Data-Driven Framework Attacks the Cyber Monster
If you think of the cyber threat as Godzilla, you can see the need for a framework that optimizes limited resources. As the beast attacks the building, those individuals located on the ground floor—for example the architects and engineers—worry about being stepped on by its feet. Those on the next floor up, the systems engineers, see the knees and want protection from being kicked. The next level, the incident responders, see the claws and worry about what those claws can do. Higher in the building, the operators see the shoulders and are focused on how big the threat might be based on the shoulder size. The customers at the top only see teeth and flames. All of those in the building understand the threat of Godzilla, but they only see the monster from their vantage point. The solution on one level might not be the best solution for the overall threat or the best use of limited resources.
Patrick Arvidson, special assistant to the Office of the National Manager for National Security Systems, National Security Agency (NSA), speaking during the AFCEA Defensive Cyber Operations Symposium, said he believes that comparing the cyber threat to Godzilla is a way to show how different perspectives need to be incorporated into a framework. This enables decisions to be made based on all the data and the right priorities.
Giving a real-life example, he explained that, “When the Berlin Wall fell, it was because the Russians could not afford to modernize and win in that environment.” The Russians had to prioritize because “when many things are going up but resources are flat, you prioritize.”
The problem is, if you ask different U.S. government agencies to prioritize their top 10 challenges, you will receive different lists, and the lists will also be different even within organizations in the same agency, Arvidson continued.
The Defense Information Systems Agency (DISA), the Defense Department chief information officer (CIO), the Joint Staff and the services are among those who “argued about Godzilla for months,” Arvidson reported. “They argued about the feet and the claws and the different threats. At the end, they realized that many networks with lots of complexity mean that there is not a one-to-one solution. They realized that a framework was needed so decisions could be made on where the application of resources would make the biggest difference in thwarting the action and intent of the adversaries, not necessarily every tactic it uses,” he said.
Such a framework, the Department of Defense Cybersecurity Analysis and Review (DODCAR), is sponsored by the DOD deputy CIO for cybersecurity, the NSA deputy manager for National Security Systems and the DISA director. It is a threat-based, analysis-driven, repeatable process to synchronize and balance cybersecurity investments; minimize redundancies; eliminate inefficiencies; and improve all-around mission performance.
DODCAR performs threat-based cybersecurity architecture assessments to ensure DOD leadership has the insight and knowledge to make well-informed, prioritized cybersecurity investment decisions to enable dependable mission execution of the unclassified and secret environments.
This effort puts Godzilla into a framework people can understand, Arvidson said. The top layer addresses the strategic objective of the adversary, which is to get in, stay in and act. The next layer is the operational objective of the enemy: to be persistent and move laterally. Another layer is knowing the intent of the attack, such as targeting applications or wiping out a disk drive.
The best defense might not be to prevent the tactic, but defenders need to stop the action, Arvidson stated.
If you have a framework, you can figure out what the adversary is doing instead of trying to guess. It creates a way to talk about the threat, he said, and provides a heat map and a capability list along with an assessment of how well the capabilities perform. With the score in the framework, you can tell where there is investment against the threat and where there is no investment, and define the gaps. Having both threat prioritization and gap identification allows resources to be applied in a more successful manner.
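As an added illustration, not DODCAR's own scoring method (which the article does not describe), the following Python model shows the kind of heat map and gap list such a framework produces: each threat action is tagged with the strategic and operational layers named above, each defensive capability is scored against the actions it addresses, and residual risk shows where there is no investment. All actions, capabilities, weights and scores are constructed placeholders.

```python
# Added illustrative model, not DODCAR's methodology or scoring scale. Threat
# actions carry the layers the article names; each capability is scored 0-3
# against the actions it addresses; output is a heat map and the gap list.
from collections import defaultdict

MAX_SCORE = 3  # strongest coverage one capability can earn against an action

# Constructed sample data: actions, weights and capabilities are hypothetical.
THREAT_ACTIONS = {
    # (strategic objective, operational objective, action): adversary priority 1-5
    ("get in", "initial access", "phishing"): 5,
    ("stay in", "persistence", "scheduled task"): 4,
    ("stay in", "lateral movement", "credential reuse"): 5,
    ("act", "target applications", "web app exploitation"): 3,
    ("act", "destroy", "disk wipe"): 4,
}
# capability -> {action: effectiveness 0 (none) .. 3 (strong)}
CAPABILITIES = {
    "email filtering": {"phishing": 2},
    "endpoint detection": {"scheduled task": 3, "credential reuse": 1},
    "web app firewall": {"web app exploitation": 2},
}

def coverage(action, capabilities=CAPABILITIES):
    """Best score any capability earns against this action (0 if none)."""
    return max((c.get(action, 0) for c in capabilities.values()), default=0)

def heat_map(actions=THREAT_ACTIONS, capabilities=CAPABILITIES):
    """Per action: (priority, coverage, residual). Residual weights the
    coverage shortfall by adversary priority; it is 0 only when fully covered."""
    result = {}
    for (_, _, action), priority in actions.items():
        cov = coverage(action, capabilities)
        result[action] = (priority, cov, priority * (MAX_SCORE - cov))
    return result

def gaps(actions=THREAT_ACTIONS, capabilities=CAPABILITIES):
    """Actions no capability addresses at all, highest priority first."""
    hm = heat_map(actions, capabilities)
    return sorted((a for a, row in hm.items() if row[1] == 0), key=lambda a: -hm[a][0])

def layer_rollup(level, actions=THREAT_ACTIONS, capabilities=CAPABILITIES):
    """Sum residual risk per layer: 0 = strategic objective, 1 = operational."""
    hm = heat_map(actions, capabilities)
    totals = defaultdict(int)
    for key in actions:
        totals[key[level]] += hm[key[2]][2]
    return dict(totals)
```

Sorting the heat map by residual gives the investment order the article describes: the highest residual is where resources make the biggest difference, and a residual of zero means the action is already covered.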
“This is the biggest impact I have seen because it facilitates discussion. We are not talking the same language, and the adversary is killing us because of it,” Arvidson concluded.