In order to actually achieve a sustained and productive national capability, we need to establish a
credible early warning mechanism for cyber that relies on the ability not just to share information but
also to correlate and analyze the information to identify patterns and trends of abnormal,
anomalous, or even malicious behavior to prompt the issuance of alerts and warnings, and even
recommended protective measures. Such information then would be shared with stakeholders
broadly to raise awareness and provoke risk management actions.
Currently, too much effort, energy, and resources are spent on response and recovery. An
operational capability with an early warning mechanism would allow the United States to improve
detection, prevention, mitigation, and response to cyber events that may become incidents of
national or even global consequence. By flipping the equation, not only do we improve our overall
national cyber protection profile, but we also make it more difficult and more costly for the
adversaries, no matter their level of sophistication.
This model is not without precedent. By using technology to gather, correlate, and analyze data
streams related to climate and weather, the United States has significantly improved its ability to
predict serious weather events and, by issuing early alerts and warnings along with recommended
protective measures, has reduced the impact of such events and likely saved lives. Similarly, by
using technology to gather, correlate, and analyze health data streams with the appropriate privacy
protections, the United States has significantly improved its ability to predict serious health events
such as measles outbreaks and the H1N1 virus and, by issuing early alerts and warnings along with
recommended protective measures, has reduced the impact of such events and likely saved lives.
In the same way, the United States can create a comprehensive and sustained national capability to
improve detection, prevention, mitigation, and response to cyber events that may become incidents
of national or even global consequence by identifying patterns and trends of unusual, anomalous, or
even malicious cyber activity that would prompt timely alerts and warnings and even recommended
protective measures.
Accordingly, the improved sharing of threat indicators between industry and government,
remembering that such indicators are not personal information but instead include items such as IP
addresses and file hashes, is an important step, but not the only step that is necessary to improve
our ability to protect against, defend against, and respond to cyber events of national or even global consequence.
Creating a truly functioning operational capability, not just the push and pull of information, but the
necessary analysis to identify troubling behavior and issue early warnings to stakeholders is critical.
Lastly, there is another important information sharing step that does not require legislation and
should be implemented immediately. When large-scale cyber intrusions occur, the government is
often engaged not just to assist with mitigation and remediation, but also in a law enforcement and
investigative role. Such a process will typically identify the tactics, techniques, and procedures
utilized by the intruder, and may also identify which protective measures, had they been in place,
might have reduced the impact or prevented the event altogether. An after-action report will often
identify findings and recommendations resulting from the investigation.
10 Cyber Warnings E-Magazine – September 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide