By James Irwin
Information sharing for the purpose of cyber defense involves many hurdles, and the barriers to developing effective cooperative strategies are as complex as the need to have them is important, according to NATO Communication and Information Agency Senior Scientist Luc Dandurand.
“Operationally we want to share information,” he said at a panel earlier this semester at the George Washington University. “So why do we have a problem? In cybersecurity you have a more complex reality you are trying to model. It goes beyond physical factors. Take threat information: You have vectors of attack, systems being targeted, the motive of the attacker. It’s complex.”
Mr. Dandurand was at GW on March 20 for an event hosted by the Strategic Cyber Operations and Information Management and Security and Safety Leadership master’s programs on practices in cyber defense, featuring Internet Engineering Task Force (IETF) Security Area Director Kathleen Moriarty and Telos Corporation CSO and CTO Richard Tracy. George Washington Today sat down with Strategic Cyber Operations and Information Management Program Director Frederic Lemieux to discuss the current landscape of cyber defense.
Q: Large-scale cyber attacks are a major threat. How does information sharing help mitigate that threat, and what are some hurdles to doing that effectively?
A: You need information sharing because you have to know how cyber weapons are used, or how malware is evolving. You have to build a database in which you can analyze data and inform different areas of society that are dealing with attacks. One of the problems right now is distrust. For instance, critical infrastructure—electricity, telecommunications, water, energy, etc.—is mainly owned by the private sector, so the government may try to legislate and impose standards for information sharing, but the private sector might push back arguing that privacy can’t be compromised. Another hurdle is developing a common lexicon. The banking sector doesn’t define components of an attack the same way the energy sector does, which creates a problem of definition. Also, compliance rules regarding disclosure and reporting of cyber attacks vary tremendously from one critical infrastructure sector to another.
Q: When we say “information sharing,” what kind of information are we talking about?
A: The idea is to share information that is strategic and helps you understand trends: the type of attack, the number of attacks, the persistence of the attack. You also might want to share operational information, such as the type of investigation needed or tools required to neutralize or mitigate the threat.
Q: Ms. Moriarty and Mr. Dandurand mentioned a few possible advances being made in cyber defense information sharing. What were some of those advances, and how do they affect end users, public or private entities?
A: I think one of the advances is to make information sharing a private sector-driven initiative by sector of interest such as critical infrastructure sectors. For instance, you can work with pillar organizations—like AT&T or Verizon for the communication sector, or Exxon for the energy sector—who can help shape the way you share data. To overcome the lack of trust, you can work with agencies and companies on encryption standards that make the data anonymous. The encryption requirement has to be high enough to protect the identity of the contributor. You don’t want, for example, a bank disclosing issues it has and then being embarrassed by its competitors publicly for disclosing security issues it is facing.
Q: In what ways is GW’s Strategic Cyber Operations and Information Management program preparing students for this topic?
A: Students in this program are learning how to analyze policies drafted from the private sector, government agencies and the military. What they are doing is trying to find a best strategy to implement that policy—on cyber defense or investigation of incidents, for example—and link the strategy to a best practice in the field. Our students also are learning the evolution of regulation about information sharing and safeguarding—there is an entire side of the curriculum addressing information management, how you share with agencies and privacy laws. And they take cyber intelligence courses, which cover how to capture information, structure information, and use that to address cyber defense issues and emerging modus operandi.
Q: Mr. Tracy advanced an idea of aggregating shared data to create forecasting models, as a more proactive method of cybersecurity. Is that feasible?
A: If you solve the problem of trust and encryption and find a common language, you can develop data analysis tools that give you the opportunity to detect a threat early by predicting what is supposed to be happening and comparing it with what actually is happening. Then you could immediately warn people in a sector that there is an attack building up. I doubt that we’ll be able to say “this is day zero of the attack” anytime soon—there are too many variables to take into account right now—but you can understand what’s going on, a bit like with the Dow Jones Industrial Average, when you see something ramping up and you have time to tell your investor “get out” or “get in.” That’s possible.