Plans to develop automated systems for cybersecurity will build on models like DOE's Smart Grid and FAA's Next Generation air traffic control system.
This is the last of a three-part series on developing a government cybersecurity ecosystem.
A plan to develop an automated system for defending agencies from cyber attacks could look to several existing agency projects that incorporate self-healing network features.
The concepts of a learning, self-healing network are being incorporated — or at least planned — in several current federal programs, including the Federal Aviation Administration’s Next Generation Air Transportation System, which would replace the aging current air traffic control system, and the Smart Grid program being spearheaded by the Energy Department to create an interactive national power distribution and delivery system.
Through a request for information issued in September, the Homeland Security Department is examining the technology needed to create a multi-agency or even a global system that could, through machine learning and automated information sharing, detect and respond to threats.
Development of a self-protecting ecosystem would be a long-term project, and probably one without a definite end-point. “Probably the journey will never end,” said Michael A. Brown, a former federal official and now manager of federal business for RSA, the security division of EMC. But advances in standardizing the language of security and automating continuous monitoring are the first steps. “These are all parts of what is doable in the near term,” he said.
Effective information sharing across domains -- whether automated or manual -- has long been a challenge in cybersecurity, but the ability to gather information in near-real time is improving. Continuous monitoring now is a requirement for compliance with the Federal Information Security Management Act, although the monitoring is periodically frequent rather than really continuous, and reports from agencies are supposed to be made automatically through CyberScope, DHS’s tool for collecting information on the health of agency computer networks.
In monitoring and evaluating IT systems, agencies are supposed to use tools complaint with the Security Content Automation Protocol, which has led to broad industry adoption of SCAP tools.
As early as 2009, Peter Fonash, then acting director of the DHS National Cybersecurity Division and now CTO for cybersecurity and communications, told a House panel that the Einstein intrusion detection system was ready to begin deployment at agency Trusted Internet Connection points and at Networx Managed Trusted IP Service locations.
“The Einstein system helps to identify unusual network traffic patterns and trends that signal unauthorized network activity, allowing US-CERT to identify and respond to potential threats,” Fonash told the House Science and Technology Subcommittee on Technology and Innovation.
The system is being upgraded to provide intrusion prevention as well as intrusion detection, which is a step toward automated defense. “The system, once fully deployed, will provide the government with an early warning system and situational awareness, near real-time identification of malicious activity, and a more comprehensive network defense,” Fonash said.
A primary difference between current automated tools and the envisioned ecosystem is that tools now in use deliver data to a central point or organization, such as US-CERT, where it is analyzed and then alerts are disseminated to local administrators for action. The ecosystem model would share information throughout the system and enable systems or devices to respond on their own.
All of the current innovations, such as CyberScope and Einstein, have their critics, and the best tools and policies are not adequate in themselves, according to a paper on “building a healthy and resilient cyber ecosystem” by Philip Reitinger, the former DHS deputy under secretary for the National Protection and Programs Directorate who has since moved on to Sony Corp.
“We know today that users are not routinely complying with cyber best practices and configuration guidelines. Adoption of security standards is decidedly slow, and early indications are that cybersecurity continuous monitoring will face impediments to adoption,” according to the paper.
Still, “despite the many open questions remaining, the field is ripe for planning and action,” the paper says.
Hence the RFI, which presents a number of questions for consideration by both the public and private sectors, including:
- What is the proper definition of and goals for the envisioned ecosystems?
- What are the most challenging and intractable issues to be addressed?
- What are the current capabilities?
- What standards are needed to advance the concept?
- What is the role of government in developing and implementing such a system?
The deadline for weighing in on these issues was Oct. 15, and DHS and NIST now are evaluating the responses. The next step will be formation of a working group, probably to include the National Security Agency as well as DHS and NIST, to do a gap analysis identifying what needs to be done to move the present state of technology to the desired state. There is no immediate timetable for formation of the group or completion of its work. Interagency processes generally take a while,” and funding is always an issue, the DHS official said.
Whatever the results of the analysis, creation of a self-aware, self-defending and self-healing online environment will not be fast or easy, Brown said. “There is no way you can create the ecosystem by stopping on a dime,” he added. “It’s a journey. I think it’s a big job, but it’s something we felt needed to be done.”
OTHER ARTICLES IN THIS SERIES: