Feds to battle cybersecurity with analytics

For the federal government to better secure its information systems and support cybersecurity in the private sector, departments and agencies will need to dramatically improve the way they collect, analyze and share information about emerging threats, current and former government officials are cautioning.

At a government IT conference convened by Akamai, a content delivery and cloud service provider, officials stressed the importance of casting a wide net for gathering information about cyberthreats, calling for the advancement of new standards and protocols to automate information sharing across the public and private sectors.

"The more participants we have in our process, the better that process is going to be," said Danny Toler, acting assistant secretary at the Department of Homeland Security's Office of Cybersecurity and Communications.

Phyllis Schneck, who recently stepped down as a deputy undersecretary handling cybersecurity at DHS, observed that challenges arise both from the people who use computers and from the limitations of the machines themselves.

"Computing is about people and machines," she said. "We're all human. We actually can't get trained out of clicking on a link. We can try, we can get most of it, but we're going to click."

'Situational awareness' in cyber

Security firms offer a bevy of products that can intervene to mitigate the damage from a person clicking on a malicious link, Schneck said. But she envisions a much larger, global pool of threat data that could be tapped instantly and automatically to keep machines from falling prey to malicious actors, a system that would be aided by "big analytics" capabilities to make sense of the massive trove of data.

"Real-time, we also want computers to have this same kind of backstop. You want to look at what arrives at a computer and what it should and shouldn't act on. So computers are not smart -- you can quote me on that -- they're just fast," she said.

She envisions a "situational awareness" that would take general networked computing activity in the same direction as DHS' evolving EINSTEIN intrusion detection and prevention program, which she says has been moving from "a system of vaccines to now an immune system" to better protect government and private-sector systems.

"That could happen all over our internet with knowledge that comes from companies like Akamai that see a big, broad perspective of the world," Schneck said.

"If we could get our internet to recognize something bad and attack it," she added, "we could start to look at how we not only end the idea where instructions are simply run without thinking about it, but also be able to warn ... at the speed of light all the others that might be relevant across the network."

Advancing intrusion prevention

At DHS, the EINSTEIN team has been advancing the third element of that program, which focuses on intrusion prevention. It builds on the first two elements, which record network flow data and detect, largely by matching signatures, intrusions that have already occurred. Toler described a pilot program through which DHS is trying to expand EINSTEIN's threat prevention apparatus by drawing on a mounting store of data that is helping to build out the program's analytical capabilities.

"At this point, that prevention is based on signature capability, so it's blocking known knowns," Toler said. "But as we increase our analytical capability, we're looking to increase those known knowns, but also looking with EINSTEIN III to shift into non-signature based capability."
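The distinction Toler draws, blocking "known knowns" by signature versus adding analytics that need no prior signature, is easy to see side by side in code. The following is an added illustration written for this page, not EINSTEIN code and not anything DHS has published: it runs a signature match against a hypothetical indicator list, then two non-signature heuristics (regular-interval beaconing and long, high-entropy hostnames) over a handful of constructed flow records. The flow records, the indicator list, the thresholds and the hostnames are all invented for the example.

```python
"""Added example: a 'known knowns' signature layer next to two non-signature
heuristics (beaconing, DGA-like hostnames) run over constructed flow records.
Illustrative only; not EINSTEIN code and not affiliated with DHS."""
import math
import statistics
from collections import defaultdict

# Constructed sample flow records (hypothetical): seconds offset, source host,
# destination hostname, bytes sent. Not captured from any real network.
SAMPLE_FLOWS = [
    {"ts": 0,    "src": "10.0.0.5", "dst": "mail.example.com", "out": 4200},
    {"ts": 100,  "src": "10.0.0.5", "dst": "mail.example.com", "out": 3900},
    {"ts": 250,  "src": "10.0.0.5", "dst": "mail.example.com", "out": 5100},
    {"ts": 500,  "src": "10.0.0.5", "dst": "mail.example.com", "out": 4800},
    {"ts": 130,  "src": "10.0.0.5", "dst": "bad.example.net", "out": 900},
    {"ts": 0,    "src": "10.0.0.7", "dst": "updates.example.org", "out": 512},
    {"ts": 300,  "src": "10.0.0.7", "dst": "updates.example.org", "out": 512},
    {"ts": 600,  "src": "10.0.0.7", "dst": "updates.example.org", "out": 512},
    {"ts": 900,  "src": "10.0.0.7", "dst": "updates.example.org", "out": 512},
    {"ts": 1200, "src": "10.0.0.7", "dst": "updates.example.org", "out": 512},
    {"ts": 42,   "src": "10.0.0.9", "dst": "xk3f9q2zt7hv1m.example.com", "out": 700},
    {"ts": 50,   "src": "10.0.0.9", "dst": "www.example.com", "out": 12000},
]

# Hypothetical indicator list standing in for a shared feed of known-bad hostnames.
KNOWN_BAD_HOSTS = {"bad.example.net"}


def signature_hits(flows, indicators):
    """Signature layer: exact match against known-bad destinations ('known knowns')."""
    return sorted({(f["src"], f["dst"]) for f in flows if f["dst"] in indicators})


def beaconing_pairs(flows, min_flows=4, max_jitter=0.10):
    """Non-signature layer 1: flag (src, dst) pairs whose contact intervals are
    nearly constant, i.e. the coefficient of variation of the gaps <= max_jitter.
    Thresholds are assumptions chosen for this example."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append(pair)
    return sorted(flagged)


def shannon_entropy(text):
    """Bits of entropy per character of a string."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like_pairs(flows, min_len=12, min_entropy=3.5):
    """Non-signature layer 2: flag long, high-entropy leftmost labels, a cheap
    heuristic for algorithmically generated hostnames. Thresholds are assumptions."""
    flagged = set()
    for f in flows:
        label = f["dst"].split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            flagged.add((f["src"], f["dst"]))
    return sorted(flagged)


def triage(flows, indicators):
    """Run the signature layer and the two heuristics; returns hits per layer."""
    return {
        "signature": signature_hits(flows, indicators),
        "beaconing": beaconing_pairs(flows),
        "dga_like": dga_like_pairs(flows),
    }


if __name__ == "__main__":
    for layer, hits in triage(SAMPLE_FLOWS, KNOWN_BAD_HOSTS).items():
        print(f"{layer:10s} {hits}")
```

The signature layer catches only the one destination already on the list. The regular 300-second contacts from 10.0.0.7 and the random-looking label from 10.0.0.9 match no indicator at all and are surfaced only by the heuristics; the irregular mail traffic from 10.0.0.5 is left alone. That is the gap a non-signature capability is meant to close, at the cost of thresholds that need tuning against the real traffic mix to keep false positives down.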

The government's efforts to expand coordination on cyber issues don't end at the country's borders. Christopher Painter, the State Department's coordinator for cyber issues, described his organization's aims to promote cyber norms in U.S. diplomatic missions, and to help developing nations build up their infrastructure in the area. Regardless of the subject of the meeting, Painter said, cybersecurity issues are generally on the table.

"This is something that comes up in almost every bilateral meeting we have," Painter said. "Whether it's cyber or not, these issues come up."

Officials also recognize that there is a balance to be struck in the collection and sharing of data, and that privacy and civil rights groups have a role to play to ensure that consumers' personal information is not unduly compromised in the name of security. There can also be cultural barriers between the public and private sectors, as some businesses are reluctant to share data with authorities for fear of exposing themselves to legal liabilities, or out of frustration that the government is stingy with the information that it shares in return with outside entities.

There are no such hindrances in the cybercriminal community, Schneck argues.

"The adversary has no problem sharing information," she said. "They work with an alacrity that we will never see because we actually have a civil way of life to protect. So for us, partnership is mandatory if we're going to bring this together."