The nature of cyberthreats aimed at both the U.S. government and private American companies calls for a dramatic shift in how the larger cybersecurity community shares information about hackers and collectively responds to attacks, said Neal Ziring, technical director for the NSA’s Capabilities Directorate.
While raising the awareness of what different hackers and foreign intelligence agencies are doing in cyberspace remains essential, Ziring said, it’s simply not enough based on the level of danger and activities occurring today.
The next and necessary step is the development of a shared, public-private framework in the U.S. that can roll out software patches and other system updates at “machine speed” to individual researchers, industry and the government as soon as new intelligence becomes available, according to Ziring and Thomas Donahue, director of research at the Cyber Threat Intelligence Integration Center. They both spoke Thursday at a cybersecurity conference in D.C.
“The big thing for me is that information sharing by itself is not enough. We need to start establishing the infrastructures, the standards, the practices for shared response,” Ziring said. “Today’s actors can be really successful because they develop this tradecraft and they get to use it over and over and over again — and they advertise the investment in this tradecraft as monetizing it against lots of targets. That’s what we need to take away from them. And the only way to do that is to have a response that can be shared amongst all of us.”
Ziring’s plan is to essentially democratize cyberthreat intelligence and make it actionable for a myriad of different U.S. partners. The market today leans on a model in which private companies acquire and sell proprietary research only to clients, keeping much of what they find accessible only to customers.
While the Homeland Security Department has helped pioneer the development of several different cyberthreat information sharing programs, a response framework like the one described by Ziring does not exist today.
“With [recent cyber events] as the new normal setting for decision making, we must improve our awareness of the infrastructure and activities of our adversaries because it is poor, our ability to respond to specific incidents is way too slow and our strategic response to that kind of behavior is at best nascent and weak,” said Donahue.
At the moment, a private, nonprofit organization named the Cyber Threat Alliance, or CTA , offers perhaps the closest model to what Ziring is proposing.
“The CTA’s move to an incorporated entity signifies the commitment by industry leaders to work together to determine the most effective methods for sharing automated, rich threat data and to make united progress in the fight against sophisticated cyber attacks,” the organization’s website reads.
Founded in 2014, the CTA is exclusively comprised by prominent, private sector cybersecurity firms, including Fortinet, Intel Security, Palo Alto Networks, Symantec, Check Point and Cisco, who collectively pool threat intelligence and code-based countermeasures. Companies provide this information at-will and “in good faith.”
Ziring’s comments come nearly one month after former NSA Director Keith Alexander told senators that the U.S. government would be wise to reorganize current cybersecurity responsibilities, which are split between the FBI, Homeland Security Department, Defense Department and intelligence agencies, into a single entity. Alexander said that this new organization would lead the efforts to develop constructive relationships with private digital security companies.