A multiagency group hopes to create a cyber ecosystem that could learn to automatically assess and respond to threats. Where would humans fit in the loop?
This is the first a three-part series on building a government cybersecurity ecosystem.
Since its inception, the Internet has grown wild, which has spurred innovation, activity and information sharing, but has left security and standards unattended. The result is an online environment where outlaws can roam free.
Now a multiagency effort wants to impose a little order with a structured cyber “ecosystem” that could automatically assess and respond to threats, learn from previous incidents and even heal itself.
Through a recent request for information issued in September, the Homeland Security Department and the National Institute of Standards and Technology are examining the current state of technology and the advances needed to create what they call a healthy and resilient system capable of using a defensive concept called Automated Collective Action. The goal is a broad-based, multi-agency or even global system that could, through machine learning and automated information sharing, detect, mitigate and respond to threats while maintaining mission-critical operations.
“We need automation because we are being attacked in an automated fashion and we need to respond in an automated fashion,” said a DHS official.
In addition to determining how — and if — technology can provide the interoperability, automation and authentication necessary to create this capability, one of the key questions being considered is where humans would fit into the decision loop. With attacks occurring and evolving at the speed of IT, human response times no longer are adequate to counter many threats, even with a trained workforce available to do the analysis and make decisions.
But false positives and unintended consequences are facts of IT systems, and some observers are concerned that turning over too much authority to the machines could do more harm than good. So the effort is moving ahead at a deliberate pace. “We want to make sure we have as much input as possible,” the DHS official said.
The goal of Automated Collective Action is defined in the RFI as processes within the system or community of interest that pick automated courses of action to be carried out by the ecosystem in response to cybersecurity threats.
“Policies, procedures, technology and a high level of trust are necessary to enable automated collective action,” according to the DHS/NIST document. “An appropriate level of human intervention might be required to ensure unintended consequences do not result from flawed courses of action. Determining which cybersecurity events are normal and which are unauthorized or malicious remains a major challenge.”
Like environmentalists, who are encouraged to think globally and act locally, a secure cyber ecosystem would combine local response with global awareness. The concept is not entirely new, and pieces of it already are being developed in the form of standards and best practices, such as the Security Content Automation Protocol (SCAP) developed by NIST for use by agencies in assessing, monitoring and reporting on system security status.
But moving from these isolated parts to an integrated, autonomous ecosystem that crosses enterprise boundaries remains a challenging task, the RFI acknowledges. “Implementing automated collective action in defense of the cyber ecosystem will require a partnership and a common collective vision among the private sector, academia, government and consumers.”
Much of the impetus for a secure cyber ecosystem is to correct the shortcomings of a networked environment that was not developed with security in mind, said Michael A. Brown, a former fed and now manager of federal business for RSA, the security division of EMC.
“It’s an attempt to create a more secure, operational relevant ecosystem,” said Brown, a retired rear admiral who recently was director of cybersecurity. “It’s difficult because the government didn’t require certain things when the private sector developed these abilities,” such as interoperability, automation and trustworthy authentication of both people and devices.
The RFI, which Brown helped to write, is an effort he said to determine “what the art of the possible is right now to accomplish this.”
NEXT STORY: Putting cybersecurity on the diplomatic agenda