A message from DefCon: Don’t wait on Washington DC for cybersecurity answers
On the topic of infrastructure cybersecurity, there is a long-held belief by some in our industry that the US federal government needs to find ways to share more information with the private sector. There are any number of problems with this argument, starting with the fact that the beliefs behind it just aren't true. Mark Weatherford, former Deputy Undersecretary for Cyber at DHS and now with the Chertoff Group, just made this point at the recent DefCon event in Las Vegas, and I wholly agree. We need to dispel these myths once and for all and talk about where to get the answers we need to align with the Presidential Executive Order on Cybersecurity and tackle the growing problem of cyberattacks on critical infrastructure.
This argument is based on beliefs that:
- The US federal government has vast intelligence resources with the capability to identify cyberthreats to infrastructure.
- The information held within government walls contains the solution needed by infrastructure operators and the communities who rely on them.
- Once the Feds learn to share this knowledge better, the threat to water, power, transportation and other critical resources would be greatly reduced.
The first problem with such arguments is the fallacy that the US federal government holds a mysterious monopoly on related knowledge. The general public--and subject matter experts who should know better--carry a mental image of vast warehouses of government information. Remember the last scene from the 1980s movie "Raiders of the Lost Ark"? Presumably these warehouses include all possible technical vulnerabilities, hacktivists' plans, and foreign capabilities that threaten our infrastructure. Belief in such omniscient power should be seriously questioned when combined with known limits on bureaucratic capabilities, much less the common accusations of government incompetency.
The second problem is that the private sector already has as much knowledge as the government, and in most ways more, to begin with. The oft-repeated and likely understated statistic that 85% of critical infrastructure is owned and operated by the private sector should be the first clue. The government's widely known weakness in acquiring and retaining a cybersecurity-skilled workforce is another. And in a truly globally connected world, the final fact that the overwhelming bulk of both infrastructure and workforce resides outside the legal and physical borders of the United States points us in another direction.
There are indeed capabilities contained within the public sector which have unique value, none more so than in the American federal public sector. But the staggering majority of the potential cyberattack surface--and therefore also the sensory surface--of critical infrastructure is already in the hands of private sector infrastructure operators. All of the source code for all of the devices that make up critical infrastructure is already in the hands of the private sector entities who created it. All but some small portion of the known vulnerabilities in applications, devices, and facilities are in the hands of the private sector. Almost all of the people with the requisite skills are already in the private sector, and their ranks are swelling with former public sector peers looking for better compensation.
So, while the Presidential Executive Order on Cybersecurity is a good thing that will likely lead to improvements in related capabilities on behalf of the US government, the order itself will not move the bar measurably toward the goal of a robustly defended cyberphysical infrastructure. In fact, the ability of the public sector to perform its own relatively small part of the overall task will remain limited regardless of its efforts, so long as the private sector continues to stand waiting for an answer from Washington DC.
Instead, the answers lie all around us in pieces ready to assemble--the work of vendors and integrators, researchers and asset owners, industry organizations and standards bodies. They lie in existing real-time sharing systems like REN-ISAC's Collective Intelligence Framework (CIF) and the Internet Systems Consortium's OPSEC-Trust. They also lie in existing incident sharing formats like IODEF, and emerging ones like STIX. The Situational Awareness Reference Architecture (SARA) being developed by the ICS-ISAC and its membership seeks to compile these capabilities from across the private sector.
Until the private sector takes greater ownership of capturing and utilizing knowledge that is already within its grasp, the public sector will remain unable to perform even the limited role it can play in addressing threats to our shared infrastructure. The search for security does not begin in Washington; it begins at home.