«Written Testimony of Mr. Mark G. Clancy, Chief Executive Officer, Soltra Before the Committee on Homeland Security United States House of ...»
This is important to note because as a company builds information sharing products it will need to support a range of needs and maturity levels. It will also need to have the capability to receive feedback on existing products in addition to the ability to consume new submissions from the community. Finally, a company will also need to create methods to address the level of trust needed between members of a community as that community scales and the parties become more remote to each other.
CISA IMPLEMENTATION
It has only been six months since CISA was signed into law, and while there has been a rapid fire of activity in that time, more work certainly remains to be done. Guidance issued by DHS/DOJ on how to submit information under CISA adhered to the letter of the law and described private-to-government sharing, but was silent on private-to-private sharing. This created some confusion concerning the scope of liability protection and when that protection might apply. As an example, the FS-ISAC had to send a memo to all its members to clarify that the protection in the law did apply to private-to-private communications within the FS-ISAC membership. As recently as Thursday, June 9, 2016, DHS advised that CISA covers private-to-private sharing and that it would be included in the revised guidance required by Congress on June 15, 2016.
Soltra is one of the handful of companies that has already enrolled in DHS’s Automated Indicator Sharing (AIS) program. As required by law, in March 2016 DHS opened access to its AIS platform along with the procedural documents describing how to submit data in compliance with the law’s requirement related to personal information. DHS has been a helpful partner in this process, and, as is normally the case in any program, there are a number of areas that would benefit from clarification at this juncture. They include:
1. Additional guidance is needed from DHS on the definition of Personally Identifiable Information (PII). Thus far, the definition of PII in the AIS submission guidance differs from the definition of PII in other DHS programs, and PII was not defined in the Act. The vast majority of information sharing about cyber threats does not involve any personal information, but it needs to be made clear which definition of personal information will be used across DHS programs. The financial sector sent a letter on May 11, 2016 to DHS and the U.S. Department of Justice asking for clarification on this matter.
2. Current “Lessons Learned” Using the AIS System: Streamline the process for signing up for AIS: To enroll in the AIS program, participants need to execute two agreements with DHS, enroll to get an authentication certificate from an approved FedBRIDGE provider, and submit network address information and technical details of the sharing platform to be used.
Digital Certificates: The AIS process requires all users to obtain a digital certificate from one of the three FedBRIDGE providers, which has become a cumbersome process.
As background, these certificates are traditionally issued to individuals to support strong authentication and email encryption, whereas the use case for AIS is to authenticate a machine used for sharing within a company. At this juncture, the AIS system requires a single person within the company to obtain the certificate, which then has to be loaded into the server that communicates with the AIS system. That supposedly automated process actually requires paper documentation that has to be sent to DHS via the U.S. mail system. While the need for authentication is critical, there is an inherent disconnect between a certificate process built around an individual and the ultimate goal of the AIS system, which is machine-to-machine sharing. Going forward, it would be more helpful for a system to be created that allows an organization-level credential to be issued to the server used by the company to participate in the program. Other submission methods, such as the web form and fax, do not have the same authentication requirements.
AIS Changes to STIX/TAXII Fields: Various aspects of the law as well as its implementation have caused DHS to modify aspects of the STIX/TAXII fields. AIS also includes a series of “required” fields in the STIX data submitted to the department; if they are not included, any attempted submission from a company is rejected. It would be helpful for DHS to specify those fields up front in order to help companies understand what needs to be done in advance of connecting to the AIS system.
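The rejection-on-missing-field behaviour described above is the kind of thing a submitter would rather catch locally than discover after a failed submission. The following is an added example (not Soltra’s, DHS’s or AIS’s own code) of a pre-submission check over a STIX 1.x package: it parses the XML and reports every required element that is absent, rather than failing on the first one. The list of required fields, the TLP colour rule, the per-indicator checks and both sample packages are constructed for this example; the actual AIS required-field list must come from the DHS submission guidance.

```python
"""Local pre-submission check for a STIX 1.x package (added example, not DHS/AIS code)."""
import xml.etree.ElementTree as ET

# STIX 1.x namespaces used by the sample packages below.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "marking": "http://data-marking.mitre.org/Marking-1",
}

# ASSUMED required fields, constructed for this example; each entry is
# (description, XPath relative to the STIX_Package root). Replace with the
# field list published in the AIS submission guidance.
REQUIRED_ELEMENTS = [
    ("package title", "stix:STIX_Header/stix:Title"),
    ("information source identity",
     "stix:STIX_Header/stix:Information_Source/stixCommon:Identity"),
    ("handling marking",
     "stix:STIX_Header/stix:Handling/marking:Marking/marking:Marking_Structure"),
    ("at least one indicator", "stix:Indicators/stix:Indicator"),
]
TLP_COLORS = {"WHITE", "GREEN", "AMBER", "RED"}


def check_package(xml_text):
    """Return a list of problems found; an empty list means the package passes."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    if root.tag != "{%s}STIX_Package" % NS["stix"]:
        return ["root element is not stix:STIX_Package"]
    if not root.get("id"):
        problems.append("missing STIX_Package id attribute")

    # Report every missing required element, not just the first one.
    for desc, path in REQUIRED_ELEMENTS:
        if root.find(path, NS) is None:
            problems.append("missing required field: %s" % desc)

    # The TLP marking extension carries the colour as a 'color' attribute.
    marking = root.find(REQUIRED_ELEMENTS[2][1], NS)
    if marking is not None and marking.get("color") not in TLP_COLORS:
        problems.append("TLP marking has invalid or missing color: %r" % marking.get("color"))

    # Assumed rule: every indicator needs an id and a Title.
    for n, ind in enumerate(root.findall("stix:Indicators/stix:Indicator", NS), 1):
        if not ind.get("id"):
            problems.append("indicator #%d has no id" % n)
        if ind.find("indicator:Title", NS) is None:
            problems.append("indicator #%d has no Title" % n)
    return problems


# Constructed sample: a package that satisfies every assumed requirement.
GOOD_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:marking="http://data-marking.mitre.org/Marking-1"
    xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-0001" version="1.2">
  <stix:STIX_Header>
    <stix:Title>Constructed sample submission</stix:Title>
    <stix:Handling><marking:Marking>
      <marking:Controlled_Structure>//node() | //@*</marking:Controlled_Structure>
      <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="GREEN"/>
    </marking:Marking></stix:Handling>
    <stix:Information_Source>
      <stixCommon:Identity><stixCommon:Name>Example Org</stixCommon:Name></stixCommon:Identity>
    </stix:Information_Source>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator id="example:Indicator-0001" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed phishing sender indicator</indicator:Title>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed sample: no handling marking, no information source, indicator without id.
BAD_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-0002" version="1.2">
  <stix:STIX_Header><stix:Title>Incomplete sample</stix:Title></stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Title>Indicator missing its id</indicator:Title>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

if __name__ == "__main__":
    for name, pkg in (("good", GOOD_PACKAGE), ("bad", BAD_PACKAGE)):
        print(name, check_package(pkg) or "ready to submit")
```

Running the check over the two constructed packages reports the good one as ready and lists three separate problems for the bad one, which is the behaviour a submitter wants before a live AIS connection rejects the whole package.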
Clarify how CISA protections apply to CISCP: The AIS program does not support submissions of Proprietary Information (PROPIN) or Protected Critical Infrastructure Information (PCII), although DHS does indicate that information submitted under the CISCP program can receive protections for PROPIN or PCII. Many companies are used to submitting both PROPIN- and PCII-related information, and it would be critical to ensure that companies can continue to do so, hopefully using the AIS system for the sake of ease.
DHS should also issue guidance on how the CISCP program fits under CISA to provide greater clarity.
Add a Test Environment Where Companies Can Ensure Their AIS Interface Works Effectively: As is the case with many systems, it is preferable to be able to test whether or not a company’s systems are interoperable with the AIS platform. Short deadlines in the law required the AIS system to be stood up quickly, and at this point DHS does not have a system integration or test environment available. As a result, a company must attempt to work out the various issues in the live production environment. Moving forward, a test environment would be helpful for other companies and may allow for greater participation and ease of use in the future.
NEW DATA POINTS TO ADD TO AIS
There are three main data points that the private sector would like to see added to the AIS system to help increase the effectiveness of the AIS system:
1. Types of Threat Actors: It would be exceptionally helpful if the AIS data could include an assessment of the type of threat actor behind the activity when that is known. It is clear that there are practical challenges to “naming names” in an unclassified context. However, examples exist, including the 2013 Defense Science Board report, “Resilient Military Systems and the Advanced Cyber Threat,”3 which includes a six-tier scale that would provide sufficient context to companies without naming specific actors.
2. Defensive Measures: One of CISA’s objectives was to support the development of “defensive measures”. While more work will be needed to get to that point, AIS could add recommendations on how recipients might use the AIS data sets. For example, if a set of AIS information were to include a suggested defensive measure of “block, mitigate, or monitor”, it would inform consumers of the best type of “defensive measure” to employ even if detailed recommendations are unavailable. This would be an important benefit of the AIS system that could bring a greater number of participants into the system.
3 http://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
3. Feedback Loop and Context for Data: Context is important for all companies that participate in the AIS program. As the AIS system continues to be fine-tuned, there are a number of issues that would be helpful to review and clarify and that may increase connectivity and participation overall. As we know, the spectrum of possible participants will bring with them different skills, capabilities, and maturities, so the downstream recipients of what is submitted to AIS want to understand the context and credibility of the information they receive from AIS. These types of questions are foundational issues raised by the variety of sectors Soltra supports, including those that are participating in the AIS program and those who have indicated they intend to participate in the near future. Industry participants will want to be able to select the type of data they receive from AIS, which could include sector-specific or even cross-sector information. Levels of “trust” associated with the data will be important, and industry participants will want to understand what process DHS will use if AIS members ask for more specific information from the AIS system, including the ability for DHS to reach back out to the original submitter of the data. Ultimately, DHS will need to be able to communicate how its internal process is set up to identify and vet the data submitted, a challenge that many ISACs have gone through themselves. The DHS guidance does mention a process that will be put in place to deal with false positives and mechanisms for updating data, and it will be critical that DHS provide clarity on that quickly.
CYBERSECURITY INFORMATION SHARING AND COLLABORATION PROGRAM (CISCP) AND PRIVATE SECTOR SECURITY CLEARANCES UNDER CISCP
Many of Soltra’s customers and community members participate in the CISCP program, which is widely viewed as a beneficial program that facilitates cross-sector engagement with government. It brings private-sector and government analysts together at quarterly in-person meetings, the Advanced Technical Threat Exchanges (ATTE). CISCP also allows the private sector to work on the National Cybersecurity and Communications Integration Center (NCCIC) floor, giving participants access to DHS, law enforcement (LE) and Intelligence Community (IC) analysts. We are seeing an increase in production around CISCP analysts turning FS-ISAC reports into CISCP Indicator Bulletins.
CHANGES TO SECURITY CLEARANCES NEEDED
Challenges continue to exist in obtaining security clearances for companies. First, after the cybersecurity attack on the Office of Personnel Management (OPM), clearance times are much longer.
Second, it would be helpful if there were more transparency into the process, with key performance metrics being made available to Critical Infrastructure and Key Resources (CIKR) members or their ISACs. These should include monthly breakdowns, by sector and clearance type, of the number of new clearances requested, the number of investigations completed, the aging of applications by stage, the number of reinvestigations initiated/completed per month, and the median time for each stage.
Third, there have been a number of changes to the security clearance program that have caused challenges for many companies, including those who have historically had individuals on the NCCIC floor. As background, private sector companies have two routes to have essential personnel cleared for access to Classified Information. The first is the Private Sector Clearance Program (PSCP), initiated via the sector-specific agency and sponsored/operated by DHS, which holds clearances to the Secret level. The second route is by executing a Cooperative Research and Development Agreement (CRADA) with DHS. With a CRADA in place, the firm needs to have a Facility Clearance (FCL), which allows it to hold staff clearances up to Top Secret and have access to the NCCIC floor.
A recent change that greatly impacted a number of ISACs was the requirement to have the FCL in place for their company. This was not a requirement of the CRADA process for CISCP as DHS originally rolled it out; it was added at a later date by the Defense Security Service (DSS). A number of ISACs did not have current FCLs and therefore were removed from the NCCIC floor, leaving no representation in the coordination process for those sectors. These ISACs do not have classified work areas in their offices and were using the NCCIC floor for any handling of classified materials. The requirements for obtaining the FCL are determined by the DSS. One attribute of this process is a requirement to clear the top executives or board directors of the company.
This program requirement made a lot of sense in the Defense Sector, where the main objective of the FCL was managing contractors working on defense system projects. With the cybersecurity threat, the majority of the attack surface is in the private sector, and many of the companies are multinationals with non-US citizens on corporate boards or in executive management, rendering the existing scheme less suited to today’s environment.
The CISCP program with DHS requires a CRADA to be in place for the receipt of unclassified information such as Cyber Threat Indicators. As a direct result of the change requiring the FCL for the CISCP CRADA, a number of financial sector firms are in the process of ending their CRADA with DHS and going back to using the PSCP program, to avoid the entanglement of having top executives or board members without cybersecurity responsibilities hold clearances that are orthogonal to their duties for the company. Again, this is to receive unclassified information from the DHS CISCP program.
The ISACs that have an FCL will participate in CISCP via the CRADA and then be able to share unclassified information from CISCP with their members. As a practical matter, when classified information is shared with the private sector, this is done in a U.S. Government facility with the appropriate FCL in place. It is unclear how ISACs that do not have the FCL will participate in the CISCP program going forward.
In addition to the problems with the CRADA and FCL, the problems and frustrations with the clearance processes themselves remain.
NEXT STEPS
Implementation of the Cybersecurity Information Sharing Act is moving forward quickly, and DHS, DOJ and Congress are to be commended for how quickly the AIS system has been stood up and for issuing the various guidance documents on time. As with every system, there are lessons learned and items that can be improved, and we look forward to working closely with DHS and others to achieve our collective goal.
Soltra and Soltra Edge are bringing cutting-edge innovation and technical capabilities to the cybersecurity information sharing process. Soltra Edge provides a simple and easy solution by supplying the core backbone and technical processes whose absence has previously kept many companies from sharing, in the belief that the process is too cumbersome or difficult just to get started. Soltra is helping companies in all sectors increase the ability and likelihood that information sharing will provide vastly improved cybersecurity defenses and ultimately make it harder and more expensive for attackers. We look forward to working with this Committee, Congress and the Executive Branch, as well as with all of our private sector partners, to achieve our collective goals.