When it comes to cyber intelligence, more isn’t necessarily better, civilian and military cyber leaders cautioned Tuesday.
Quality, transparency and integrity are more important than simple volume, a panel at the Symantec government symposium said.
When it comes to quality, “I rely on the trusted information clearing houses that different organizations run,” said Maj. Gen. Sarah Zabel, vice director of the Defense Information Systems Agency, citing as an example the Pentagon’s Defense Industrial Base Cybersecurity Program and its DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal — known as DIBNet.
DIBNet shares “unclassified and classified cyber threat information,” according to its website. Defense officials say the technical indicators are carefully vetted. The Department of Homeland Security has tried with varying levels of success to replicate the DIB program across other vital industrial sectors.
Although each sector is different, they all require certain baseline characteristics. One is transparency, said Transportation Security Administration CIO Steven Rice.
“When you’re in these information sharing environments, you need a level of transparency … everyone needs to understand their roles.”
Among the rules of the road that need to be laid out upfront, said Rice, is what would be done with information provided by the private sector. “What are the rules of engagement for any information that will be provided? And what are the escalation procedures that you would have … when there is an anomaly discovered … from a stakeholder that needs to be communicated across the industry base?”
In part that’s because, as Zabel pointed out, “In many cases, when a commercial partner comes in … with information they want to share, they’re happy that the government knows, they don’t really want their competition to know it.”
David Blankenhorn, the chief technology officer for government contractor DLT Solutions, raised what he called the “integrity issue.”
“It’s important to get trusted data,” he said. “We need to ensure that the threat feeds are legit.”
Without vetting, he explained, threat feeds could be turned against those they were supposed to protect.
“If I were a bad actor and I wanted to create a decoy or a red herring, I would come to you and say ‘Here’s a threat that I’ve seen, here’s a signature’ … and I could make it look really good. And then all of a sudden [vital parts of the system] are being locked down” on your network, because they bear the fake “indicators of compromise” provided by the bad guys.
“It’s an issue of trust,” said Blankenhorn, “but it can’t be blind trust.”
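As an added illustration of the check Blankenhorn is describing (this is example code written for this page, not code from the article, the panelists, or any agency or company it names), here is how a feed consumer can vet shared indicators before any of them becomes a firewall rule. The asset names, address ranges, source names and feed entries are all constructed for the example, and the corroboration and confidence thresholds are assumptions, not anyone's published policy.

```python
"""Vet shared indicators of compromise (IOCs) before they are deployed as blocks.

Added example for this page, not code from any organisation in the article.
It models the "red herring" problem: a feed entry that points at your own
critical infrastructure, or is broad enough to black-hole legitimate traffic,
must never be auto-deployed, however confident the submitter claims to be.
Every name, range, source and feed entry below is constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical: a vetted clearing house whose reports can drive a block alone.
TRUSTED_SOURCES = {"vetted-clearinghouse"}

# Hypothetical crown-jewel assets that external indicators may never block.
PROTECTED_HOSTS = {"corp-dc01.example.internal", "updates.example.com"}
PROTECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # "our" public range

# Ranges where a block would hit our own internal traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

MAX_ADDRESSES_PER_BLOCK = 256   # assumed policy: nothing wider than a /24
MIN_CONFIDENCE_TO_BLOCK = 70    # assumed policy


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip" (address or CIDR) or "domain"
    value: str
    source: str
    confidence: int  # 0-100, as claimed by the source


@dataclass(frozen=True)
class Verdict:
    action: str      # "block", "review" or "reject"
    reason: str


def reject_reason(kind, value):
    """Return why this indicator must never be deployed, or None if it may be considered."""
    if kind == "ip":
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "unparseable address"
        if any(net.overlaps(p) for p in PROTECTED_NETS):
            return "overlaps our own protected address space"
        if any(net.overlaps(p) for p in INTERNAL_NETS):
            return "internal/loopback range; blocking it would hit our own traffic"
        if net.num_addresses > MAX_ADDRESSES_PER_BLOCK:
            return "prefix too broad to block on feed data alone"
        return None
    if kind == "domain":
        name = value.lower().strip(".")
        if "." not in name:
            return "bare TLD; far too broad"
        # Assumes the blocker matches on suffix, so blocking a parent domain
        # would also cut off every protected host beneath it.
        for host in PROTECTED_HOSTS:
            if host == name or host.endswith("." + name):
                return f"would cut off protected host {host}"
        return None
    return f"unknown indicator kind {kind!r}"


def vet(indicators):
    """Map each distinct (kind, value) to a Verdict.

    A value is blocked only if it passes the safety checks AND is reported by a
    trusted clearing house or corroborated by two independent sources, with a
    claimed confidence of at least MIN_CONFIDENCE_TO_BLOCK. Everything else
    goes to human review rather than straight into the firewall.
    """
    reports = defaultdict(list)
    for ind in indicators:
        reports[(ind.kind, ind.value)].append(ind)
    verdicts = {}
    for key, group in reports.items():
        reason = reject_reason(*key)
        if reason:
            verdicts[key] = Verdict("reject", reason)
            continue
        sources = {r.source for r in group}
        corroborated = bool(sources & TRUSTED_SOURCES) or len(sources) >= 2
        confident = max(r.confidence for r in group) >= MIN_CONFIDENCE_TO_BLOCK
        if corroborated and confident:
            verdicts[key] = Verdict("block", f"corroborated by {sorted(sources)}")
        else:
            verdicts[key] = Verdict("review", "single unvetted source or low confidence")
    return verdicts


# Constructed sample feed: a genuine C2 seen by two partners, one vetted report,
# three "red herrings" aimed at our own infrastructure, and one lone low-confidence tip.
SAMPLE_FEED = [
    Indicator("ip", "198.51.100.23", "partner-a", 90),
    Indicator("ip", "198.51.100.23", "partner-b", 85),
    Indicator("domain", "c2.bad-example.net", "vetted-clearinghouse", 95),
    Indicator("ip", "203.0.113.10", "anonymous-tip", 99),           # our own public host
    Indicator("domain", "example.com", "anonymous-tip", 99),        # parent of updates.example.com
    Indicator("ip", "198.51.100.0/16", "anonymous-tip", 99),        # absurdly wide prefix
    Indicator("domain", "login.bad-example.net", "partner-a", 60),  # uncorroborated
]

if __name__ == "__main__":
    for (kind, value), v in vet(SAMPLE_FEED).items():
        print(f"{v.action:6} {kind}:{value:22} {v.reason}")
```

Run on the sample feed, the three decoys are rejected regardless of the 99 percent confidence their submitter attached, the corroborated C2 address and the clearing-house report are the only entries that reach "block", and the single uncorroborated tip lands in review. That is the non-blind form of trust the panel is describing: the feed is consumed, but nothing in it can lock down your own assets on its own say-so.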
The other panelists agreed. Speaking of trust, Rice said, “This is not something that happens overnight. This is something that has to be built over years.”