Speed and communication are key elements of effective threat intelligence in the government, according to panelists at the Akamai Government Forum on Thursday.
“If you want to do cybersecurity to be in scale, a key enabler of that is having that information sharing piece in place,” said Renee Tarun, deputy director of the Cyber Task Force at the National Security Agency (NSA).
Speed in threat intelligence communications is essential, as the necessary parties need to be able to act at the same speed as the hackers. Donald Freese, FBI director of the National Cyber Investigative Joint Task Force (NCIJTF), described an exfiltration threat that occurred within the past two days and required speedy communication to deal with.
“We were able to stop and disrupt that particular bit of malware that had been established and was starting to beacon out, which would have resulted in exfiltration,” he said. “And we could see that moving laterally through the networks by the time we arrived. That, even though it took several days from the point of collection initially, still was able to arrive in time to disrupt the attack.”
The panel addressed the necessity of intelligence sharing in the world of cyber threats, both between Federal agencies and between Federal and local authorities. Panelists all expressed the desire to have their threat communications and warnings travel at the “speed of cyber,” by automating notification systems.
“There’s still a lot of human, in the loop, interaction,” said Freese. Because some communications are classified, human verification is necessary, which gets in the way of fully automating the systems.
Tarun also addressed the many avenues information has to move through before it can get to the necessary party.
“We’ve been able to take information that we’ve got from our intelligence activities and be able to pass that over to our partners at the FBI and DHS, who in turn were able to pass that on to the private sector entities, who are able to take corrective measures and put mitigations in place,” she said.
Moderator Fran Trentley, senior director of Global Security and Government Services at Akamai, commented that if communication between Federal agencies is difficult, communication with state and local entities can get even worse. Freese described a fellowship program at NCIJTF that tries to bridge that divide.
“We have a fellowship program at the NCIJTF, and that is a fully dedicated state or local law enforcement official that we take on for six months, and six months is a considerable amount of time,” he said. “We have folks from California, for example, right now.”
Nelson P. Moe, CIO for the Virginia Information Technologies Agency, emphasized the work that Virginia has done at the state level to improve threat intelligence communications.
“Primarily at the state level, we’re going to follow what the big boys do, as far as standards,” Moe joked. He added that information security was able to move efficiently through the various state agencies that need it.
Though the state level is very much behind the Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX) specifications for sharing cybersecurity information within the Federal government, the different agencies all have slightly different languages and methods that make information sharing difficult.
“Do we all need to have the same kit? No,” said Brig. Gen. Maria B. Barrett, deputy commander for the Cyber National Mission Force at the U.S. Cyber Command. “But we do need to be interoperable when it comes to the data.”
When asked what ultimate outcome the NSA would like to have in information sharing, Tarun said, “It’s a team sport. We really need to work together.”