To become organized for cybersecurity, agencies need to get their data organized. Beyond data lakes or data stores, important as they are, the government needs what you might call a concept of operations. That’s where one of the U.S. Cyberspace Solarium Commission’s top recommendations comes in. For more, Federal Drive with Tom Temin spoke with the Senior Director for the U.S. Cyberspace Solarium Commission, Robert Morgus.
Tom Temin: The commission recommended that joint collaborative environment, let’s talk about what the objective there is first, and then we’ll talk about how it might be constructed.
Robert Morgus: Sure, thanks for having me, Tom. The joint collaborative environment is, as you said, a recommendation that the commission came out with in March of 2020. The idea behind it is to create a collaborative environment, as you can probably tell from the title, that would help pool federal government data on cyber threats and cyber incidents, and eventually allow the private sector to plug in and both share information in and then glean insights out. I think the way that we look at this particular proposal being implemented, if it does come to fruition over the next few years, is in a couple of steps, where you’ll have to work on the fed gov side to get the information that the different departments and agencies, both on the high side and the low side, collect. We need to get that all sort of consolidated, standardized and sort of interoperable, shared into this environment. Then the second step will be to figure out a way to plug in the private sector.
Tom Temin: And would this include all of the federal government that is to say, the intelligence community, the Defense Department and civilian agencies?
Robert Morgus: That’s a good question. And I think ultimately, the answer should be yes. Whether or not we get there, I think, is still an open question. I think the model for something like this is looking at the UK, where they’ve got the National Cyber Security Centre. And the big thing there, they’ve got sort of a high side floor, basically, in the building, and they’ve got a low side floor. And those two talk to each other. But they’re not necessarily in the same environment. I think I could see something similar with the joint collaborative environment, where you have a high side that is plugged into and talking to the low side, potentially providing insights, but you don’t necessarily have all of the high side stuff flowing directly into the environment.
Tom Temin: Almost like a Bletchley Park for the 21st century.
Robert Morgus: Not dissimilar, not dissimilar.
Tom Temin: And where does the commission envision that this joint collaborative environment would live? That would probably be, I’m guessing, one agency that would be the managing director, if you will, to operate it?
Robert Morgus: Yeah, I think the logical place for it, given the sort of interest on the fed gov side and then plugging in the private sector, would be CISA at DHS. I think that makes the most sense, given the amount of touch points they have both across the federal government from the fed gov IT side, and then with the private sector. The key then becomes how you integrate the intelligence community into it. And that’s a relationship that I know DHS and the Fort, for example, are working on already. And that’s something that I think still needs to be ironed out.
Tom Temin: And for this to happen. I mean, it’s easy to say, yeah, here’s a great big data store, and everyone contributes all their data. But it sounds like a lot of groundwork would be required on the part of agencies to be able to share data. And there would have to be some kind of process by which the data could be made interoperable. How do you see that all working?
Robert Morgus: Yeah. So there are a few things that need to happen. And I think the first big movement is going to be an authorization from Congress, because this needs to be resourced and authorized before we can do that. And I think, part and parcel of that, there needs to be some sort of nudge, likely from the Hill, to get the federal departments and agencies that do collect relevant cyber threat data and cyber incident data to start talking to one another about how they make sure that that data can interact with data from other agencies, right. So standardization, interoperability. There also needs to be some sort of conversation about the actual infrastructure that would enable this, right. I mean, when we talk about the joint collaborative environment, we think about a cloud environment. What does that mean, in terms of how agencies plug in? What sort of infrastructure do they need in order to modernize, in order to sort of be able to actually interoperate with the cloud environment that’s hosted at DHS?
Tom Temin: Yeah. So I mean, a lot of agencies already have cloud computing resources and contracts that they’re using, both DoD and now the intelligence community, as well as the civilian agencies. So those existing mechanisms, though, I guess, have different levels of security, different levels of applications that they have in there. You’re looking for something that would be totally separate from any of those?
Robert Morgus: Not necessarily, although you bring up the security of the environment. And I think that’s one of the big challenges that something like that would face, because it is simultaneously supposed to be open to the outside. The private sector will be plugging in, but you also want to make sure that you’re not sort of leaving it open for adversaries to come in.
Tom Temin: Alright. And so let’s envision then that there is a joint cooperative environment, it exists and there’s 88 petabytes of data within there. What would be the application of it, and how would it work in terms of actually detecting and responding to threats?
Robert Morgus: So I think that the big thing that the environment would be able to do is provide more of a real time environment than what we have right now. I don’t know, Tom, the anecdote we hear about the way that information flows between departments and agencies right now is that the most common mode of that data sharing or information sharing is, right now, Microsoft Outlook. The environment would allow folks to share data more quickly. I think the key there is you’re sort of approaching real time. When you talk about data sharing at that point, ideally, you’d see departments and agencies plugging in and sending their feeds directly to the environment and allowing others to sort of query that data set, look for tactics, TTPs, that they can sort of glean and look at how they might be able to better protect their own networks. Ultimately, I think you’d like to see the private sector, eventually, probably starting with the sort of big critical infrastructure private providers, plugging in in the same way that we’d see departments and agencies, though, like I said at the beginning, I think that’s kind of a two step process. The first step is to get the fed gov’s house in order before we can really bring the private sector in in any meaningful way.
Tom Temin: I would think the metadata would be just as important as the data, because in order to do research, to query a database, you have to know what’s there. And so the metadata about what is in there and to whom it’s available would seem to be a really important imperative to have in the center.
Robert Morgus: I would think so. And we’ve seen, we’ve heard about the value of metadata, especially in analyzing threats, and particularly in sort of translating threats across different environments, to different departments, different agencies, different sort of defensive assets. So yeah, I think the amount of metadata will be just as important as sort of some of the granular indicators of compromise and the like.
Tom Temin: And for this database, let’s call it a data lake, whatever you want to call it, this data store, this environment, I can envision it sending alerts out in real time as algorithms attached to the data detect things, but also as a research environment where people can go back and look at the long context, for example, of what was happening, or whatever research purpose they might have. Can the environment, as you envision it, support both real time alerts and queries, as well as research based on archived stores of data that’s maybe no longer operationally relevant?
Robert Morgus: I think in an ideal world, yes. I think it’s going to take some time to get there. I think about the success of the environment sort of in the two year, the five year and the 10 year time frame, after it’s sort of authorized and starts being implemented. And I think in the two year timeframe, you’re looking at it more being a sort of relevant real time information sharing environment that, for the most part, the federal government, especially on the civilian side, the low side, is plugged into. As you grow, sort of the two to five year timeframe, you start to see more of that longitudinal data, and more opportunities for folks to plug in from a research perspective, and you start integrating the high side. And after five years, I would like to see the environment welcoming critical infrastructure providers and having a clear process with which to plug in. And then sort of over the longer term, I think what is potentially really interesting about this would be the sort of DevSecOps opportunity, and the opportunity for folks to start building applications and building new widgets on the environment in order to sort of make some of that a little bit easier, a little bit more approachable for folks.