Monday, August 28, 2017

Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure

My friend Neil Schwartzman, the leader of CAUCE, called my attention to a new report from The President's National Infrastructure Advisory Council (NIAC), "Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure."  Why is the Coalition Against Unsolicited Commercial Email interested in this?  As I've trained law enforcement, banking, energy, and government officials all around the world side-by-side with Neil, we've been constantly reminding them that these email-based threats are still one of the leading methods by which major intrusions and long-lived network invasions begin.

With that as an introduction, let's look at the recommendations of the report. Note that as of this writing (25AUG2017) the report is still a DRAFT. The 21-page report, with 14 pages of appendices and 10 pages of web-accessible references, is definitely worth reading, but I would urge those in the industry to read it with a critical eye and offer your thoughts, if you have them, back to NIAC. Sadly, many of the conclusions of the current report are exactly the same as the conclusions of the 228-page report produced by the NIAC in January 2012 (See: Intelligence Information Sharing: Final Report and Recommendations). What will be the difference in this report? Quite possibly, YOU. Read it, understand it, and join us in advocating for the recommendations. In the May 2017 Quarterly Business Meeting of the NIAC, Homeland Security Advisor Tom Bossert was quoted as saying "we need to move beyond lip service between public-private partnerships," something I've been advocating for since my first InfraGard meeting on September 6, 2001. We have enemies. They want to harm us. Our Critical Infrastructure is vulnerable and in many cases represents a target that could have a profound impact on our economy and way of life if it is attacked. (At that same meeting, Chris Krebs called attention to DHS Secretary Kelly's speech linking critical infrastructure targeting by terrorists with trans-national organized crime.)


Recommendations for Securing Cyber Assets

There were eleven recommendations from the report which I'll list here and then review a few key recommendations in greater depth. (upper-case emphasis in original)
  1. Establish SEPARATE, SECURE COMMUNICATIONS NETWORKS specifically designated for the most critical cyber networks, including "dark fiber" networks for critical control system traffic and reserved spectrum for backup communications during emergencies.
  2. FACILITATE A PRIVATE-SECTOR-LED PILOT OF MACHINE-TO-MACHINE INFORMATION SHARING TECHNOLOGIES led by the Electricity and Financial Services Sectors, to test public-private and company-to-company information sharing of cyber threats at network speed.
  3. Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.
  4. Strengthen the capabilities of TODAY'S CYBER WORKFORCE by sponsoring a public-private expert exchange program.
  5. Establish a set of LIMITED TIME, OUTCOME-BASED MARKET INCENTIVES that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.
  6. Streamline and significantly expedite the SECURITY CLEARANCE PROCESS for owners of the nation's most critical cyber assets, and expedite the siting, availability, and access of Sensitive Compartmented Information Facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.
  7. Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation's front line of defense against major cyber attacks.
  8. PILOT AN OPERATIONAL TASK FORCE OF EXPERTS IN GOVERNMENT AND THE ELECTRICITY, FINANCE, AND COMMUNICATIONS INDUSTRIES -- led by the executives who can direct priorities and marshal resources -- to take decisive action on the nation's top cyber needs with the speed and agility required by escalating cyber threats.
  9. USE THE NATIONAL-LEVEL GRIDEX IV EXERCISE (November 2017) TO TEST the detailed execution of Federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the Federal Government's unclear response actions.
  10. Establish an OPTIMUM CYBERSECURITY GOVERNANCE APPROACH to direct and coordinate the cyber defense of the nation, aligning resources and marshaling expertise from across Federal agencies.
  11. Task the National Security Advisor to review the recommendations included in this report and within six months CONVENE A MEETING OF SENIOR GOVERNMENT OFFICIALS to address barriers to implementation and identify immediate steps to move forward.

The time to act is now.  As a Nation, we need to move past simply studying our cybersecurity challenges and begin taking meaningful steps to improve our cybersecurity to prevent a major debilitating cyber attack.

Further Comments and observations on the recommendations

Although there are 16 Critical Infrastructure Sectors recognized by DHS in the most recent Presidential Policy Directive on the subject (PPD-21), this report emphasizes the importance of the electrical and financial services sectors. One graphic from the report, shown below, emphasizes the centrality of the Electrical sector. This focus is responsive to Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which breaks the tradition of trying to pretend that each of the 16 CI sectors (example: "national monuments" and "electricity") is equal with regard to the risk an attack on that Sector would bring. That Executive Order directed the National Security Council "to assess how existing Federal authorities and capabilities could be employed to assist and better support the cybersecurity of critical infrastructure assets that are at greatest risk of a cyber attack that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security." To that end, NSC tasked NIAC with preparing and delivering this report.

(Believe this graphic is by Sören Finster, recent PhD from kit.edu)

The NIAC team specifically states that their job was not to identify cybersecurity needs (praising there the great work of the Commission on Enhancing National Cybersecurity's exhaustive Report on Securing and Growing the Digital Economy). It was rather to identify immediate actions that could be taken to have a profound impact in the sectors where the greatest impact may be felt.

ONE: Separate, Secure Communications
Too many companies have fallen into the pattern of relying on the public Internet to connect the components of their critical infrastructure. We have seen too often recently how a motivated script-kiddie using an IoT Botnet can impact "the whole Internet." We have to make sure that such events, whether by script kiddies, terrorists, or nation-state actors, can't stop our Critical Infrastructures from functioning. The report notes that several power companies have already moved to dedicated, closed networks. I know that Southern Company (who own Alabama Power) is an example of one company that is a leader in this area! What is one of the first things that happens in every public disaster? Cell phones become unavailable due to the flood of "are you ok" calls. Our CI incident responders need to be able to respond to us.

TWO: MACHINE-TO-MACHINE Information Sharing Technologies
Several example programs were listed as possible starting points, including:
  •  Department of Energy's "Cybersecurity Risk Information Sharing Program (CRISP)" run by the Electricity ISAC (E-ISAC) "which uses classified analysis of network traffic to identify attacks."
  • The FS-ISAC (Financial Services) machine-to-machine information sharing programs
  • DHS's Automated Indicator Sharing (AIS) platform, "which releases attack indicators from multiple sources."
More R&D is needed in this area, and the report calls this work "still immature" and points out there are "significant legal, liability, technology, trust, and cost challenges" which must be overcome.  They particularly note the issue of "Automatically implementing mitigations can create unpredictable outcomes in operational control environments."

While the private sector often has a more robust collection of Indicators of Compromise, the report notes that often government analysis is able to add value by enriching these indicators in a "connect the dots" type way that may require access to classified knowledge in order to understand the significance or the context of an event.

The report also cautions (my words, but their concept) that some ISACs suck.  Their words were that "ISACs vary dramatically in effectiveness."  Couldn't agree more.  Let's learn from those who are doing it right and try to clone their success.

THREE: Best-in-Class Scanning Tools
This one is really problematic. The tools that a Fortune 100 bank needs are dramatically different than the tools that a small defense contractor may be able to deploy. Several of the findings covered in this area include a "broad lack of understanding of the Federal tools available to help scan, detect, mitigate, and defend from cyber threats" but also the fact that "one-size-fits-all tools are rarely effective" -- especially in smaller businesses.

This recommendation class is also where the NIAC mentioned that "there is no way to test for embedded threats or verify the security of devices for critical Operational Technology systems."

FOUR: Today's Cyber Workforce
Several recommendations here are ones we have seen before, but they are still urgently needed.   The report documents that it is forecasted that we will have a shortfall of 1.8 million unfilled cybersecurity positions by 2022 if we don't make a significant change in how we prepare workers for these positions.  (This stat is from the Global Information Security Workforce Study by the Center for Cyber Safety and Education -- several reports have been released from this study and more are forthcoming.)

Specific recommendations include expanding the Scholarship-for-service programs focused on attracting the next-generation cyber workforce, and also a means for allowing college-level cybersecurity programs to be able to get clearances for students involved in internship programs. 

The recommendations of several additional groups on cyber workforce issues are worth noting here, including the Office of Management and Budget's "Federal cybersecurity workforce strategy" memo to heads of Executive Departments and Agencies from July 12, 2016. The NICE Cybersecurity Workforce Framework (NIST 800-181) is a 144-page guide to the Knowledge, Skills, and Abilities that the wide range of cybersecurity jobs need and that our educators must address (released August 2017).


FIVE: Market Incentives
Suggested incentives included grants for security upgrades and investments, tax credits to incentivize security system upgrades, and potential regulatory relief for those regularly proving that industry standards are met. While requiring compliance with the NIST Cybersecurity Framework is encouraged, that recommendation includes "recognizing that small- and medium-sized businesses will need additional support to meet the requirements."

The report cautions that "cyber regulations are often blunt tools that are unable to keep up with dynamic risks in an arena where attack and defense capabilities change rapidly over months and years, not decades."

SIX: Security Clearance Process
In organizations where a cyber attack could result in catastrophic effects to public safety, economic, or national security, it is recommended that at least two key personnel be prioritized to receive Top Secret/Sensitive Compartmented Information (TS/SCI) clearances.  The ability to pass clearances not only between agencies, but between agencies and those in private sector is encouraged.  The number of SCIFs nationwide, and the ability for SCIFs to be accessed by appropriately cleared private sector individuals is also encouraged.  Even in organizations that have appropriate clearances for key personnel, those individuals frequently have to fly to DC to attend in-person briefings or travel more than an hour each way to access a SCIF.  Clearance without regular access to a means of receiving real-time intelligence is of limited value.

SEVEN: Rapidly Declassify Cyber Threat Information
Actively engaging with the private sector on cyber threats is called for.  This requires there to be both a mechanism and a location for such information.  Two options are called for -- one to build shared spaces, perhaps using the Kansas Intelligence Fusion Center as a model for co-location and information sharing.  The second, to consider greatly expanding the National Cybersecurity and Communications Integration Center (the DHS NCCIC) and to expand its role in sharing information with the various ISACs.

Because Intelligence Agencies have historically only shared information with and amongst themselves, rapid declassification and distribution has not really been part of their story.  This needs to change.  With the great problems raised in having too many cleared individuals, or clearing them with too little scrutiny, the only rational alternative is to declassify and share more information that has been marked SECRET or TOP SECRET primarily based on HOW it was found rather than WHAT was found.

EIGHT: A Pilot Task Force in Electricity, Finance, and Communications
This recommendation has four parts:
A. Establish a three-tiered task force of:
 (1) Senior executives in industry and government - who set priorities and direct resources
 (2) operational leaders tasked with implementation
 (3) dedicated full-time operational staff from both industry and government to dig in and solve complex issues
B. Leverage the Strategic Infrastructure Coordinating Council (SICC) to identify appropriate executives in Electricity, Finance, and Communications willing to be part of the pilot task force
C. Use the NIAC recommendations as a starter agenda
D. Use lessons learned from the pilot task force to expand to other sectors and assets


The report makes it clear that having advisory councils and "passive" coordination groups are not what we need.  We need "a bold new approach" that actually has the ability and resources to design AND IMPLEMENT solutions.

NINE: Use GRIDEX IV as a Test
GRIDEX is a fabulous example of how government and infrastructure owners can work together to test their ability to respond to a cyber incident. (GRIDEX info page here.) This recommendation calls for the expansion of the participants to include Financial Services and Communication sector executives. PRIOR TO the test, require key government agencies to document their response abilities in extreme situations. Use the National Cyber Incident Response Plan as a guide, and use GRIDEX as a means of identifying gaps in processes and protocols as documented in these agency responses and in the NCIRP. For GRIDEX to be most impactful, we need to learn from it and GO FIX THINGS! Specifically, GRIDEX must feed back into the portion of Executive Order 13800 which calls for the Departments of Energy and DHS to "work on an assessment of the potential scope and duration of a prolonged power outage associated with a significant cyber incident against the U.S. electricity subsector." (A status report on the implementation of EO 13800 is available.)

TEN: Optimum Cybersecurity Governance
There are two parts to this recommendation:
A. "Use the cyber task force (recommendation #8) to evaluate effective cyber governance models from other nations and recommend the best approach to centralize and elevate cyber governance and enable national-level coordination for public-private cyber defense."
B. The NIAC pessimistically calls for establishing "a senior-level position or unit to coordinate and exercise operational control over individual Federal organizations."  They go on to note that "experience shows this may not come until after a catastrophic cyber incident occurs."

This recommendation is based partly on the greatly fragmented, isolated, and duplicative nature of the Federal government's cyber capabilities.  The report notes that there are "6 federal cybersecurity centers, 140 cyber authorities and capabilities across 20 agencies, 4 tools, and 8 assessment programs."  This division means there are "dozens of Congressional committee with cybersecurity oversight" but no one is in charge of national-level consensus that will lead to focused action.

Two potential models for national improvement, drawn from Israel and the United Kingdom, are further described in Appendix D of the report.

In the UK plan, a single National Cyber Security Centre was created, replacing the Centre for Cyber Assessment, the Computer Emergency Response Team UK, and CESG (part of GCHQ), as well as taking cyber responsibilities away from the Centre for the Protection of National Infrastructure.

https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national_cyber_security_strategy_2016.pdf

Similarly, in Israel, a National Cyber Bureau was created in response to Government Resolution No 3611 of 2011.  In 2015, Israel went on to create a National Cyber Defense Authority.  While the NCB focused on strategy, the NCDA was tasked with operational objectives.  Elena Chachko has a good blog post at LawFare ( Cyber Reform in Israel at an Impasse: A Primer ) that explains the attempted design and some of the problems that go along with it.


ELEVEN: Convene a Meeting of Senior Government officials
Before the NIAC report's ink is even dry, the members of the NIAC have voted with their feet on the likelihood of their findings creating significant change.  Eight of the members resigned, in part stating that their "experience to date has not demonstrated that the Administration is adequately attentive to the pressing national security matters within the NIAC's purview, or responsive to sound advice received from experts and advisors on these matters."  While this is concerning, and the resigning members are certainly experts in their respective fields, the resignations were largely by President Obama-appointed officials and could be read as being politically charged and speaking more about events around Charlottesville and the Paris Climate Accords than cybersecurity matters.

Resigning from the NIAC were:
- Cristin Dorgelo (Chief of Staff to the President's Science Advisor in the White House Office of Science and Technology Policy, and the US Chief Technology Officer from July 2014 to January 2017. Dorgelo was the assistant director of the OSTP's Grand Challenge program)

- Christy Goldfuss (As the managing director of the White House Council on Environmental Quality (CEQ) Goldfuss helped oversee President Obama's Climate Action Plan.)

- David Grain (Former president of Global Signal, one of the largest independent wireless communication tower companies in North America, with a dominant presence in the SouthEast, and a former SVP of AT&T Broadband. Grain also has experience working in financial services at Morgan Stanley.)

- DJ Patil (Former Deputy CTO for Data Policy and Chief Data Scientist in the OSTP, with experience at Skype, LinkedIn, PayPal, eBay, and the Department of Defense, where he worked on bridging computational and social sciences, focusing on social network analysis to help anticipate emerging national security threats.)

- Amy Pope (Former Deputy Homeland Security Advisor, and Deputy Assistant to the President on the National Security Council, helping to shape policy by leading a team of subject matter experts on supply chain security, countering violent extremism, border management, migration, biometrics, transnational organized crime and more.)

- Charles Ramsey (Former Police Commissioner, Philadelphia Police Department, and former chief of Washington DC's Metropolitan Police Department. Author of Policing for Prevention and Partnerships for Problem Solving.)

- Dan Tangherlini (with experience as the Administrator of the US General Services Administration, an executive in the Department of the Treasury, and a fellow of the Office of Management and Budget, with additional experience working for the Secretary of Transportation on Infrastructure Financing issues.)

- Dan Utech  (former Deputy Assistant to the President for Energy and Climate Change.)