, called my attention to a new report from The President's National Infrastructure Advisory Council (NIAC), "
." Why is the Coalition Against Unsolicited Commercial Email interested in this? As I've trained law enforcement, banking, energy, and government officials all around the world side-by-side with Neil, we've been constantly reminding them that these email-based threats are still one of the leading methods by which major intrusions and long-lived network invasions begin.
With that as an introduction, let's look at the recommendations of the report. Note that as of this writing (25AUG2017) the report is still a DRAFT. The 21-page report, with 14 pages of appendices and 10 pages of web-accessible references, is definitely worth reading, but I would urge those in the industry to read it with a critical eye and offer your thoughts, if you have them, back to NIAC. Sadly, many of the conclusions of the current report are exactly the same as the conclusions of the 228-page report produced by the NIAC in January 2012 (See: I). What will be the difference in this report? Quite possibly, YOU. Read it, understand it, and join us in advocating for the recommendations. In the May 2017 Quarterly Business Meeting of the NIAC, Homeland Security Advisor Tom Bossert was quoted as saying "we need to move beyond lip service between public-private partnerships," something I've been advocating for since my first InfraGard meeting on September 6, 2001. We have enemies. They want to harm us. Our Critical Infrastructure is vulnerable and in many cases represents a target that could have a profound impact on our economy and way of life if it is attacked. (At that same meeting, Chris Krebs called attention to DHS Secretary Kelly's speech linking critical infrastructure targeting by terrorists with trans-national organized crime.)
There were eleven recommendations in the report, which I'll list here and then review a few key recommendations in greater depth. (Upper-case emphasis in original.)
Too many companies have fallen into the pattern of relying on the public Internet to connect the components of their critical infrastructure. We have seen too often recently how a motivated script kiddie using an IoT botnet can impact "the whole Internet." We have to make sure that such events, whether by script kiddies, terrorists, or nation-state actors, can't stop our Critical Infrastructures from functioning. The report notes that several power companies have already moved to dedicated, closed networks. I know that Southern Company (which owns Alabama Power) is an example of one company that is a leader in this area! What is one of the first things that happens in every public disaster? Cell phones become unavailable due to the flood of "are you ok" calls. Our CI incident responders need to be able to respond to us.
While the private sector often has a more robust collection of Indicators of Compromise, the report notes that often government analysis is able to add value by enriching these indicators in a "connect the dots" type way that may require access to classified knowledge in order to understand the significance or the context of an event.
The report also cautions (my words, but their concept) that some ISACs suck. Their words were that "ISACs vary dramatically in effectiveness." Couldn't agree more. Let's learn from those who are doing it right and try to clone their success.
This one is really problematic. The tools that a Fortune 100 bank needs are dramatically different from the tools that a small defense contractor may be able to deploy. Several of the findings covered in this area include a "broad lack of understanding of the Federal tools available to help scan, detect, mitigate, and defend from cyber threats," but also the fact that "one-size-fits-all tools are rarely effective" -- especially in smaller businesses.
This recommendation class is also where the NIAC mentioned that "there is no way to test for embedded threats or verify the security of devices for critical Operational Technology systems."
FOUR: Today's Cyber Workforce
Several recommendations here are ones we have seen before, but they are still urgently needed. The report documents that it is forecasted that we will have a shortfall of 1.8 million unfilled cybersecurity positions by 2022 if we don't make a significant change in how we prepare workers for these positions. (This stat is from the Global Information Security Workforce Study by the Center for Cyber Safety and Education -- several reports have been released from this study and more are forthcoming.)
Specific recommendations include expanding the Scholarship-for-Service programs focused on attracting the next-generation cyber workforce, and a means for college-level cybersecurity programs to obtain clearances for students involved in internship programs.
The recommendations of several additional groups on cyber workforce issues are worth noting here, including the Office of Management and Budget's "Federal cybersecurity workforce strategy" memo to heads of Executive Departments and Agencies from July 12, 2016. The NICE Cybersecurity Workforce Framework (NIST 800-181) is a 144-page guide to the Knowledge, Skills, and Abilities that the wide range of cybersecurity jobs need and that our educators must address (released August 2017).
FIVE: Market Incentives
Suggested incentives included grants for security upgrades and investments, tax credits to incentivize security system upgrades, and potential regulatory relief for those regularly proving that industry standards are met. While requiring compliance with the NIST Cybersecurity Framework is encouraged, that recommendation includes "recognizing that small- and medium-sized businesses will need additional support to meet the requirements."
The report cautions that "cyber regulations are often blunt tools that are unable to keep up with dynamic risks in an arena where attack and defense capabilities change rapidly over months and years, not decades."
SIX: Security Clearance Process
In organizations where a cyber attack could result in catastrophic effects to public safety, economic security, or national security, it is recommended that at least two key personnel be prioritized to receive Top Secret/Sensitive Compartmented Information (TS/SCI) clearances. The ability to pass clearances not only between agencies, but between agencies and those in the private sector, is encouraged. Increasing the number of SCIFs nationwide, and the ability for SCIFs to be accessed by appropriately cleared private sector individuals, is also encouraged. Even in organizations that have appropriate clearances for key personnel, those individuals frequently have to fly to DC to attend in-person briefings or travel more than an hour each way to access a SCIF. Clearance without regular access to a means of receiving real-time intelligence is of limited value.
SEVEN: Rapidly Declassify Cyber Threat Information
Actively engaging with the private sector on cyber threats is called for. This requires there to be both a mechanism and a location for such information. Two options are called for: the first is to build shared spaces, perhaps using the Kansas Intelligence Fusion Center as a model for co-location and information sharing; the second is to consider greatly expanding the National Cybersecurity and Communications Integration Center (the DHS NCCIC) and to expand its role in sharing information with the various ISACs.
Because Intelligence Agencies have historically only shared information with and amongst themselves, rapid declassification and distribution has not really been part of their story. This needs to change. With the great problems raised in having too many cleared individuals, or clearing them with too little scrutiny, the only rational alternative is to declassify and share more information that has been marked SECRET or TOP SECRET primarily based on HOW it was found rather than WHAT was found.
EIGHT: A Pilot Task Force in Electricity, Finance, and Communications
This recommendation has four parts:
A. Establish a three-tiered task force of:
(1) Senior executives in industry and government - who set priorities and direct resources
(2) operational leaders tasked with implementation
(3) dedicated full-time operational staff from both industry and government to dig in and solve complex issues
B. Leverage the Strategic Infrastructure Coordinating Council (SICC) to identify appropriate executives in Electricity, Finance, and Communications willing to be part of the pilot task force
C. Use the NIAC recommendations as a starter agenda
D. Use lessons learned from the pilot task force to expand to other sectors and assets
The report makes it clear that having advisory councils and "passive" coordination groups is not what we need. We need "a bold new approach" that actually has the ability and resources to design AND IMPLEMENT solutions.
NINE: Use GRIDEX IV as a Test
Gridex is a fabulous example of how government and infrastructure owners can work together to test their ability to respond to a cyber incident. (GRIDEX info page here.) This recommendation calls for the expansion of the participants to include Financial Services and Communications sector executives. PRIOR TO the test, require key government agencies to document their response abilities in extreme situations. Use the National Cyber Incident Response Plan as a guide, and use GRIDEX as a means of identifying gaps in processes and protocols as documented in these agency responses and in the NCIRP. For GRIDEX to be most impactful, we need to learn from it and GO FIX THINGS! Specifically, Gridex must feed back into the portion of Executive Order 13800 which calls for the Departments of Energy and DHS to "work on an assessment of the potential scope and duration of a prolonged power outage associated with a significant cyber incident against the U.S. electricity subsector." (A status report on the implementation of EO 13800 is available.)
TEN: Optimum Cybersecurity Guidance
There are two parts to this recommendation:
A. "Use the cyber task force (recommendation #8) to evaluate effective cyber governance models from other nations and recommend the best approach to centralize and elevate cyber governance and enable national-level coordination for public-private cyber defense."
B. The NIAC pessimistically calls for establishing "a senior-level position or unit to coordinate and exercise operational control over individual Federal organizations." They go on to note that "experience shows this may not come until after a catastrophic cyber incident occurs."
This recommendation is based partly on the greatly fragmented, isolated, and duplicative nature of the Federal government's cyber capabilities. The report notes that there are "6 federal cybersecurity centers, 140 cyber authorities and capabilities across 20 agencies, 4 tools, and 8 assessment programs." This division means there are "dozens of Congressional committees with cybersecurity oversight," but no one is in charge of building the national-level consensus that will lead to focused action.
Two potential models for national improvement, drawn from Israel and the United Kingdom, are further described in Appendix D of the report.
In the UK plan, a single National Cyber Security Centre was created, replacing the Centre for Cyber Assessment, the Computer Emergency Response Team UK, and CESG (part of GCHQ), as well as taking cyber responsibilities away from the Centre for the Protection of National Infrastructure.
Similarly, in Israel, a National Cyber Bureau was created in response to Government Resolution No 3611 of 2011. In 2015, Israel went on to create a National Cyber Defense Authority. While the NCB focused on strategy, the NCDA was tasked with operational objectives. Elena Chachko has a good blog post at LawFare (Cyber Reform in Israel at an Impasse: A Primer) that explains the attempted design and some of the problems that go along with it.
ELEVEN: Convene a Meeting of Senior Government officials
Before the NIAC report's ink is even dry, the members of the NIAC have voted with their feet on the likelihood of their findings creating significant change. Eight of the members resigned, in part stating that their "experience to date has not demonstrated that the Administration is adequately attentive to the pressing national security matters within the NIAC's purview, or responsive to sound advice received from experts and advisors on these matters." While this is concerning, and the resigning members are certainly experts in their respective fields, the resignations were largely by President Obama-appointed officials and could be read as being politically charged and speaking more about events around Charlottesville and the Paris Climate Accords than cybersecurity matters.
Resigning from the NIAC were:
- Cristin Dorgelo (Chief of Staff to the President's Science Advisor in the White House Office of Science and Technology Policy, and the US Chief Technology Officer from July 2014 to January 2017. Dorgelo was the assistant director of the OSTP's Grand Challenge program)
- Christy Goldfuss (As the managing director of the White House Council on Environmental Quality (CEQ) Goldfuss helped oversee President Obama's Climate Action Plan.)
- David Grain (Former president of Global Signal, one of the largest independent wireless communication tower companies in North America, with a dominant presence in the SouthEast, and a former SVP of AT&T Broadband. Grain also has experience working in financial services at Morgan Stanley.)
- DJ Patil (Former Deputy CTO for Data Policy and Chief Data Scientist in the OSTP, with experience at Skype, LinkedIn, PayPal, eBay, and the Department of Defense, where he worked on bridging computational and social sciences, focusing on social network analysis to help anticipate emerging national security threats.)
- Amy Pope (Former Deputy Homeland Security Advisor, and Deputy Assistant to the President on the National Security Council, helping to shape policy by leading a team of subject matter experts on supply chain security, countering violent extremism, border management, migration, biometrics, transnational organized crime and more.)
- Charles Ramsey (Former Police Commissioner, Philadelphia Police Department, and former chief of Washington DC's Metropolitan Police Department. Author of Policing for Prevention and Partnerships for Problem Solving.)
- Dan Tangherlini (with experience as the Administrator of the US General Services Administration, an executive in the Department of the Treasury, and a fellow of the Office of Management and Budget, with additional experience working for the Secretary of Transportation on Infrastructure Financing issues.)
- Dan Utech (former Deputy Assistant to the President for Energy and Climate Change.)