Center Fortifies Cyberspace Front Line

The National Cybersecurity and Communications Integration Center (NCCIC) features a three-tier classified watch center that includes cybersecurity and threat analysis tools such as the United States Computer Emergency Readiness Team EINSTEIN program.

Public and private sectors unite to mitigate infrastructure vulnerabilities.

The convergence of information technology and voice communications is prompting another merger—this one between government and industry. The establishment of the National Cybersecurity and Communications Integration Center late last year is the first step in unifying the effort to keep U.S. information networks and infrastructure secure and to respond immediately in case of attack. The center increases the U.S. government’s ability to detect, prevent, respond to and mitigate disruptions of voice and cyber communications.

Rear Adm. Michael A. Brown, USN, deputy assistant secretary for cyber security and communications, U.S. Department of Homeland Security (DHS), explains that the National Cybersecurity and Communications Integration Center (NCCIC) is one answer to the public and private sectors’ demand for a single facility to monitor cyber operations. The NCCIC was built with the understanding that the DHS would have representatives from multiple organizations.

“The new center gives us greater capability, and we’ve got greater analytic tools, but the DHS mission is focused heavily on the federal executive civilian branch—the .gov domain. Our other mission, as I’ve said many times, is with the private sector and that’s looking at both the critical infrastructure, key resources responsibilities that we have underneath the DHS mission as well as the [responsibilities to the] public sector. And that’s something, for instance, that the US-CERT [United States Computer Emergency Readiness Team] is responsible for, and it delivers critical information that affects the individual user. We do that through multiple ways with information dissemination to the public,” Adm. Brown states.

The center itself has a three-tier classified watch floor that features a knowledge wall and 61 computer stations that are staffed around the clock every day. Among the tools that are being used to accomplish the center’s mission is the EINSTEIN program, which is a US-CERT automated process for collecting, correlating, analyzing and sharing computer security information across the federal government. In addition, the NCCIC features a malware laboratory where experts can examine and analyze malicious activity to determine the seriousness of threats and to create solutions.

In the event that additional capability is needed, center personnel can reach out to the U.S. Defense Department and the individual services for assistance. The admiral emphasizes that the most important part of the NCCIC is not the technology but rather the boost to analytics when government and industry personnel work as a team. “We are in a race against technology and the adversary. We need to be able to respond in a cycle that is ahead of them in both cases,” he states.

The early phase of the center’s formation involves pulling together government agencies that have been involved in cybersecurity. This includes personnel from the National Coordinating Center for Telecommunications (NCC), which is the operational arm of the National Communications System. The NCC coordinates initiation and restoration of national security/emergency preparedness telecommunications services during a national crisis. It works around the clock as an operations watch center.

The US-CERT is the operational arm of the DHS’ National Cyber Security Division. The team is responsible for analysis, warning, information sharing, vulnerability reduction, mitigation and assistance to national recovery efforts for critical infrastructure information systems. Both the NCC and US-CERT report to Adm. Brown.

Two other organizations that are part of the NCCIC are the National Cyber Security Center (NCSC) and the DHS’ Office of Intelligence and Analysis (I&A). Both the NCSC and the I&A support the DHS’ responsibility to coordinate with other cybersecurity organizations inside the government during cyber events.

The goal of bringing these organizations under one roof is to draw out the most successful elements of established government organizations and increase efficiency, transparency, integration and collaboration. The single facility enables members of these agencies to mingle on a constant basis, the admiral explains. This is critical as the DHS provides the cybersecurity for the 18 critical infrastructure and key resources (CIKR) sectors that are its responsibility. Most of the owners and operators of the CIKR are in the private sector, so working closely with them is extremely important, Adm. Brown adds.

To address the need to protect nongovernment-owned infrastructure, the NCCIC already has been interoperating with various government agencies and corporate entities in the operations center.

The next few months will be spent determining how to best operate together. The center’s second phase will include increasing the department’s private sector partnerships; however, the admiral emphasizes that the private sector already is partaking in the NCCIC’s work. For example, the NCC has a number of industry communications sector representatives as members, and the NCCIC is key to bringing these professionals into the government’s operations processes and procedures.

Adm. Brown relates that the federal and private sectors are monitoring networks on a real-time basis to identify vulnerabilities and mitigate risks. “Major carriers tied to the communications sector are all capable and do participate in the operations. But this is the first real-time construct where the private-public capabilities are all co-hosted,” he says.

Philip Reitinger, deputy undersecretary, DHS National Protection and Programs Directorate, was the keynote speaker at the opening of the NCCIC. Reitinger came to the DHS after serving as Microsoft Corporation’s chief trustworthy infrastructure strategist.

The admiral notes that while the US-CERT and the NCC have shared a location for some time, their actions have been “geographically separated,” and at times this resulted in “less than an optimal use of the capabilities on hand.” Even though the NCCIC is still in its early stages, he believes that bringing these organizations together in one location will create a robust and more complete situational awareness of the information technology and communications infrastructure.

“We are merging and synchronizing operations, as opposed to merging the organizations, and that’s just the beginning. There is a lot more we want to do with the public-private partnership in building out capabilities and capacity. Specifically, we are looking for different representatives from other organizations in the federal government who have an understanding of operations to sit on the [center] floor and be part of the watch,” Adm. Brown says.

On the private sector side, a number of opportunities exist for collaboration. For example, certain industries already have created information sharing and analysis centers (ISACs). A number of computer, telecommunications, communications and infrastructure companies created the Information Technology ISAC (IT-ISAC), and companies such as Qwest, AT&T and Verizon are participants.

Adm. Brown allows that industry representatives will follow a similar working model to the new standard operating procedures and handling of steady-state and crisis operations. As new companies join the NCCIC, they will collaborate and share information with their government counterparts.

“If we know that there is a specific corporation that brings operational capability and visibility [to network security], we want to be able to take advantage of that, create a structure of policies and procedures, and go through the legal reviews that are required to have that capability [in the NCCIC],” Adm. Brown explains. This public-private partnership focuses on the U.S. operational cyber and communications infrastructure and will determine how to tie that into the infrastructure the U.S. allies use, he adds.

But the federal government and industry are not the only sectors that have been busy coordinating the efforts in cybersecurity. Individual state and local governments are part of the Multi-State ISAC (MS-ISAC). All 50 states, the District of Columbia, local governments and U.S. territories participate in this collaborative organization. The MS-ISAC’s goal is to provide a common mechanism for raising the level of cybersecurity readiness and response in each state and with local governments. The center fosters information sharing and early warning of cybersecurity threats. The admiral states that maintaining communications with organizations such as these is another way to improve network situational awareness.

State and local organizations also collaborate about cybersecurity through the DHS State, Local, Tribal and Territorial Government Coordinating Council, which enables representatives to meet members at different government levels and to connect with federal agencies. Unlike the MS-ISAC, the coordinating council only has 30 members, so government organizations must wait for a seat to become available before nominating someone from their group to join the council.

In a time when President Obama is calling for all organizations involved in homeland security to “connect the dots,” the admiral explains that the NCCIC will improve how this is done in the cyber arena. Among the organizations that the center personnel work with on a regular basis are the Defense Department, Secret Service and Federal Bureau of Investigation, so they can share information and create common situational awareness with these groups. This activity has been part of the mission of the NCSC and continues as part of the NCCIC organization, where a physical structure enables the dots to be more effectively connected, the admiral relates.

Adm. Brown points out that the skill sets required to work in the cybersecurity realm are different than the qualifications generally found in computer scientists. As in other organizations—both public and private—one of the biggest challenges the NCCIC and the DHS face is the limited number of qualified people to meet staffing needs. “We’re looking for analysts and engineers who can work together. And we’re not the only ones who are looking for these skills; both the private [sector] and other government organizations are looking for these professionals, and that’s the challenge—people,” he says. To resolve this issue, the DHS has increased the number of cybersecurity professionals it is hiring (SIGNAL Connections, December 2009).

Although information technology professionals are the most important part of the cybersecurity equation, Adm. Brown notes that some specific technical capabilities would help these people do their jobs more effectively. Technologies that reduce the need for manpower would be particularly useful, he says. “We need greater analytic tools, and we need greater visualization tools to understand what’s occurring on a real-time basis and perhaps proactively. These are tools that would meet and defeat that threat before it gets to us. That’s a significant challenge,” he states.

This last technical goal is scheduled to be the next step in the EINSTEIN program. While EINSTEIN 1 enabled cybersecurity experts to identify when an intrusion occurred, and EINSTEIN 2 detects intrusions in real time, EINSTEIN 3 aims at finding a way to prevent an intrusion by anticipating it.

WEB RESOURCES
DHS Office of Cybersecurity and Communications: www.dhs.gov/xabout/structure/gc_1185202475883.shtm
Multi-State Information Sharing and Analysis Center: www.msisac.org
US-CERT: www.us-cert.gov
National Coordinating Center for Telecommunications: www.ncs.gov/ncc
DHS Office of Intelligence and Analysis: www.dhs.gov/xabout/structure/gc_1220886590914.shtm
Information Technology Information Sharing and Analysis Center: https://www.it-isac.org