Part 1 of 2: Data for Improved Cybersecurity Outcomes

Jul 26, 2024 · 19 min

Episode description

Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum. 

In this first of a two-part series, an expert panel with representatives from DHS, FBI, the White House and industry discussed the latest developments around Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), integration of cyber regulation efforts, and how agencies make decisions about what cyber threat information to share publicly without giving adversaries an edge.

Featuring:

  • Former Congressman Jim Langevin
  • Christopher Butera, Senior Technical Director, CISA
  • Neal Ziring, Technical Director, Research Directorate, National Security Agency
  • Tom Afferton, President, Cyber Mission Sector, Peraton (moderator)


This discussion took place at the HSDF’s Cybersecurity Symposium on July 10th, 2024. 

Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.

Transcript

Tom Afferton, President, Cyber Mission Sector, Peraton (moderator)

Thank you, Megan, thank you, Congressman, for joining us again, Chris and Neal.

So, as a way of introduction, Megan mentioned, I head up the cyber mission sector at Peraton, so we support customers where cybersecurity, information, warfare, 10 vendor for the NSA, and we also support CISA as well Cybersecurity Division, Information Operations Division, Integrated Operations Division. Sorry, off to a great start.

One of the things that we've seen, though, in supporting both customers, is that we see the challenge with this increase of data coming from increased monitoring and increased visibility into critical infrastructure, and we've seen at the NSA that they've been through a large-scale data management challenge as well.

Going back to the signals intelligence enterprise, and so that intersection of the tidal wave of data that's coming and the last panel certainly talked about that with what do you do with that data, how do you manage it and, most importantly, how do you derive benefits from it for operations, and the mission is what we're going to cover.

We're going to start, though, with the front end, if you will, which is on the policy front, and so in some ways, Congressman, this panel is your fault, right, but you were one of the commissioners on the Solarium Commission.

You were really at the creation of the National Cyber Director, as you've been involved for many years, you've advocated for data sharing. What do you think we've accomplished and what's left to accomplish in terms of data sharing and data policy as it relates to cybersecurity?

Former Congressman Jim Langevin

Sure, thanks for the question. You know I've long believed going back. Actually, first of all, I want to say well, I'm thrilled to be on this panel too. Great group, I appreciate the work that you all are doing in your own right.

You know, I've always believed that those who have information have the power. I've always believed that. That's back to my days when I was Secretary of State, and I've always believed that the power of the home of people and I had to make that information available to as many people as possible my days on the Intelligence Committee and my national security work.

I've always believed that good intelligence is always going to be the pointy tip of the spear, and so that's why the work that is done in our intelligence community, and certainly the NSA, is very critically important.

And then in my work in cybersecurity, I always believe that use of data is going to help us to get to a stronger and better place of cybersecurity. And so we've come some of the way, but still a long way to go.

That when I first started this journey in cybersecurity, if we could broadly share cyber threat information quickly at network speed, we'd inoculate everybody very quickly and we'd all be better protected. I thought that was going to be easy. That was a real wake-up call.

And then the lawyers got involved and they said, oh, we're not sharing in the private sector because we're concerned about antitrust violations and all that. And so we came away from that recognizing, OK, we need to change the law. And then we passed the Cybersecurity Information Security Act of 2015.

And we thought, great, this is going to solve all the problems. That turned out not to be true and we only had a limited amount of sharing.

And so fast forward to Solarium and many other initiatives that have taken place and we're at a better place now, and I think one of the highlights I will point out is the work being done at CISA and the known exploited vulnerabilities list that they put out. I think it's a real value add.

And just recently there's a private company that I advise, MidSite is the name of the company, and they basically do a kind of credit rating for the cybersecurity, indicating how secure a particular company might be or an entity might be, and it shows that government is patching at a faster rate the known exploitative vulnerabilities than private sector, especially when it comes to critical infrastructure. And I think a lot of that deals with the fact that Congress gave CISA binding operational directive authority and so they can require that they move more quickly to close vulnerabilities.

The government has to close vulnerabilities more quickly and it leaves the question open, you know, should private sector have that kind of requirement, at least some kind of a timeframe? So there are good things happening out there but, as always, more work yet to be done.

Tom Afferton, President, Cyber Mission Sector, Peraton (moderator)

Great. Bonus question. We talked about this earlier in the green room as it relates to policy. So the recent Supreme Court ruling rolling back in effect the Chevron defense as it relates to regulation, and can you give us some insights on what do you think will change?

I know it's early days, but welcome your insights on what the impact of that ruling will be.

Former Congressman Jim Langevin

Yeah, so my limited, you know, knowledge and experience with the Chevron decision so far, just on a cursory level, I look at it and I say, you know, this court is the court that just keeps on giving. I think it was ill-conceived. I disagree with it.

We're going to go from, you know, deferring to the subject matter experts at regulatory agencies and departments, and now the courts, or they say they want to leave that to the Congress to work. I think it's going to be a step back toward moving quickly to address, you know, problems or close off vulnerabilities.

When you have a department agency that, you know, that has a comment period, that they listen to the comment from the public and experts and then promulgate a rule of regulation that, you know, it gets us to, you know, hopefully a really decent outcome. And now that outcome is kind of in doubt. I think it's weakened based on.

Now, you know, it's kind of referring to the Congress to get more into the details and what I will say is, again, the former member of Congress. You know, we all have to know a little bit about a lot, and then, you know, each of us might do a deeper dive in a particular subject and become subject matter experts.

It's going to be near impossible to get to the kind of granularity and detail that the departments and agencies went through the regulatory process, and I think it's going to be a problem in terms of it's a step back from getting us to where we need to be on cybersecurity or better regulation in general.

Tom Afferton, President, Cyber Mission Sector, Peraton (moderator)

Thank you, Chris. We're going to move to a different front lines. You were in the front lines in the response to the storm from SolarWinds. What did you learn there and specifically, what did you learn in terms of the importance of data sharing from that experience?

Christopher Butera, Senior Technical Director, CISA

So, first off, thanks for having me here and thanks to the Congressman for participating and specifically taking that last question that I don't think Neal or I wanted to answer. So, SolarWinds. So in my previous role I was head of CISA's threat hunting and detection and response team.

So that was kind of a big event for us and for most people probably in this room and really, I think, one of the pinnacles of changing the way we do cybersecurity, especially in the federal space. So a lot of policy and legislation came after SolarWinds. So, like specifically, one of the key things was the cyber EO.

That had lots of different tasks specifically for CISA and for other federal government agencies around improving cyber threat detection capabilities, improving logs for cyber investigations, improving software supply chain security. So all three of those tasks increase the amount of data that we are trying to collect and store and analyze exponentially.

So those are really good things for cybersecurity in the federal space but also present some significant challenges for us. But there was lots of other good things that came out of that as well.

So the Cyber Safety Review Board is another great example of something that's been working quite a bit lately and has covered some really important incidents and, I think, also looking at when you look at the data types that we're talking about and compare that to maybe the data types that we were collecting 10 years ago, you know, really focused on collecting, for example, network data at, you know, usually at the boundary, and we thought that was pretty sufficient to do a pretty good job of detecting and protecting networks.

And now the asset types have just both, you know, increased exponentially, as well as the diversity of those asset types has increased quite substantially. So we have to think about, you know, collecting host-based data. We have to think about collecting mobile data.

We have to think about collecting cloud asset data and IoT data and all these other kind of data domains that we hadn't kind of really been focused on before. And then you add in, you know, the last panel talked a lot about artificial intelligence. I don't think we've even started really kind of to figure out how to detect incidents in artificial intelligence systems, specifically outside of the normal kind of cybersecurity matters.

So there's certainly a lot of new challenges that have evolved since then and, you know, also thankful for the NDA authority in 21 that gave CISA persistent hunt access inside the federal networks. That allowed us to kind of access all this additional data sources to help improve cybersecurity protection for the federal government.

Tom Afferton, President, Cyber Mission Sector, Peraton (moderator)

Great, so, and we'll get to Neal in a minute. But it was clear from the preparations and the introductions you have similar roles between you and Neal. Your agencies have different responsibilities but there are some overlaps. We've seen publicly an increased collaboration with the NSA and CISA. Can you give us some additional insights into that collaboration?

Christopher Butera, Senior Technical Director, CISA

Yeah, sure, so I'll spill the beans, but yeah, so, like Neal and I talk quite regularly, it's really good to have a touchpoint that has a similar role in another organization, and there's not a lot of those touchpoints for me and for some of the people on our staff, so it's really good to have someone else to kind of bounce ideas off of, talk about some of the emerging priorities. Neal and I talk about a pretty wide variety of things. We were just talking about BGP in the green room, but really we talk a lot about emerging vulnerabilities, how this might be a new and interesting one, how we might kind of defend against that.

We talk about a lot about cyber research and development, ways we can collaborate between our organizations in that area. We talk a lot about different services and successes and pitfalls we've seen from some of those services.

So we've, for example, have a similar protective DNS service that NSA runs for the DIB and we also run a similar service for the federal government and the critical infrastructure. So we collaborate in quite a few of these different areas.

And then data is, of course, a big thing and how we actually are using data to support our cyber defense mission is something that we talk about quite often, and how do we build advanced and things along that those lines. But happy for Neal to, yeah, let me.

Neal Ziring, Technical Director, Research Directorate, National Security Agency

Let me add just a bit. Uh, I mean, I really enjoyed speaking with Chris because he brought a very different viewpoint to some of these problems than we get on the national security side. Um, I think that our, our workforces have done a much better job at collaborating over the last few years.

Uh, you may note, in the last few years we've had a lot of co-sealed advisories and things like that. That's been, I think, really great, and both of us are continuing to collaborate with our international partners, which we believe is also very important.

On the data sharing side, I think we're doing better at individual sharing, like between analysts working on a certain problem, but, like Congressman said, there's still a long way to go, a lot of work to do on sharing data, as I might say, a matter of course, and part of that is we live somewhat in different worlds.

A lot of what NSA does is in the classified world and nearly all of what CISA does in the unclassified world. But we are working to make progress in those areas, not only on sharing data, but also sharing analytic tradecraft and analytics, which are also very important.

Tom Afferton, President, Cyber Mission Sector, Peraton (moderator)

So, Neal, going back to my opening remarks, we've seen some parallels between the challenges that CISA, among other agencies, are facing now with large-scale data, the importance of data provenance and, rolling back with something the last panel talked about. Your organization has faced similar challenges at a large scale in the signals intelligence domain.

What lessons learned can be applied there from that application?

Neal Ziring, Technical Director, Research Directorate, National Security Agency

Lots. How long do we have again? I should also note that I was announced as Technical Director of Research, but that's a very new position for me, just a few weeks. For several years before that I was technical director of cybersecurity directorate and that's where I interacted with Chris, sort of as a direct counterpart.

NSA has had to deal with sort of large data challenges and data security and data compliance for a very long time. I spent several years, like 06 to 09, directly wrestling with those problems and we believe we have a lot of good lessons there. So I tried to distill it down to sort of three key lessons.

The first one is that if you're going to have mission data, whether it's cyber mission data or intelligence mission data, you have to manage it intentionally and purposely, right?

You can't just say, oh, here comes some data, we're just going to ad hoc it. No, not good enough, especially as the scale goes up. And that is what helps you keep that data protected.

Keep it within the compliance bounds of your particular mission, and in the intelligence mission we have very strict compliance regime and cyber as well, and getting that maximum mission value out of that data. So NSA does this, and a big part of that is data tagging, right?

When you come into possession of a piece of data, whether it's you collected it yourself, you generate it yourself, you got it from a partner, you got to tag it at the earliest practical stage. You want to have a general purpose infrastructure to handle all that, the movement of data, the tagging of it, the protecting it.

Don't make every single application system do that for themselves, because, one, they can't afford it and, two, they're trying to build an application. Right, they're focused on that. And thirdly, understand and track your analytic data flows, right?

You're collecting this data not for just the fun of collecting data, but because you want to analyze it and get mission value out of it.

And that can include, like big production analytics, that can include small ad hoc ones that you create for a particular mission problem, and even little do-it-yourself things that analysts are going to do in, you know, Jup, Jupyter notebooks.

You got to be able to track all that and, uh, that lets you understand the contribution of these analytics to your mission so that you can then focus your, your attention, where you're getting value or where you have a gap and, uh, and if you have a new problem, you know where to plug in, um, so that you're able to sort of be most responsive to the new mission need that you've encountered. And, lastly, that form of tracking and understanding your analytic data flows allows you to be most effective at sharing, declassifying, if you need to, right, often a big deal for us, and being able to collaborate with others where you might want to share data.

If you know where the data's been and how you created it, that's a huge step towards being able to share it. So I'm sorry to rattle.

Transcript source: Provided by creator in RSS feed.