Classified Forum Describes Cyberthreats, Solutions
Threats are both more diverse and more coordinated.
The lines between nation-state and criminal cyber attacks are blurring, and the pace of their onslaughts is increasing geometrically as everyone from private citizens to secure government organizations is targeted. Most importantly, there is no one-size-fits-all approach to either cybersecurity or threat intelligence. Each aspect must be tailored to the threat and the threatened.
Many of these points were brought forward in an AFCEA classified cyber forum earlier this year. Addressing the theme of “Evolving Cyber Threat Intelligence, Means, Methods and Motives,” the forum generated some valuable unclassified observations and conclusions relevant to dealing with today’s cyberthreat.
Several themes that emerged from the discussions. These include the general acceptance that the cyberthreat will continue to increase rapidly and that cyber attacks have now become ubiquitous. One presenter even offered a corollary to Moore’s Law: “The cyber threat will double each year in the future!”
An important observation was that it is not sufficient to identify the technical characteristics of a threat. Increasingly, it is essential to understand the motives so that people can assess how to appropriately respond to specific cyber threats and to help recognize cyber attack campaigns. One speaker described this as the “purple” problem for cyber threat intelligence. We must look not only at the red side—adversaries’ actions—but also at the blue side, particularly the impact or objective is being pursued, to tailor response actions for the increasing number of cyber threats.
Joshua Steinman, special assistant to the president for cyber, in the opening keynote described the philosophy of the White House toward cyber: advocate against closed Internets; maintain ability to defend the nation and its people; pursue bilateral security agreements; and advocate for opt-in security standards. Steinman indicated the White House would be issuing further guidance that would benefit from the data being provided in response to President Trump’s executive order on cyber.
Speakers recognized that threat attribution has improved significantly, although attribution determined by industry sources dominates what is publicly referenced. They also discussed the increasing blurring of the distinction between cyber attacks originating from nation-states and those from criminal elements. In essence, criminals have found an additional market for their cyber exploits in nation-states.
Additionally, the presentations and dialogue repeatedly highlighted that increased use of automation was essential across all aspects of cyberthreat intelligence—collection, analysis and response. Forum speakers strongly expressed the opinion that the goal should be to produce and distribute cyberthreat intelligence data, including actionable information, that is unclassified despite the recognized need to employ classified analysis methods and classified sources in producing unclassified products.
The session highlighted some positive trends. Government organizations have improved cooperation significantly with improved clarity on roles and responsibilities. Speakers also acknowledged improved relationships between government and industry. It was noted that industry sources of threat intelligence have matured very rapidly and are now the primary source of this intelligence for companies. In addition, significant progress has taken place in advancing technologies that can assist with cyberthreat analysis and cyber attack response. Artificial intelligence, machine learning, advanced authentication techniques and software-defined systems were highlighted as very important technology areas.
Several areas of concern emerged. Chief among these were the blurring between nation-state and criminal cyber activities; the recognition that both government and industry are drowning in threat data, highlighting the urgency for improved automation; the idea that government-sourced threat intelligence information is not highly relevant to industry—too much data, not sufficiently timely, not actionable; the notion that the nation’s cyber strategy is not clearly defined, resulting in uncertainty regarding appropriate actions and delays in response to attacks; and the lack of a clear U.S. response to cyber attacks could be unintentionally acknowledging acceptable practices.
The AFCEA committees on cyber, homeland security and intelligence are discussing appropriate follow-up actions based on the forum in several areas: methods to accelerate the production of unclassified threat intelligence information; approaches that could speed up the process of providing feedback to industry regarding threat information provided by industry to the government; priorities for pursuing automation to assist in cyber threat collection, analysis and response; appropriate changes in criteria for U.S. industry to obtain clearances, including roles in the protection of critical infrastructure, versus government contract performance; and concepts that could form the basis for a national strategy on cyber.