Department of Homeland Security, Fusion Centers & the Cyber Security Liaison Program: A sharing of intelligence
By: Kevin L. McLaughlin
March 9, 2013
The amount of data available through electronic means is hard to wrap your mind around, and even more daunting is figuring out how to gather the disparate pieces of data that exist in organizations that have suffered a cyber attack or other negative cyber event. The reality of the internet and its associated connectivity is that if one organization is experiencing a certain type of cyber event, so are many others. How to share attack information with others and, more importantly, how to receive actionable information about the attacks other organizations are seeing is a puzzle we need to solve if we want to reduce the cyber attacks launched against our organizations to a manageable level. One issue felt by private corporations is that they do not perceive that a safe harbor exists for sharing information that may be of interest to the intelligence community. Some private sector partners are heavily involved in information sharing programs such as the National Council of ISACs (http://www.isaccouncil.org), the National Initiative for Cybersecurity Education (NICE), the NIST National Cybersecurity Center of Excellence and the DHS National Cybersecurity and Communications Integration Center (NCCIC), all of which are good starting points for giving private sector information assurance professionals avenues into the cyber security information reporting pipeline. One of the primary issues with most of these programs is that they are, even if inadvertently, almost exclusively focused on critical infrastructure partners.
This focus on critical infrastructure, most likely prompted by the Cybersecurity Act of 2010, which aimed to increase collaboration between the public and the private sector on cyber security issues (Jilani, 2011), leaves other private organizations wondering what to do with the myriad of data captured by their security alerting infrastructure. “What can businesses and Uncle Sam do, together, to reverse this dangerous trend? There must be three areas of immediate focus. First, the public and private sectors need to share more information – more parties must be included and new platforms used” (Bataller, 2011; Newbill, 2008). Events such as a large scale loss of data to a foreign country are often remediated with no mention of the event ever made outside the corporate walls.
The U.S. Department of Homeland Security (DHS) has worked with state and local governments to establish fusion centers across the country to collect, analyze, and share information that assists in preventing, protecting against, and responding to crime and terrorism. These fusion centers often work in coordination and partnership with urban or regional Terrorism Early Warning Groups (TEWGs) so that relevant terrorism information can be processed, analyzed and shared quickly. The fusion centers also often work closely with US-CERT (http://www.us-cert.gov/) to share information about cyber incidents and relevant data, but once again the majority of the education and use surrounding this partnership is focused on federal agencies and private sector critical infrastructure partners.
On a daily basis we hear about a major negative cyber event (denial of service against the CIA website, denial of service against the U.S. Treasury website, the U.S. Census Bureau being hacked, China stealing yet another item of sensitive data, WikiLeaks, etc.) experienced by a U.S. federal, state, local, private or non-profit institution and the significant negative impact it caused. With the cyber threat being described by many senior U.S. government officials as one of the most significant threats to the homeland, it is understandable why cyber crime and negative cyber events are of great interest to DHS and the fusion centers. Unfortunately, in the author’s experience as a private sector partner tightly involved with regional and state fusion centers, there is limited structure outside the federal government and law enforcement agencies for passing information to these regional fusion centers, and an even more limited structure for the fusion centers to pass actionable warning and cyber event data to the non-government organizations in their area of responsibility (AOR). Even if a structure for bi-directional information sharing were in place, the private sector’s WIIFM (what’s in it for me) factor still needs to be addressed; without an incentive for taking the time to fill out a basic event information report and send it to their local fusion center, very few cyber security professionals will do so. Further, it is difficult for private sector staff to get the clearances necessary to receive effective and relevant information from their fusion center partners.
In early 2011 the University of Cincinnati’s (UC) Office of Information Security (OIS), in partnership with its state of Ohio and federal DHS liaisons, came up with a plan and program to make it simple for the private and educational sectors to share negative cyber event data with their regional fusion center. The UC model proposes that every organization with a cyber security person or team, not just critical infrastructure partners, provide a Cyber Liaison Officer (CLO, pronounced “See-Low”; name credited to Greg Seipelt, ISO at UC, 2011) to attend quarterly CLO group meetings with their regional fusion center liaison. These meetings are used to share information, to build strong working relationships, to convey why the cyber events within each organization are of tremendous value as intelligence to their brethren across the U.S., and to reinforce the idea that sharing cyber event knowledge allows each member to design more effective defenses and protection for their organization’s cyber infrastructure and its associated data.
The CLO program can be used to establish a private sector web reporting infrastructure that allows each identified CLO to create a Cyber Event Report (CER) quickly and easily and, with one push of a button, submit that report to their regional or state fusion center for analysis and, if appropriate, further dissemination. The fusion center could then produce two types of actionable report, classified and unclassified; the unclassified reports can be sent broadly across the CLO community, giving the CLO partners actionable intelligence derived from their peers’ events.
An example of how this concept works can be seen in the following hypothetical story.
The day was proving to be an exciting one for Team Havoc, the ACME Company’s cyber red team, as the attack they had launched against ACME’s premier web application had pwned it and provided deep access to the information in ACME’s core research database. Glacier, the red team leader, was evaluating the successful compromise and figuring out how ACME could best remediate the vulnerabilities his team had just found when he noticed an abnormality in the data stream he was analyzing.
“Hey Blackout, come over here.” Blackout was the team’s best data stream analyst. “What’s up, boss man?” “Take a look at this streaming data; it looks like it’s already outbound for a foreign IP address. I’m thinking we’ve already been hacked and have a serious issue here. What do you think?” “Whoa, boss man, that’s one pretty little hack job and yeah, it looks like we just lost all the research data on Project X.”
Glacier notifies ACME’s Cyber Incident Response Team (CIRT), briefs them on the incident and sits down to write his internal report. Being ACME’s CLO for the local fusion center, Glacier then opens his web browser, goes to the fusion center’s reporting application and provides an ACME-approved, sanitized version of the Project X hack: all the detail on the attacker and the type of attack used, but more generic information about the attack vector and what may have been compromised. Glacier knows that his fusion center contacts don’t care about ACME proprietary information, employee names or anything like that; they just want enough information to understand the hack and pass it to the rest of the U.S. CLO community so that others can put proper prevention measures in place or detect whether their own organization is suffering from the same negative cyber event.
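The sanitization step Glacier performs above, as an added example that is not part of the original article: a Python script that takes a hypothetical internal Cyber Event Report and produces the shareable version, keeping attacker-side detail (source address, domain, attack type, technique) verbatim while replacing victim-side identifiers (internal host names, RFC 1918 addresses, staff names and e-mail, project code names) with placeholders and reducing the target and the lost data to categories. The field names, the dissemination marking and the sample report are all constructed for the example; no real fusion center reporting schema is implied. The second function is the check the approver should run before pressing submit: it rescans the sanitized report for anything the scrub missed.

```python
"""Produce the shareable version of a Cyber Event Report (CER).

Attacker-side detail (source addresses, domains, attack category, technique)
is what other organizations need to detect the same activity, so it is kept
verbatim. Victim-side detail (host names, private addresses, staff, project
code names) is replaced with placeholders or reduced to a category.
Field names and the sample report are constructed for this example.
"""
import re

# Victim-side terms the report approver wants out of free text. In practice this
# list would be fed from the asset inventory and directory, not hard-coded.
INTERNAL_TERMS = {
    "Project X": "[internal project]",
    "ACME": "[reporting org]",
    "Glacier": "[staff]",
    "Blackout": "[staff]",
}

# RFC 1918 addresses belong to the victim network; public addresses are left
# alone because they are usually the attacker indicator worth sharing.
_PRIVATE_NETS = [
    re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"),
    re.compile(r"\b172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}\b"),
    re.compile(r"\b192\.168\.\d{1,3}\.\d{1,3}\b"),
]
_SCRUB_PATTERNS = [
    # e-mail before host names, so "user@host.internal" is not half-scrubbed
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[email]"),
    (re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:corp|internal|local)\b", re.I), "[internal host]"),
] + [(p, "[internal address]") for p in _PRIVATE_NETS]


def _scrub_text(text, removed):
    """Replace victim-side identifiers in free text, recording each one removed."""
    for term, placeholder in INTERNAL_TERMS.items():
        if term in text:
            removed.append(term)
            text = text.replace(term, placeholder)
    for pattern, placeholder in _SCRUB_PATTERNS:
        removed.extend(m.group(0) for m in pattern.finditer(text))
        text = pattern.sub(placeholder, text)
    return text


def _strings(obj):
    """Yield every string nested anywhere in a report."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from _strings(value)


def residual_identifiers(report):
    """Approver's second pass: list any victim-side identifier still present."""
    hits = []
    for value in _strings(report):
        hits.extend(term for term in INTERNAL_TERMS if term in value)
        for pattern, _ in _SCRUB_PATTERNS:
            hits.extend(m.group(0) for m in pattern.finditer(value))
    return hits


def sanitize_cer(report):
    """Return (shareable_report, removed_items) built from the internal CER.

    Internal-only sections (target, compromised, personnel) are dropped rather
    than blanked, so a recipient cannot infer structure from empty fields.
    """
    removed = []
    shareable = {
        # kept verbatim: attacker-side detail
        "attack_type": report["attack_type"],
        "observed_technique": report["observed_technique"],
        "attacker_indicators": list(report["attacker_indicators"]),
        "first_seen": report["first_seen"],
        # reduced to a category: victim-side detail
        "target_class": report["target"]["class"],
        "data_class": report["compromised"]["class"],
        "impact": "confirmed exfiltration" if report["compromised"]["exfiltrated"] else "attempted",
        "narrative": _scrub_text(report["narrative"], removed),
        # constructed marking; the fusion center decides the real classification
        "dissemination": "UNCLASSIFIED // CLO community",
    }
    return shareable, removed


# Constructed sample mirroring the Project X story above.
SAMPLE_CER = {
    "attack_type": "SQL injection against public web application",
    "observed_technique": "UNION-based injection in a search parameter, then bulk outbound transfer over HTTPS",
    "attacker_indicators": ["203.0.113.42", "exfil.example.net"],
    "first_seen": "2011-03-14T09:12:00Z",
    "target": {"hostname": "research-db01.acme.internal", "class": "research database"},
    "compromised": {"dataset": "Project X results", "rows": 1200000,
                    "class": "unpublished research data", "exfiltrated": True},
    "personnel": ["Glacier", "Blackout"],
    "narrative": ("Glacier (ACME red team lead) noticed a data stream from research-db01.acme.internal "
                  "(10.20.4.17) outbound to 203.0.113.42 during a scheduled exercise; Project X research "
                  "data appears to have been exfiltrated. Follow up with blackout@acme.internal."),
}

if __name__ == "__main__":
    report, removed = sanitize_cer(SAMPLE_CER)
    print(report["narrative"])
    print("removed:", removed)
    print("residual:", residual_identifiers(report))
```

The point of returning the removed list alongside the report is that the person approving release sees exactly what left the document and can spot a scrub that was too aggressive (an attacker domain caught by a victim-side rule) as easily as one that was too lax.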
The upside for the private CISO community is that they now get relevant and verified data from across the country, and DHS can cover the WIIFM for its private CLOs by providing qualified security resources, many of whom held Secret or Top Secret clearances in the past, with updated and reactivated clearances. Yes, there is a cost to the government agency for the clearance checks, but this is a commodity that no one else can provide to the ex-Special Agents, ex-military and others who have moved into the private sector, and the draw of maintaining one’s clearance level seems to be continuously undervalued by federal agencies that remain puzzled as to why they can’t get enough interest in their programs. Those of us who have proudly served, who are strong patriots and who now find ourselves working cyber security operations in the private sector are ready to continue serving, but we need to be able to show a clear value add to our corporate leaders and to ourselves.
Bataller, E. (2011). Cyber partnerships. InformationWeek, (1295), 21-24.
Jilani, S. S. (2011). Cyber security. Southasia, 15, 51-52.
Newbill, R. (2008). Intelligence sharing, fusion centers and homeland security. DTIC Online.
Conceptual assistance was rendered in conversations with my friend and colleague Greg Seipelt, University of Cincinnati student and cyber security professional, and with my University of Cincinnati students who participated in all of our Red vs. Blue Team cyber security events.
© Kevin L. McLaughlin – properly cited use is encouraged