Can agencies team up in responding to cyber attacks?
- By William Jackson
- Jul 03, 2013
The National Institute of Standards and Technology is planning guidance on how agencies can better cooperate and respond to cybersecurity incidents.
“Unfortunately, modern computing systems frequently are exposed to various forms of cyber attack,” NIST said in its recently published request for information. Despite use of defensive technologies, some attacks will be successful. The proposed special publication will help answer the question, what comes next?
“This is a challenging area,” said Lee Badger, security components and mechanisms group leader in NIST’s computer security division. And response is complicated by the need for cooperation when security incidents cross agency boundaries. “This happens informally a lot. It is important to do a better job of this,” and the proposed guidelines could help formalize the process.
There is no timeframe at this point for publication.
NIST already has weighed in on the subject of incident response with Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. This document offers guidance on establishing and Computer Security Incident Response Team (CSIRT) and responding to incidents within an agency. The proposed publication, which would be SP 800-150, Computer Security Incident Coordination, would focus on improving coordination between agencies and reducing delays when reacting to widespread and cross-agency computer security incidents.
“Special Publication 800-61 does cover incident coordination, but at a high level,” Badger said. “There was an effort to put more guidance for distributed response into it, but we realized there was too much to do.” So rather than delay the publication of SP 800-61, officials decided to create a separate document.
NIST calls the new publication a “substantial expansion” of existing guidance, exploring how CSIRTs can work together to improve response time and information sharing while limiting the risk of exposure of sensitive information. It is seeking input on risks and current challenges to cooperative responses, as well as best practices and lessons-learned. Comments should be sent by July 29 to firstname.lastname@example.org with "Computer Security Incident Coordination" in the subject line.
The new publication would focus “primarily on understanding team-to-team relationships, sharing agreements and the role that automation techniques may play in the coordination of incident response.” It will identify technical standards and procedures to facilitate cooperation in responses.
NIST hopes to build on the experience of existing incident coordination efforts, including the DOD’s Defense Industrial Base and Defense Security Information Exchange as well as Information Sharing and Analysis Centers that share information across industry sectors and among governments. But Badger said the authors want to be as inclusive as possible to identify opportunities and pitfalls for collaboration between organizations.
NIST wants to know how this is being done now, what works, what doesn’t and how shared information is protected and handled. It also wants to find out what information should not or cannot be shared and what restrictions are placed on shared information. It will look at the best ways for organizations to pre-establish relationships among response teams, creating circles of trust that can help leverage expertise and facilitate cooperation by being in place before a crisis.
While information sharing sounds like a good idea, there are serious challenges that need to be considered in planning for cooperative action, Badger said. Sharing information can put reputations at risk by divulging that an incident has occurred, a particular concern for companies. It also can expose confidential information and could enable attackers to gather information that could help in future attacks. There also are legal restrictions on how some information can be shared and used.
“This is an interesting balancing act,” Badger said.