Threat Info Shared Even Without CISPAMS-ISAC Chair Describes State of Cyberthreat Info Sharing
While organizations wait for Congressional enactment of cyberthreat intelligence sharing legislation, the information security community proactively works to share valuable information among a wide-range of industries.
Information sharing analysis centers, including the Multistate Information Sharing and Analysis Center chaired by Will Pelgrin, all exchange cyberthreat information with one another through the National Cybersecurity and Communications Integration Center, or NCCIC.
"If we're not sharing information among the good guys out there, [information] the bad guys already know, we're just doing ourselves a disservice," Pelgrin says in an interview with Information Security Media Group [transcript below].
Pelgrin cites the umbrella group, the National Council of ISACs, in bringing together different information sharing constituents. "The premise of that national council is to bring multiple levels of ISACs to the table in a meaningful way to not only share actionable information, but to collectively look across sector lines," he says.
Earlier this year, the House passed the Cyber Intelligence Sharing and Protection Act, known as CISPA, which would encourage cyberthreat information sharing between government and industry by providing incentives and liability protections [see: House Handily Passes CISPA], but with a presidential veto threat, the bill has stalled in the Senate [see White House Threatens CISPA Veto, Again].
Although the enactment of CISPA is up in the air, Pelgrin says, "Anything that would help facilitate information sharing at an actionable state is worthwhile."
Until then, he encourages industries to act. "The whole concept is move forward," Pelgrin says. "There are a lot of things that we could throw up as an impediment, but there really are things that we can move forward with."
In the interview, Pelgrin:
- Discusses the current state of cyberthreat information sharing among federal, state, local and tribal governments as well as with the private sector;
- Explains the type of cyberthreat information being shared;
- Describes how MS-ISAC shares cyberthreat information.
Pelgrin is the founder and CEO of the Center for Internet Security, a not-for-profit organization that operates the 10-year-old MS-ISAC. Earlier, he served as the top IT security executive for the state of New York.
Cyberthreat Information Sharing
ERIC CHABROW: The aim of legislation before Congress - such as the Cyber Intelligence Sharing and Protection Act, commonly known as CISPA - is to encourage more sharing of cyberthreat information while protecting businesses against lawsuits and protect citizens' civil liberties and privacy. We will get to CISPA in a moment. But first, what is the current state of cyberthreat information sharing among various constituencies: the federal government, states, local governments and the private sector?
WILL PELGRIN: I think it's best that its been not that we can't do better; we can always improve. I've been doing this for a while now and I can tell you that with the state, local, territorial and tribal governments, which is our mission space, there's a huge difference just over the last few years in the ability to share information. Meaning, our partners out there understand their environments better and understand what's happening within those environments. But more importantly, [it's] their willingness to share that information not just because it will help them, but because they recognize that it will help a great community to be better protected. There are always improvements, but it really has, in my opinion, been an amazing difference between just a few years ago.
I credit a lot of that to the national joint operations center, called the NCCIC, for which I'm pleased to say we have two multi-state ISAC liaisons on the floor right now. As we sit next to DHS, as we sit next to other ISACs like the Financial Services ISAC, FBI and others that are in that joint operational floor, there's a lot of sharing of information that has been really beneficial.
I think you know me well enough now to know that's sort of the fiber of who I am. I believe in information sharing. I started this back in 2002 right after the horrific events of 9/11 about sharing information among state, local, territorial and tribal governments in order to improve our cybersecurity posture in this country. I concluded after a while when I wasn't seeing a lot of sharing initially back then that we all had this feeling that people didn't want to share, and I don't believe that is really the case. I think it really was that we had to make it easier to share. We had to make it so people don't have to think about sharing, and by having people who sit next to other people that cross those jurisdictional lines, it really made it much easier. They didn't have to think, "I need to call Will Pelgrin. Will Pelgrin is right there." It became more natural to do that. I've seen a big difference in it. I'm pleased to say that our TIS multi-state has seen a major growth in it, and how much information we're sharing out to not only the government sector but also to the private sector as well.
CHABROW: Let me try to visualize this. You mentioned NCCIC. Are they literally people sitting next to each other constantly, or is this something that you have meetings regularly? How does that work?
PELGRIN: For the NCCIC, which is the federal joint operational floor, we have two staff members that are on the floor there right now prime time, a little bit over prime-time shifts. They're not there 24/7 but they're there a good portion of the day. It starts probably around 7 a.m. in the morning and the shift ends ... and overlaps a little bit probably around 7 p.m. at night. We have a constant presence there.
As you know, we run a 24/7 operational center here and I'm pleased to say that has connectivity throughout all the states, territories and local governments to be that 24/7 watch center to provide information. I want to stress that information sharing for just sharing isn't the end state. The end state is, "What action can I take based upon the information that you're sharing?" That's the criticality of all of this. It has to be at an actionable state so that we can do something about it. There's so much going on that we can get lost in the din of information so we try to and we strive all the time to ensure that we send out alerts ... and advisories.
Last year alone we sent over 24,000 actionable alerts to our members and partners out there across the board, and some of that included some of the private sector as well as the federal government, but most for the state, local, territorial, and tribal governments. Those were actionable events. The number is much larger than that when you just look at warnings or informational events.
Type of Information Being Shared
CHABROW: When we talk about information sharing, what kind of information? We're speaking now in the summer and there's a lot of news going on about NSA programs, with sharing which deals with metadata. What kind of information?
PELGRIN: Our operational center has partnerships with our state and local governments. What we're looking for is just malicious activity that's going on in their environments with their concurrence. We don't collect any personal sensitive data. It's looking for signatures. The analogy I give is that in the physical arena, when there's a crime that occurs and the police show up, they look for that DNA. They look for that fingerprint that may be left on a desk, lamp or on some physical piece of structure. We're looking for that exact same type of thing on the Internet. We have signatures that we get. We look for those signatures and, through our devices, when a signature lights up saying that we think we have a match, then we contact our partners out there and we analyze that and make a determination whether or not that's an actionable event or not.
CHABROW: How is this information shared?
PELGRIN: It's shared in a number of ways. To go to our website, you'll see that we have an alert map out there, a public alert map. We will tell the general public what we believe the Multi-State ISAC from a national perspective is at from a cyber side. For our individual partners, each of the states will look at their environment and rate their state each week as to what level of alert they're at, and that alert is based on what consequences may be happening within their environment or what threat or vulnerability may exist out there.
We share information via many different mechanisms. We have emergency notification systems. We have secure portals. We have normal transmissions for when it's not sensitive or personal information that's being transmitted. The great news with the partners we have - and I believe this really is a collected effort, not an individual effort - the responsiveness of our partners is tremendous. We can't do this alone. We have to have solid partners. We're very pleased the Department of Homeland Security is our main partner out there as we move forward. We collectively are working with the state, local, territorial and tribal governments to improve the collective posture.
CHABROW: How effective has cyberthreat information sharing been within MS-ISAC, and by this I mean have serious cyber events been averted because of this information?
PELGRIN: The collected view is much more powerful than the singular view. What's happened is that we may see an event that may be going on in one jurisdiction, and if we left it with just notifying that one jurisdiction of that event, they may be able to remediate and may be able to amend it in the first instance. But it didn't do anything for all those others that may be vulnerable. We have looked and we've seen a number of different incidents that are out there that have actually been located in a couple of states, but that, in reality, when we put out notices, 19 states may have been involved in that and were unaware of it at the time and, luckily, we were able to notify them prior to any consequence occurring. A vulnerability that we had identified went out. They were able to see that it was there and remediate that before a consequence occurs. Yes, we've had some good success stories. I'm really pleased that we don't sit back on our laurels and say we're done. Everyday is a day of being more vigilant than we were the day before.
CHABROW: You mentioned earlier that you deal with other ISACs. Can you tell us a little bit about that kind of relationship?
PELGRIN: Absolutely. A great organization is the National Council of ISACs. The premise of that national council is to bring multiple levels of ISACs to the table in a meaningful way to not only share actionable information, but to collectively look across sector lines. While we have our own primary responsibilities, we recognize that the dependency and inter-dependency among all of us is too great to ignore in order to be as secure as we can be. [We ensure] that we're all well-connected both by knowledge of who the other people are, but also what we're doing within our environments and what's going on in those environments to make a secure state. We all recognize there's no 100-percent security that's absolute, but there are a lot of things that are within our control. By taking those, we can minimize at least to where we have to focus on the more egregious stuff that's outside our controls.
CHABROW: Congress is looking into legislation to encourage more information sharing of cyberthreats. Does Congress need to enact new legislation?
PELGRIN: That's a great question and I really don't have a great answer for you. Anything that would help facilitate information sharing at an actionable state is worthwhile in my opinion, whether it's legislation, whether it's executive orders or whether it's just because we believe it's the right thing to do. The whole concept is move forward. There are a lot of things that we could throw up as impediment, but there really are things that we can move forward with, and don't look down the road so far that it becomes daunting.
There's an old adage that it's the start that stops most of us. I'm a big believer of let's just get going. Let's build this in the sky. The expertise and the passion that we have throughout the sectors is tremendous and everyone is trying to do the right thing. Sadly, I think it's still personality-driven; it's still relationship driven, not title driven. That's why I think these groups, such as the National Council of ISACs, are so important, because it builds those relationships that are essential.
With the federal government, what they've done on the NCCIC floor has changed fundamentally how we interact. I don't want people to go away and say we're there yet and that we don't need to do anymore. Everyday is a new day for us. If we're not sharing information among the good guys out there, the bad guys already know, and we're just doing ourselves a disservice.
I'm a lawyer by education. We need to look at the laws in a way that are not an impediment. This should be facilitating our ability to do what we need to do. I don't need to know everything. Some people think information is power. I think of information sharing as power. The power is the community of interest to ensure that our country is as secure as it can be. As a collective group, we can really move mountains.