Even as they analyze and respond to operational cyber threats on a day-to-day basis, officials at the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC) say they’re working to build concrete plans that public and private sector responders can act on in the event of a major attack in the future.
The relatively new planning effort grew out of a DHS project designed to get a better understanding of the cyber tools at the nation’s disposal. The project, dubbed Energizer, was a response to a 2011 presidential policy directive which told DHS to draw up assessments of the national resources available to respond to crises, including cyber attacks.
Larry Zelvin, NCCIC’s director, said for the last year and a half, the center has been busily inventorying all the capabilities the nation could bring to bear in a significant cyber incident.
“But when we looked at all these capabilities, we said, ‘OK, that’s interesting, but how can we use this to be a little bit better?’ So we looked at 10 major urban areas and a few critical infrastructure sectors to start, including finance, transportation, energy and communications,” he told attendees at AFCEA’s Global Intelligence Forum in Washington. “The challenge I put before the group was, let’s say everything in Manhattan between 40th St. and Battery Park goes completely dark because of a cyber incident. Where do we go? What do we do? What is Con Edison doing, and when they come to government, what are they asking us for? Then we have to look at whether we have that ability, do we have that authority, and then we have to worry about funding. So we’re trying, in a very proactive way, to look at those kinds of challenges, and we’re working very closely with the FBI, the Department of Energy and the intelligence community as we try and get a better handle on that.”
Zelvin said a year ago, the NCCIC really had no playbooks for how it would respond to a given cyber incident. He says that’s changing, and to draw up effective plans, he says the agency realized it needed visibility into the cyber capabilities of other entities including state, local and tribal governments and private organizations, not just the federal government.
He said he thinks the plans DHS has drawn up so far are good, even if the work is often slowed down by cyber incidents that divert the NCCIC’s staff attention to real-time developments. Those incidents also inform future planning efforts, which he said need to include the understanding that a lot of the real-time information about a current or pending attack isn’t held by the government, but by private companies.
“When somebody’s trying to do something that we don’t want them to do and I want to prevent it, I’ve got to look at exactly how I do that,” he said. “For me, it’s like a neighborhood watch. It’s about who has the ability to tell me when somebody’s doing something bad, and I will tell you that in my experience, in cyberspace, the private sector knows those answers more often and with better fidelity and actionability than anyone else. And then when they’ve done something bad, again, it’s the private sector that really knows what’s happened, because they’re the ones who something bad is happening to. For government, it is hard to take what has been a very successful intelligence organization looking at national security issues and copy and paste that onto cybersecurity. It’s going to have an important role, but it’s not necessarily going to be a preeminent role. Some of the best information I’ve ever seen has come from private sector partners that are really focused on these problems, and really have the assets and availability to tell us what’s going on, and then develop solutions and get them proliferated.”
But for the moment, the barriers to that proliferation are numerous, Zelvin said. He says unlike in a disaster in the physical world, where all the responders to an incident tend to share a common purpose, that’s not necessarily true when it comes to cooperation against a cyber threat.
“When you have a natural disaster or a terrorist event, it’s a rush to the incident or to the crime scene,” he said. “In cyber, it’s neither. This is a competitive business, and in some cases the information we’re talking about is how people are making their living. There seems to be a misperception out there that everybody’s going to share. No, they’re not. They’re just not, because in some cases this is their business, in other cases this is about their reputation, and in some cases they’re worried about government regulation. These are valid fears, and we have to understand that.”
Zelvin says when he talks with companies who’ve been victims of malicious cyber activity, he tries to make the case that information sharing is in their own self-interest and in the interest of cyberspace at large. For instance, when specific threat data goes to NCCIC, watchstanders there can quickly share it with representatives from the 16 critical infrastructure sectors.
“Do you need energy for your corporation? The answer’s normally yes. Do you need transportation and water? Do you have relationships with the organizations that provide those? No? Well, we do,” he said. “We can take that information and share it. What about the state and local governments? We have relationships with them, and you need them. We have relationships with 200 (computer emergency response teams) around the world. The FBI has people in our embassies. It’s about that collective.”
But Zelvin said frequently, even when companies do see it as in their interest to share information about cyber threats, there are perfectly rational reasons for them not to do so, including the fear of legal liability associated with sharing information with the government.
“There is a lack of clarity here in the private sector, and when you talk to the policy and operations folks, they say, ‘look, we’re happy to share.’ But when it works its way through to the corporation, the lawyers say ‘there’s nothing that says you can’t do this, but there’s also nothing that says you can, so we’re going to err on the side of safety because we’re worried about lawsuits and regulatory issues,’” he said. “Having clarity in our statutes is important, and there seems to be a good amount of public-private agreement on this. But we haven’t been able to advance that so far.”
For its part, Zelvin says government certainly isn’t perfect about sharing what it knows about cyber activity either. The intelligence community in particular, he says, still is trapped in a cultural legacy of “need to know” versus “need to share.” But things are getting better, he says.
“I’ve had a security clearance for 27 years, and the intelligence community is now declassifying in ways I never thought possible,” he said. “There are times when I call my IC partners and ask them to declassify, and when it happens at my level there are times when it happens almost instantaneously. I think we’ve got some work to do at the worker bee level, but we’re getting better processes on how to declassify. And what do we need from the DHS perspective? The private sector just needs to know that something bad is happening. They don’t care who you got it from. If you can share those technical indicators to the best of your ability, that’s what’s really important. Timeliness and confidence are what’s important. We can’t spend an eternity making sure every block is checked, we’ve got to be faster at this and give industry a better confidence level. Because ultimately they’re the defenders.”