SPOTLIGHT ON SECURITY

Monster Problem Threatens New US Cyberthreat Plan

President Barack Obama last week made good on his promise to establish a center for cybersecurity information gathered by agencies of the federal government. It’s a laudable initiative — if it works.

The Cyber Threat Intelligence Integration Center will, according to a White House fact sheet, connect the dots regarding malicious foreign cyberthreats to the nation and cyberincidents affecting U.S. national interests. It will provide U.S. policymakers with an all-source analysis of threats.

It also will assist relevant departments and agencies in their efforts to identify, investigate and mitigate those threats.

However, the center’s power to fulfill its mission seems a bit vague. For example, it will not collect intelligence, manage incident response efforts, direct investigations, or replace other functions currently performed by existing departments, agencies or government cybercenters.

It’s supposed to support the National Cybersecurity and Communications Integration Center in its network defense and incident response mission; support the National Cyber Investigative Joint Task Force in its mission to coordinate, integrate, and share information related to domestic cyberthreat investigations; and support the U.S. Cyber Command in its mission to defend the nation from significant attacks in cyberspace.

How it’s supposed to do that is a bit of a mystery, because it’s not clear how it’s supposed to get the intelligence to perform its support mission.

Laundering Information

Despite the lack of clarity, there’s some optimism about the center’s potential, because a similar agency — the National Counterterrorism Center — has had a measure of success.

“They’ve got a model that seems to be accepted and seems to work,” said Paul Tiao, a partner with Hunton & Williams.

The functions of the center can be performed on an ad hoc basis to handle a major cybersecurity event, he noted.

“The president or his homeland security advisor could pull together all the relevant agencies and request an intelligence assessment,” Tiao told TechNewsWorld, “but that can’t be done on a steady basis.”

The idea is for the intelligence-gathering agencies to feed the center with information that can be turned into unified assessments on a continuing basis, he added.

Although the center is designed to work with other federal agencies, it could provide a useful function for the private sector, as well.

“The government needs a way to launder classified information,” said Resilient Systems CTO Bruce Schneier, a fellow at Harvard Law School’s Berkman Center for Internet and Society.

“If the NSA knows North Korea is attacking Sony now, the NSA has no way to tell Sony,” he told TechNewsWorld. “If this organization can make that work, maybe that’s helpful.”

Monster Problem

Providing government agencies with unified assessments may be a noble pursuit, but it remains to be seen how effective such reports would be to many of those agencies.

“The trouble is that each government agency has yet to develop the ability to consume threat intel and apply it to their own networks,” said Richard Stiennon, chief research analyst at IT Harvest. “That should have been a priority for this administration six years ago.”

Those agency problems are small potatoes, though, compared to what’s facing the center.

“Sadly, they are tackling a monster problem,” Stiennon told TechNewsWorld.

“The center will be inundated with billions of data points,” he continued. “The types of technology and the people that can use them are being developed in the private sector but not at the scale that is proposed here.”

Creating an agency to coordinate responses to cyberattacks is nothing new. Several of them have been created since 1998, and some of them are still around. Some even attracted top talent to run them — talent that left in frustration.

Why did they leave? Because the nation lacks a national cybersecurity policy, said Scott Borg, CEO and chief economist for the U.S. Cyber Consequences Unit.

Failure Without Policy

“A real national cybersecurity policy would identify the groups likely to attack us, their capabilities, and likely targets,” Borg told TechNewsWorld.

“It would lay out the potential consequences of these attacks in considerable detail. It would identify our vulnerabilities to these attacks,” he added.

“It would lay out the best ways to reduce each of these risk factors,” Borg continued, “and it would be based on detailed public discussions of all these things with all the essential facts publicly acknowledged.”

Such a policy was forged for nuclear weapons during the Cold War, he explained, so there is no reason an equally well-developed national policy could not be created for the cyberera.

“Since we still don’t have any real national cybersecurity policy the way we had a nuclear defense policy,” he said, “I don’t think this new center is likely to be any more successful than the past four or five centers that were established for the same purpose.”

Breach Diary

  • Feb. 24. Healthcare provider Anthem reports number of customers affected by data breach earlier this month to be 78.8 million.
  • Feb. 25. Target reveals in SEC filing that 2013 data breach has cost the retailer US$162 million.
  • Feb. 25. SIM card maker Gemalto acknowledges British and U.S. intelligence services may have broken into its computer systems but denies the encryption used in the chips could have been compromised in the attacks.
  • Feb. 25. Lenovo reports that its website was attacked by hackers who redirected traffic to another site and intercepted some employees’ email. Lizard Squad claims responsibility for the attack.
  • Feb. 26. Organization for Economic Co-operation and Development finds Gamma International in violation of its human rights guidelines. This is the first time the organization has found a surveillance software company to have committed such an infraction.
  • Feb. 27. Telecoms and services provider TalkTalk reports information from data breach used to obtain bank information from an unspecified number of its customers.

Upcoming Security Events

  • March 4. Top 3 Online Threats to Healthcare Insurance Customers. 2 p.m. ET. Webinar sponsored by NH-ISAC and RiskIQ. Free with registration.
  • March 4-5. SecureWorld Boston. Hynes Convention Center. Open sessions pass: $25; conference pass: $175; SecureWorld plus training: $545.
  • March 11. Intelligence Squared U.S. Debates: The U.S. Should Adopt The “Right To Be Forgotten” Online. 6:45 p.m. Merkin Concert Hall, Goodman House, 129 W. 67th Street, New York City. Tickets: $40; student, $12.
  • March 11. How to Identify and Assess Data Incidents of all Shapes and Sizes. Noon ET. idExperts webinar. Free with registration.
  • March 12. B-Sides Ljubljana. Poligon Creative Centre, Tobačna ulica 5, Ljubljana, Slovenia. Free.
  • March 12-13. B-Sides Austin. WinGate Williamson Conference Center, Round Rock, Texas. Fee: $15/day.
  • March 14. B-Sides Atlanta. Atlanta Tech Village, 3423 Piedmont Rd. NE, Atlanta. Free.
  • March 16-17. B-Sides Vancouver. The Imperial Vancouver, 319 Main St., Vancouver, BC, Canada. Tickets (before March 1): supporter CA$25, plus $2.49 fee; professional $55, plus $4.29 fee; VIP $125 plus $8.49 fee.
  • March 18-19. SecureWorld Philadelphia. DoubleTree by Hilton Hotel, Valley Forge, Pennsylvania. Open sessions pass: US$25; conference pass: $295; SecureWorld plus training: $695.
  • March 19. Are You Hiding All You Intended? Probably Not. 2 p.m. ET. Black Hat webinar. Free with registration.
  • March 20-21. B-Sides Salt Lake City. Sheraton Salt Lake City Hotel, Salt Lake City, Utah. Registration: before March 20, $40; $50 at the door.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 1. SecureWorld Kansas City. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Missouri. Registration: open sessions pass, $25; conference pass, $75; SecureWorld plus training, $545.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
