NIST Cybersecurity Workshop: Well-Organized but Concerns Crop Up


(Pittsburgh, PA)  Hundreds of top cybersecurity professionals gathered here at Carnegie Mellon University on May 29 for the second Cybersecurity Framework Workshop hosted by the National Institute of Standards and Technology (NIST) to help develop a comprehensive framework for critical infrastructure industries, as mandated under President Obama's February 2013 Executive Order.  With the goal of producing a framework that can adequately stretch across 16 critical infrastructure sectors by October of this year, NIST hired facilitators to lead three days of discussions across eight break-out groups along four tracks.  NIST says the tracks correspond to the areas where it identified "gaps" in its review of the comments filed by numerous parties in response to its earlier Request for Information (RFI).

The four tracks are the "Business of Cyber Risk," "Threat Management," "Cybersecurity Dependencies and Resiliency" and "Progressive Cybersecurity:  From Basics to Advanced Cybersecurity."  I participated in the first three of the tracks and spent some time talking to my fellow break-out group members, other break-out group attendees as well as some of the NIST organizers and track facilitators.  Based on all this, here are the top takeaways so far:

1.  The process is well-organized, but the substance seems thin so far:  the NIST organizers get high marks for a well-coordinated workshop, but a recurring question is whether the open-ended break-out sessions have achieved anything yet.  One of the facilitators told me that the soft nature of this first roll-up-your-sleeves workshop is intentional, to give all parties an opportunity to provide input; the next workshop, in California, will present an actual straw-man framework for the attendees to address.

2.  Asset owners need stronger representation:  although a good chunk of the 300 to 400 attendees are asset owners (mostly utilities and telcos with a sprinkling of cable companies and financial institutions), the majority appear to be either consultants or vendors.  Several asset owner attendees have remarked that the break-out sessions are heavily tilted toward vendors and that in the smaller groups within those sessions, the ratio of vendors and consultants to asset owners can be five to one.  This criticism harks back to the process NIST undertook when it developed interoperability standards for the smart grid, which is an oft-cited model for the current cybersecurity framework process.  During the development of the smart grid standards, several utility representatives remarked that the process was vendor-driven and therefore of lower value to them.

3.  Some of the topics veer outside the scope of cybersecurity:  during my break-out session on dependencies and resiliency, for example, the facilitators widened the scope of the discussion to include all possible dependencies (including human capital, legal and contract-related requirements and other issues). Some of the asset owners in the room balked at this wide scope, arguing that the process should stay narrowly focused on pure cybersecurity matters. As one of these participants said during my session, business practices should be outside the scope of NIST's investigations.  A fear among some critical infrastructure owners is that the NIST process might lay the foundation for regulatory action someday despite its current voluntary, public-private partnership approach.  Thus the further the process strays from cybersecurity proper, the wider the potential regulatory field, or so some fear.

Whether NIST can develop a comprehensive framework that addresses cybersecurity in a meaningful way without reaching too far into business practices is an open question at this point. During the plenary session on the second day of the workshop, Bruce McConnell, Acting Deputy Under Secretary at DHS, said one of the goals of the framework is to "raise the level of conversation about cybersecurity...The conversation we've been having over the past 25 years has been a technical conversation. There is a gap between information technology risk and enterprise risk management."

Who's Paying for Huawei's Cybersecurity Evaluation? Not Huawei, Apparently.


Under tough questioning yesterday from Silicon Valley-area U.S. Representative Anna Eshoo (D-CA), John Lindquist, President and CEO of the highly regarded defense contractor and security firm Electronic Warfare Associates (EWA), said that a major American telecommunications company paid for a recent cybersecurity audit of technology from controversial Chinese telecom equipment giant Huawei.  Speaking at a hearing on supply chain cybersecurity issues before the House Energy and Commerce Committee's Subcommittee on Communications and Technology, Lindquist was asked by Eshoo who paid for the cybersecurity "seal of approval" that she assumed EWA had given Huawei.

Eshoo had presumed that Huawei had paid for the evaluation given that Huawei itself has said on several occasions that it has "hired" EWA "to audit our products in order to certify the safety and reliability of the products at the source code."  If that were the case, Eshoo said, it could be the "equivalent of what happened on Wall Street" when the ratings agencies gave glowing marks to some unstable financial institutions that paid the agencies.

To Eshoo's surprise, Lindquist said that Huawei did not in fact pay for the evaluation; an unnamed major American telecommunications company did.  Lindquist said that an NDA barred him from naming the company.  In his written testimony, Lindquist did note that EWA's business practice, as is the case with many technology evaluation firms, is for the telecommunications company, as the primary beneficiary, to pay for security evaluations of vendor products.

It wouldn't be surprising, then, that a major U.S. telecom company would pay for an evaluation of Huawei's products.  A number of U.S. telecom companies do business with Huawei, including Cricket Communications, Clearwire, Cox and Level 3/BTW, according to a report by Chairman Mike Rogers (R-MI) and Ranking Member C.A. Dutch Ruppersberger (D-MD) of the House Permanent Select Committee on Intelligence.  In addition, a number of other Tier 1 telecom providers, such as Verizon, are clearly evaluating, if not currently using, Huawei technology.

Whichever telco it is, "they are in the process" of contemplating a purchase and "we are in the process of evaluating their system.  The evaluation is by no means complete and we’re only evaluating the radio area network portion," Lindquist said.

Lindquist stressed, however, that "we do not give a seal of approval.  What we do is take known threats and we have very good access in the government to the agreed list of cyberthreats...what we do say is what we looked at and what we found and if we found things, what corrections were made."

Huawei, an equipment and networking giant whose global sales of gear and software skyrocketed over the past ten years, topping $30 billion in annual revenue, is viewed by some military and cybersecurity specialists as a threat to the security of critical telecommunications infrastructure.  Some Huawei opponents believe that the company is bankrolled and controlled by the Chinese government, which is arguably the most active nation-state engaged in cyber espionage and hacking.  They further suspect the motives of Huawei's founder, Ren Zhengfei, who formed the company after leaving a civilian-ranked engineering post in the Chinese military.

As a consequence, detractors argue, Huawei has both the capability and the incentive to introduce hard-to-detect backdoors and other vulnerabilities into the products it sells to telecom companies, for the benefit of China's economic and military interests.  Other experts, however, contend that the focus on Huawei, and to a lesser extent on another telecom tech giant, ZTE, is a form of paranoia inappropriately fixed on Chinese companies, fed by the often overheated and sometimes nationalistic rhetoric surrounding cybersecurity matters.

Cyber 9/11 Likely to Target Industrial Control Systems, Originate from U.S. IP Address


If a cyber 9/11 were to occur, the most likely targets would be the industrial control systems that operate the nation's electric grid and other critical infrastructure. And chances are it won't be noticed at first, partly because the attacker's traffic will appear to originate from an IP address in the U.S., two top experts told a Senate Judiciary subpanel today.  "There are no networks in the U.S. that haven't been broken into and in many cases you can break into the equipment and break that," former NSA and DHS official Stewart Baker told the Senate Judiciary subcommittee on crime and terrorism.

From that perspective, the most likely scenario for a cyber 9/11 to take place is an attack on critical infrastructure where true equipment damage occurs.  "The real risk is that the attacker can hack into industrial control systems and hack into power systems, pipelines" and other essential systems, Baker said.

"I don't think the first attack, if it's truly remote, will be noticed…it will come from an IP address in the U.S.," Kevin Mandia, CEO of security firm Mandiant, said, noting the propensity of attackers to route through compromised U.S. systems.   "Almost every single attack we currently respond to, there are hop points in the U.S."  But even the best-devised cyber attack is not a sure thing.  "Even from the attacker's perspective, the results will be unpredictable," Mandia said.

Mandatory cybersecurity requirements for critical infrastructure help boost security, Mandia said. "It has been my experience if there is a standard imposed on your industry, the cybersecurity is better."  Even then, though, threats get through.  "When it comes to critical infrastructure, the majority of cybersecurity programs [Mandiant has been called in to examine] were mature…but they were still breached."

The hearing, aimed at examining law enforcement and private sector response to cyber threats, follows the introduction yesterday of a bipartisan Senate bill, the Deter Cyber Theft Act, which would require the Director of National Intelligence to produce an annual report listing foreign countries that conduct cyber-espionage against the U.S.  Both Mandia and Baker clearly identified China as the top foreign country engaging in cyber spying and related activities, with Russia a very distant second.  "China is the reason my company doubles in size every year," Mandia said.

Verizon's Wade Baker: Look for Repeating Patterns in Cyberthreats


Cybersecurity threats follow certain patterns and are not chaotic, Verizon's Managing Principal for RISK Intelligence Wade Baker said today during a webinar discussing the company's latest, widely reported annual Data Breach Investigations Report (DBIR).  With a nod to science and spiritual philosopher Gregg Braden, who popularized the concept of repeating patterns in nature called fractals, Baker said that the key to understanding how to manage data breaches is to look for patterns of simplicity.  "If we do, it's really important to how we defend our systems," he said.

If cyber threats are complex, then the methods of managing them become complex too.  But if you look for similar, repeating patterns, then effective systems for combating threats emerge.  "If it's chaotic, then we have to implement complicated controls," Baker said.  But "if there are patterns, we can set up logical defenses instead of worrying about the seemingly more complex," and ultimately harder to implement, solutions.

In analyzing the data shared with Verizon by 19 global organizations, "we see these patterns emerge and those patterns are pretty clear and distinct from each other...they're not chaotic."  Citing one analysis of 315 incidents that could be categorized according to associations among actors, actions, assets and attributes (the "4 A's," the set of metrics developed as part of the Vocabulary for Event Recording and Incident Sharing, or VERIS), Baker noted that there are ten or twelve patterns that seem to repeat constantly.

"This is really good news for defenders," he said.  For example, if a firm has intellectual property or trade secrets, then understanding the patterns of groups that target these kinds of assets makes for a much better defense.
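To make the "look for repeating patterns" idea concrete, here is an added example (not Verizon's code, and not DBIR data) that reduces each incident to its 4 A's signature, counts how often each signature recurs, and asks the two questions Baker raises: how few patterns account for most incidents, and which patterns hit the assets a given defender actually owns. The incident rows are constructed for illustration, and the "category:variety" field values are an assumed simplification of the nested VERIS enumerations.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# A pattern signature over the four VERIS "A"s: (actor, action, asset, attribute).
Signature = Tuple[str, str, str, str]

# Constructed sample incidents for illustration only; values are written
# "category:variety" as an assumed shorthand for the VERIS enumerations.
INCIDENTS: List[Dict[str, str]] = [
    {"actor": "external:state-affiliated", "action": "hacking:stolen-creds", "asset": "server:file", "attribute": "confidentiality"},
    {"actor": "external:state-affiliated", "action": "hacking:stolen-creds", "asset": "server:file", "attribute": "confidentiality"},
    {"actor": "external:state-affiliated", "action": "hacking:stolen-creds", "asset": "server:file", "attribute": "confidentiality"},
    {"actor": "external:organized-crime", "action": "malware:ram-scraper", "asset": "server:pos", "attribute": "confidentiality"},
    {"actor": "external:organized-crime", "action": "malware:ram-scraper", "asset": "server:pos", "attribute": "confidentiality"},
    {"actor": "external:organized-crime", "action": "malware:ram-scraper", "asset": "server:pos", "attribute": "confidentiality"},
    {"actor": "external:organized-crime", "action": "malware:ram-scraper", "asset": "server:pos", "attribute": "confidentiality"},
    {"actor": "internal:employee", "action": "misuse:privilege-abuse", "asset": "server:database", "attribute": "confidentiality"},
    {"actor": "internal:employee", "action": "misuse:privilege-abuse", "asset": "server:database", "attribute": "confidentiality"},
    {"actor": "external:activist", "action": "hacking:sqli", "asset": "server:web", "attribute": "integrity"},
    {"actor": "external:activist", "action": "hacking:sqli", "asset": "server:web", "attribute": "integrity"},
    {"actor": "external:unknown", "action": "physical:theft", "asset": "user-device:laptop", "attribute": "availability"},
]


def signature(incident: Dict[str, str]) -> Signature:
    """Collapse an incident to the 4 A's tuple that defines its pattern."""
    return (incident["actor"], incident["action"], incident["asset"], incident["attribute"])


def pattern_counts(incidents: Iterable[Dict[str, str]]) -> Counter:
    """Count how often each 4 A's signature recurs across the incident set."""
    return Counter(signature(i) for i in incidents)


def patterns_covering(incidents: List[Dict[str, str]], fraction: float) -> List[Tuple[Signature, int]]:
    """Return the fewest most-frequent patterns that together account for at
    least `fraction` of all incidents (most_common orders by count, then by
    first appearance, so ties resolve deterministically)."""
    needed = fraction * len(incidents)
    covered = 0
    chosen: List[Tuple[Signature, int]] = []
    for sig, n in pattern_counts(incidents).most_common():
        chosen.append((sig, n))
        covered += n
        if covered >= needed:
            break
    return chosen


def patterns_for_asset(incidents: Iterable[Dict[str, str]], asset_prefix: str) -> Counter:
    """The defender's view: which actor/action patterns hit assets matching
    `asset_prefix` (e.g. "server:" for all servers, "server:file" for one type)."""
    return Counter(signature(i) for i in incidents if i["asset"].startswith(asset_prefix))


if __name__ == "__main__":
    for sig, n in pattern_counts(INCIDENTS).most_common():
        print(f"{n:3d}  {sig}")
    top = patterns_covering(INCIDENTS, 0.75)
    print(f"{len(top)} pattern(s) cover 75% of {len(INCIDENTS)} incidents")
    for sig, n in patterns_for_asset(INCIDENTS, "server:file").items():
        print("file-server pattern:", sig, "x", n)
```

Run it as a script to see the pattern table; on the constructed data, three of the five signatures cover 75% of incidents, which is the shape of the "good news for defenders" argument: a defender who owns file servers can read off the one pattern (state-affiliated actors using stolen credentials) that accounts for every incident against that asset type and build controls against it first.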

During the webinar, Baker added further insight into the DBIR's findings.  One conclusion from the report is that the number of breaches at small firms (fewer than 100 employees) rose substantially between 2011 and 2012, with 193 of the 621 relevant breaches attributable to small companies.  Baker suggested that these are mostly small engineering firms that manufacture parts that flow upstream into the defense industrial base.

Another finding from the report is that state-affiliated breach incidents jumped dramatically between 2011 and 2012.  However, Baker suggested that the huge jump reflects better methods for identifying state-affiliated attacks and does not necessarily reflect a rise in those kinds of breaches.  "This is an increased ability to recognize that activity," he said, due to better information sharing and the rise of more groups tracking those actors.
