(ISC)² Blog

By:

Larry P. Bunch CISSP, CEH

http://mysite.verizon.net/vze18ez5m/id3.html 

Twitter: https://twitter.com/#!/bunchlarryp  

Preface

  This article was originally intended to be a light reading OP/ED piece.  However, it has slowly evolved into a hybrid OP/ED – Whitepaper dealing with Cyber Intelligence and Network Security.  The opinions in this article do not represent the United States government or my employer (VortechX LLC.).  This article is intended to generate discussion, collaboration, and interaction within the Intelligence and Network Defense communities of both the Public and Private sectors of the United States.  The ideas and recommendations presented here reflect only my own opinions and may NOT be entirely feasible legally or technologically.  Nonetheless, we really need to reevaluate the current state of how the United States views and handles Cyber-Security.  This is a condensed version of the paper. The paper can be viewed in its entirety at my website listed above.  Enjoy and please feel free to provide feedback.

“Recent attacks on U.S. corporations such as Google Inc, the NASDAQ stock exchange, Lockheed Martin Corp, and RSA, the security division of EMC Corp, Amazon.com and ITunes and U.S. government and military websites including the Department of Defense, Department of Justice, FBI and numerous law enforcement agencies has sparked a sense of urgency to address threats to U.S. computer networks.” _{(http://www.examiner.com/homeland-security-in-chicago/u-s-military-chief-we-re-under-constant-attack-every-day)}  

   In today’s networked environments of both the United States Government and Private Business networks, the Intelligence/counterintelligence and network security communities are intertwined in a complex and (at times) convoluted relationship.  One of the main points that I touch on is expanding the Information Sharing paradigm that the Intelligence Community (IC) has implemented across the entire IC.  Another point that I expound on is a radical idea, which for numerous reasons may not be possible.  That point would be this: The Intelligence Community has a vast pool of untapped talent available to them working in the Private Sector.  These Business Intelligence and Network Defense analyst working in the Private sector could act as an additional “set of eyes” to the IC if leveraged properly (ethically and legally).  That is, if frank and open discussions take place between the two communities and a framework could be established.  We are now entering a crucial stage in our nation’s history.  We are standing on the precipice of either continuing to be a global economic and technological powerhouse, falling into mediocrity or, even second nation status.  Therefore, we must do some serious self-examination in regards to our Cyber Security policy and how it relates to our National Security.  

“Both military intelligence and national intelligence will be treated more holistically”  ^{(http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=2805&zoneid=333)}

  The USG needs to employ “Machiavellian intelligence” (also known as political intelligence or social intelligence) capacity of an entity to be in a successful political engagement with social groups”.  Or, in this case, the US Private Sector.  The USG needs to exercise a Machiavellian approach and implementation especially when it comes to Information Assurance (IA), Network Defense, and conducting Cyber Operations against our adversaries. 

  I realize that there would be tremendous obstacles to overcome.  In regards’ to constitutionality, individual / corporate rights, and privacy issues.  However, I believe that the time has come for us to seriously consider joint Public/Private collaborations.  I believe that we in the Cyber community are missing out on a whole lot of actionable Intelligence that is just sitting out there in Cyberspace on many USBUS’ networks.  Towards the end of writing this paper, I have discovered that I may not be alone in some of my radical thoughts and concepts that I am proposing.  See example below:

  While speaking at a security forum in London earlier this week, General Martin Dempsey, Chairman of the Joint Chiefs of Staff, warned that the constant barrage of cyber attacks against critical systems will require a unified effort by government and the private sector to improve security.  Dempsey reiterated what many experts have been saying for years - that cyber-based espionage operations are a major threat to proprietary information and ultimately the economy as a whole.  The report, titled Foreign spies Stealing U.S. Economic Secrets in Cyberspace, boldly suggests that state-sponsored entities in both China and Russia are systematically targeting US government and private sector networks in an effort to pilfer valuable information that has tremendous economic value”.

The Bottom Line Up-Front (BLUF) 

  The United States Intelligence Community (USIC) and Computer Network Defense Communities (CND) must figure out a SECURE way to integrate United States Business (USBUS) Business Intelligence (BI) and CND efforts into the Intelligence Community (IC) information sharing paradigm and the US Government CND communities at the lowest classification level.  Of course selected USBUS personnel can be read on or, (granted access to classified material if absolutely necessary) if possible.  This is entirely feasible and within the realm of possibility with proper vetting of USBUS personnel of course.   The United States Government (USG) must sit down draft legislation, policies, and implementation procedures to facilitate this goal  Although the IC has made tremendous strides in successful collection efforts in developing and presenting a clear, actionable Intel picture.  However, we still do not have enough eyes “in the wild” so to speak.  Compounding this problem, there is currently a severe shortage of properly trained federal agents, state, and local law enforcement officers who possess the knowledge or training in conducting cyber investigations.  The USG has a vast pool of untapped talent in the private sector that can leveraged and be utilized in Intel collection / operations, and US CND efforts.  The private sector BI and CND communities would probably be more than willing to be utilized for the common defense.  Given the right set of circumstances and proper direction and guidance (legally, ethically, and morally), mutually beneficial Information Sharing agreements can be implemented.   

[Comment: It is entirely possible (in my opinion) to implement an Information Sharing paradigm without compromising our National Security or, any ongoing investigations. 

  The United States (as a whole) must take a “Holistic” view and a “Machiavellian approach in the implementation of US Cyber Security / Network Defense strategy.  We must develop and implement stronger and more stringent goals, strategies, and policies concerning our offensive, defensive, and retaliatory responses.  Especially when it involves a “foreign” or, state sponsored entity..  We must vehemently defend “our” internet and national infrastructure from our adversaries.   

  The US has to be far more aggressive and act far more decisively in our response to foreign adversaries who threaten and continue to conduct Computer Network Attack (CNA) operations against us.  For far too long we have been idly standing by while our networks and electronic resources have been under attack.  Our adversaries (much like childhood bullies) will continue “raping and pillaging” our Defense, Business, Research and Development (R&D), and Supervisory Control and Data Acquisition (SCADA) (“aka” infrastructure networks).  For far too long we have been letting Advanced Persistent Threat (APT) actors especially those from China; wreak havoc on our networks.  In order to better defend the National Security Interest of the United States we (the US) need to take a serious look at how we are currently dealing with all of the APT’s and emerging threats that we are facing.  In addition, the United States as a whole; must do a better job in developing inter and intra  organizational relationships (working groups), information sharing, and collaborative projects (both classified and Un-classified) in order to better defend and secure ALL of our Information Systems.  We need to bring the Public and Private Sectors together and get on the same sheet of music so, to say.  Private Sector industries are the engines that drive our economy and must be defended just as fanatically DoD assets.

 “But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we've failed to invest in the security of our digital infrastructure… This status quo is no longer acceptable – not when there's so much at stake. We can and we must do better”. – President Obama, May 29, 2009 _{http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal} 

  The world’s economies have become more globalized and each country’s governments and businesses attempt to gain a completive edge on the United States.  The United States Government Agencies (USGA) (aka “Public Sector”) and US Businesses (USBUS) (“Private Sector “) must establish, enhance, and maintain emerging collaborative efforts in both CND, information sharing , and to a limited degree Cyber Intelligence.   The onus is on the USG, namely the Department of Homeland Security (DHS), to establish and foster an atmosphere of trust between all of the entities in both private and public sectors.  DHS must be pro-active and aggressively pursue and build these relationships. 

  The USIC / CND and USBUS’s BI / CND analysts and collectors must establish relationships and national dialogue in order to defend all of our networks.  In many cases the analyst and collectors from both communities share the same duties and responsibilities and at times do work together.  Obviously they play on different playing fields.  However, our adversaries have the resources and capabilities to “spread the field” in each of these communities (public and private Sectors) and have the ability and resources to field two equally talented teams on these separate playing fields.  Conversely, the US currently does not have the necessary resources to stand up to the onslaught from the numerous APT’s we are facing.  We (the United States the USIC in particular) currently does not have the means in place to leverage (legally or otherwise) the vast pool of untapped talent and resources that we have available in the Private Sector to successfully defend all of our networked resources (we do but, we don’t. I will elaborate on this later).  APT actors are targeting and stealing data from both USBUS and the USG that is oftentimes related for example; defense contractors networks.  APT actors are targeting specific personnel and documentation from the defense contractors network concerning their targeted program.  They are simultaneous targeting the DoD networks involved with the targeted program.  On numerous occasions APT actors will utilize compromised USBUS hosts or networks as a CNA staging point or repository for malicious activity.  We are currently facing a diverse group of opponents each with varying degrees of skills, capabilities, and resources.

  However, at the end of the day the levels of sophistication and/or complexity of these programs does not matter.  If an attack is successful and data is lost we still bleed just the same.  The USG needs to establish a framework and model for cooperation and participation.   Both private and public sector Intel and CND communities must have the means available and a system available to them to better coordinate information sharing and possibly conduct joint operations with each other.  In doing so, we will be better able to put all of the pieces together (share information) from numerous intelligence sources to develop the big picture.  Information that is deemed as having an intelligence value must be shared without compromising any ongoing investigations or any spillage of classified information.  We must always keep the privacy of U.S. citizens foremost in approaching this new paradigm.  Let us face the facts.  Most of the folks in the public sector do not have a need for (or, in many cases want) a security clearance.  Nevertheless, these private sector employees are a valuable, yet untapped resource.   These individuals could be utilized by the IC to provide relevant and actionable intelligence when there are any indicators of malicious activity on the network(s) of the USBUS in question.  The USIC then has the responsibility to share the intelligence with the CND community as soon as possible.  In addition, this must be a two way street.  That is any intelligence derived from data provided to the USIC by a USBUS must be shared with the USBUS providing the data as soon as possible.  The goal is to effectively stop the attacks, eliminate the threat, and implement new security measures to protect the public and private sectors. 

  The public and private sectors MUST sit down together to conduct an in depth examination and reevaluation our current laws, regulations, and each other’s organizational policies, procedures, and guidelines, in order to develop and implement a common and “legally” operational framework and working environment.  We must ensure the preservation of the privacy and civil liberties of US citizens in addition to the protection and integrity of Personally Identifiable Information (PII).  We need to establish a “holistic” Cyber Defense/Security framework that will better serve and defend both US public and private sector computing assets and network infrastructure as a whole.  We must continue to, effectively ensure and protect the privacy of every US citizen, business, and organization.  I believe that it is possible to establish an atmosphere of trust between the USG and private sector organizations working together towards the common defense. 

Part 2 is coming next week.