole of the business. In such cases, information technology is the lifeblood of the business, and its defense is the core activity of ensuring business continuity and survival. Think of Uber, Lyft, and Airbnb. Boards understand that this is their challenge. But they don’t yet fully understand the ins and outs of how they can actually do that. It's relatively simple, but hard at the same time.

We need to create defensible enterprises – not just through technology, but also through procedures, protocols, and designing appropriate roles that all line up in a coherent fashion. The goal is to create a defensible enterprise and then to actually defend it. Those are two distinguished, if complementary activities. There are many organizations that are not actively defending their enterprise.

Suzanne: So it is like having a wall without putting anyone on it?

Chris: In a manner of speaking, yes. We often assume that a thing can defend itself, and in most cases, of course, it can't – certainly not in the presence of a human adversary. Not anymore than your house can defend itself if you don't add a human component of care and diligence to its locks, windows, doors and all of the other things that you associate with being a homeowner.

We need to bring to bear all the instruments of power to our disposal. That's not just government power but also collaborating and benefiting from the knowledge of others. That's bringing culture to bear and using all of the assets at our disposal.

We actually do this reasonably well in the physical domain – individual citizens, police forces, militia, military, TSA, and the DHS are all concurrently working together in a complementary fashion, side-by-side-by-side. And we are very comfortable with that, because we've got significant experience in defending physical enterprises. We've made some mistakes and we've adjusted based on those mistakes, but we understand implicitly that we have to collaborate to defend shared physical spaces and the assets within them.

We're not there yet in cyberspace. It’s still too often a case of “every organization, man, woman, and child for themselves.” We're increasingly starting to organize, but not yet around the right things, not with the sufficient speed, and not with sufficient collaboration. But we'll get there.

It's similarly important to get some strong voices on all sides of the fence, particularly from our traditional allies. It will also be valuable to get some voices from China and Russia. I, for one, would love to hear more about how they think of this, and what their perceptions might be. But, in the end, any forward progress will be helpful here. Collaboration need not be complete and universal to be helpful.

No comments: