The Homeland Security Department is about to launch a new approach to make cybersecurity information sharing easier.
In the next couple of months, the U.S. Computer Emergency Readiness Team (U.S.-CERT) will begin using two emerging technical specifications called STIX and TAXII to automate how cyber threat information is shared with the public and private sectors.
Brad Nix, the deputy director of U.S.-CERT, said STIX, which stands for Structured Threat Information eXpression, is a no-cost method for machine-to-machine sharing of cyber threat indicators.
“STIX is a collaborative effort to develop standardized and structured language to represent cyber threat information. The framework is intended to convey a full range of potential cyber threat data elements. It’s set up in a way that allows the actual sharing of the information to be expressive, flexible, extensible as well as automatable,” Nix said Wednesday in an interview with Federal News Radio after a panel discussion at the Cybersecurity Integration Summit sponsored by the Advanced Technology Academic Research Center in Washington. “The really neat thing about STIX is, and I’ve seen some demos or pilots that have been done with different types of visualization platforms, they have taken some of the messages that have been shared across STIX and they have been able to marry up threat information, actor information and vulnerability information in a way that you can very easily visualize what’s actually happening.”
TAXII, which stands for Trusted Automated eXchange of Indicator Information, defines a set of services and message exchanges. Nix said that, once implemented, TAXII enables the sharing of actionable cyber threat information across product and service lines.
“Theoretically what could happen with TAXII, if an organization has their own threat information sharing standard, they could still leverage the TAXII set of services for message exchange,” he said.
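The "marrying up" of indicator, actor and vulnerability information that Nix describes is what a consumer does once it receives a STIX bundle, for example over a TAXII feed. The following is an added example, not code from the article or from U.S.-CERT, and it assumes the current OASIS STIX 2.1 JSON encoding (the 2015 pilots used STIX 1.x XML). The bundle, the domain, the actor name and the vulnerability name are constructed placeholders; the code validates object ids, follows the relationship objects from an indicator to the actor and vulnerability it is linked to, and pulls the indicator's observable value out of its pattern so a detection pipeline can consume it.

```python
"""Parse a constructed STIX 2.1 bundle, validate object ids, and link an
indicator to its related threat actor and vulnerability (added example)."""
import json
import re
import uuid

# Constructed ids and timestamp for the sample bundle (not real data).
IND_ID = "indicator--2b1c0f7e-5a3d-4e2b-8c9d-1a2b3c4d5e6f"
ACTOR_ID = "threat-actor--9f8e7d6c-5b4a-4c3d-8e2f-0a1b2c3d4e5f"
VULN_ID = "vulnerability--0c1d2e3f-4a5b-4c6d-8e7f-8a9b0c1d2e3f"
STAMP = "2015-06-01T00:00:00.000Z"


def _sdo(obj_type, obj_id, **fields):
    """Common STIX 2.1 object envelope shared by domain and relationship objects."""
    base = {"type": obj_type, "spec_version": "2.1", "id": obj_id,
            "created": STAMP, "modified": STAMP}
    base.update(fields)
    return base


def _rel(rel_type, src, dst):
    """A STIX relationship object pointing from src to dst."""
    return _sdo("relationship", "relationship--" + str(uuid.uuid4()),
                relationship_type=rel_type, source_ref=src, target_ref=dst)


# Constructed sample bundle: one indicator, one actor, one vulnerability,
# plus the two relationships that tie them together.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--6d3a2e9e-0a3f-4d1d-9c2b-2f5b1e7c8a01",
    "objects": [
        _sdo("indicator", IND_ID, name="Constructed C2 domain",
             indicator_types=["malicious-activity"],
             pattern="[domain-name:value = 'example-c2.invalid']",
             pattern_type="stix", valid_from=STAMP),
        _sdo("threat-actor", ACTOR_ID, name="Constructed Actor",
             threat_actor_types=["crime-syndicate"]),
        _sdo("vulnerability", VULN_ID, name="placeholder-vulnerability"),
        _rel("indicates", IND_ID, ACTOR_ID),
        _rel("targets", ACTOR_ID, VULN_ID),
    ],
})

# STIX ids are "<type>--<uuid>"; the type prefix must match the object's type.
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--([0-9a-f-]{36})$")


def load_bundle(text):
    """Parse a bundle and reject objects whose ids are malformed or mismatched."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    for obj in bundle["objects"]:
        match = ID_RE.match(obj.get("id", ""))
        if not match or match.group(1) != obj.get("type"):
            raise ValueError(f"bad id for object: {obj.get('id')!r}")
        uuid.UUID(match.group(2))  # raises ValueError on a malformed UUID
    return bundle


def related(bundle, source_id, rel_type):
    """Ids of objects reached from source_id through a relationship of rel_type."""
    return [o["target_ref"] for o in bundle["objects"]
            if o["type"] == "relationship"
            and o["relationship_type"] == rel_type
            and o["source_ref"] == source_id]


def threat_context(bundle, indicator_id):
    """Names of the actors an indicator indicates and the vulnerabilities they target."""
    objs = {o["id"]: o for o in bundle["objects"]}
    actors = related(bundle, indicator_id, "indicates")
    vulns = [v for a in actors for v in related(bundle, a, "targets")]
    return {"actors": [objs[a]["name"] for a in actors],
            "vulnerabilities": [objs[v]["name"] for v in vulns]}


# Matches simple single-comparison STIX patterns such as
# [domain-name:value = 'x'] or [file:hashes.'SHA-256' = 'y'].
PATTERN_RE = re.compile(r"\[([A-Za-z0-9_.:'-]+)\s*=\s*'([^']*)'\]")


def indicator_values(bundle):
    """(object path, value) pairs from each indicator's pattern, ready for a blocklist."""
    out = []
    for o in bundle["objects"]:
        if o["type"] == "indicator" and o.get("pattern_type") == "stix":
            out.extend(PATTERN_RE.findall(o["pattern"]))
    return out


if __name__ == "__main__":
    bundle = load_bundle(SAMPLE_BUNDLE)
    print(indicator_values(bundle))
    print(threat_context(bundle, IND_ID))
```

The id check matters on a feed that accepts submissions from many partners: a bundle whose object ids do not match their types cannot be safely merged into a shared graph. Only single-comparison patterns are extracted here; compound patterns (AND/OR, FOLLOWEDBY) need a real STIX pattern parser rather than a regular expression.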
Works within existing standards
Over the years, disparate cyber threat information sharing standards have emerged as there has been no one consensus way to tag and distribute the data.
The Center for Strategic and International Studies (CSIS) issued a series of recommendations around cyber threat information sharing in March.
CSIS says any cyber threat information sharing effort must build upon existing structures, limit personal information and take advantage of existing peer-to-peer relationships, while also recognizing there is a cost-benefit analysis for these processes and agreements. Nix said part of the reason STIX and TAXII are attractive is that neither specification replaces existing standards; both work within them.
As part of this effort to implement STIX and TAXII, U.S.-CERT will open access to servers running these specifications to promote cyber information sharing with its public and private sector partners.
“We want to set up an environment that is risk rated at the right level to facilitate the sharing of information, but still provides the appropriate levels of confidentiality, integrity and availability controls that would be required for an organization that actually depends on the information,” Nix said. “The idea behind the use of the cloud for the STIX/TAXII server is to enable the access to the information with the appropriate level of control so that organizations can submit information but also can retrieve information that is relevant to them. We want to protect the anonymity of information that is shared from the partners who are actually sharing the information, but also make sure that when we set up the actual information it’s getting back to the people that it needs to.”
Nix said the cloud infrastructure ensures the information always is accessible to the right organizations at the right time.
“We are very excited within our organizations for its actual deployment because it will really go a long way to better inform the decisions we are making on a day-to-day basis, and the information that we are actually sharing, especially with our dot-gov and critical infrastructure partners for them to better protect their environments,” he said.
Still struggling with anonymity
The issue of anonymity is a big one for the government and the private sector.
It’s the one issue that has stopped Congress and the Obama administration from agreeing on cyber legislation. This year the House has passed two bills and the Senate Intelligence Committee passed its version in March. All three bills would give some sort of liability protection to the private sector for sharing cyber threat information with the government.
In the meantime, the White House isn’t waiting for Congress to act. President Barack Obama signed an executive order in February creating a Cyber Threat Intelligence Integration Center (CTIIC) to coordinate, collect and share data from across the government.
DHS also has been running several initiatives with mixed success over the last few years to promote more information sharing, including the Enhanced Cybersecurity Services Program (ECS) and a voluntary program for businesses under the January 2013 executive order creating the cyber critical infrastructure framework effort.
The use of STIX and TAXII has been in the pilot or test stage for about two years, but only now is DHS ready to expand its use to a wider audience.
While STIX and TAXII help bring the information together, Nix said the biggest challenge remains building the relationships and trust.
He said DHS is trying to establish a community of trust through its Cyber Information Sharing and Collaboration Program (CISCP).
Nix said CISCP brings together the public and private sectors, mainly critical infrastructure providers, to share cyber threat information in that trusted environment in near-real time.
“Within CISCP, government and industry partners contribute threat data. All this threat data adds to the volume of information that is available for analysis by our analytical team. Because the act of providing threat or attack data may harm competitive or other commercial interest of our partners, we take a lot of significant steps to ensure the source of the data is protected,” he said. “That’s primarily done through our protected critical infrastructure protection program, which is statutorily exempt from the release of information that would otherwise be required by Freedom of Information Act requests or state sunshine laws and act.”
Nix said U.S.-CERT provides information back to the critical infrastructure providers in several ways, including bulletins that indicate new threats and vulnerabilities in machine-readable formats.
He said member companies also receive analysis bulletins, which are more in-depth and provide general remediation information, and alert bulletins that give early warning of a potential or real vulnerability that would have a major impact on their systems.
“This is a program still in its infancy. Trust is only going to be as good as the relationships you can build over the course of any particular program. I see the CISCP program as part of that trust relationship,” Nix said. “The ability to get a person or possibly multiple people in the organization a top secret clearance and access to the floor of the NCCIC as part of the program is important. We do that so we can have face-to-face discussions with people so they can see what measures we are taking to protect information and what actions we are taking in order to better serve our constituency. I think if that face-to-face interaction wasn’t such a big deal I don’t think we would highlight or make it such an important part of the program.”