A new Congress proposal for a cybersecurity data sharing setup
To organize cybersecurity, agencies need to organize their data. Beyond data lakes or data stores, important as they are, government needs what you might call a concept of operations. This is where one of the key recommendations of the US Cyberspace Solarium Commission comes in. To learn more, Federal Drive with Tom Temin spoke with the senior director of the US Cyberspace Solarium Commission, Robert Morgus.
Tom Temin: The commission recommended this environment of joint collaboration. Let's talk about the goal first, and then we'll talk about how it could be constructed.
Robert Morgus: Of course, thank you for having me, Tom. The joint collaborative environment is, as you said, a recommendation that the commission made in March 2020. The underlying idea is to create a collaborative environment, as you can probably see from the title, that helps pool federal government data on cyber threats and cyber incidents, and ultimately allow the private sector to go online and both share information and then glean information. I think the way we look at this particular proposal being implemented, if it comes to fruition over the next few years, is not a few steps, where you have to work on the federal government side to get the information that the different departments and agencies are collecting from both the high side and the low side. We have to get all kinds of things consolidated, standardized and somehow interoperable, shared in this environment. Then the second step will be to figure out a way to plug in the private sector.
Tom Temin: And would that include the entire federal government, that is, the intelligence community, the Department of Defense, and civilian agencies?
Robert Morgus: It's a good question. And I think ultimately the answer should be yes. Whether we get there or not, I think it's still an open question. I think the model for something like that looks at the UK, where they have the national cybersecurity center. And most importantly over there, they've got some kind of a high side story, basically in the building, they have a low side story. And these two are talking to each other. But they're not necessarily in the same environment. I think I could see something similar with the joint collaborative environment, where you have a high side that's plugged in and talking to the low side, potentially providing information, but you do not necessarily have all of the high status flowing directly into the environment.
Tom Temin: Almost like a Bletchley Park for the 21st century.
Robert Morgus: No different, no different.
Tom Temin: And where does the commission envision this common collaborative environment to live? It would probably be, I guess, an agency that would be the CEO, if you will, to operate it?
Robert Morgus: Yes, I think that's the logical place for that. Given the kind of interest on the Fed Gov side, then plugging in the private sector would be CISA at DHS. I think that makes the most sense, given the number of points of contact they have both within the federal government and on the federal government side. And then with the private sector, the key then becomes how you fit the intelligence community into it. And this is a relationship that I know, DHS and the fort, for example, are already working on this relationship. And that's something that I think still needs to be ironed out.
Tom Temin: And for that to happen, I mean, it's easy to say, yeah, I'm a big data store, and everyone contributes all of their data. But it seems that a lot of preparatory work would be needed on the part of the agencies to be able to share data. And there would have to be some sort of process by which the data could be interoperable. How do you see it all working?
Robert Morgus: Yes. So there are a few things that need to happen. And I think the first big move will be an authorization from Congress, because it has to be funded and authorized before it can be done. And I think part of that has to be kind of a likely nudge up the hill to get federal departments and agencies that are collecting relevant data on cyber threats, data on cyber incidents, to start talking to each other about the way they make sure that this data can interact with data from other agencies, right? So standardization, interoperability. There also needs to be some kind of conversation about the real infrastructure that would allow this, right? I mean, when we talk about a common collaborative environment, we think of a cloud environment. What does that mean in terms of connecting agencies? What kind of infrastructure do they need to modernize so that they can somehow interact with the cloud environment hosted by DHS?
Tom Temin: Yes. So, I mean, a lot of agencies already have cloud computing resources and contracts that they use both the DoD and now the intelligence community, as well as civilian agencies. So these existing mechanisms, although I guess have different levels of security, different levels of applications that they have in there, are you looking for something that would be totally separate from all of that?
Robert Morgus: Not necessarily, although you are talking about environmental safety. And I think that’s, that’s one of the big challenges something like that faces, because it’s supposed to be open to the outside at the same time. The private sector will go online, but you also want to make sure that you are not leaving the field open to adversaries.
Tom Temin: Well, and so let's imagine that there is a joint cooperative environment, that it exists and there are 88 petabytes of data. What would the application be, and how would it work in terms of detecting and responding to Rent?
Robert Morgus: So I think the great thing the environment would be able to do would be to provide more real-time environment than what we have now. I don't know, Tom, the anecdote we hear about how information flows between departments and agencies right now is the most common form of data sharing or information sharing right now is Microsoft Outlook. The environment would allow people to share data faster. I think the key is that you're sort of approaching real time when you talk about data sharing at this point. Ideally you would see agencies, departments, and agencies logging in and sending their feeds straight to the environment, and allow others to sort through, query that dataset, research tactics, TTPs, that they can sort of glean and see how they could better protect their own networks. Ultimately, I think you'd like to see the private sector, eventually, probably starting with that kind of big, critical infrastructure, private providers plugging in, the same way we would see departments and agencies. Though, like I said at first, I think it's kind of a two-step process: the first step is to get the fed gov's house in order before you can really bring some sort of meaningfully to the private sector.
Tom Temin: I think the metadata would be just as important as the data, because in order to do research to query a database, you have to know what there is. And so the metadata about what's in there and who it's available to would seem like a really important imperative to have at the center.
Robert Morgus: I would, I would think so. And, as we have seen, we have heard about the value of metadata especially in threat analysis, and in particular in translating threats in different environments, to different departments, different agencies, different types of assets. defensive. So yeah, I think the amount of metadata will be just as important as some of the granular indicators of compromise and the like.
Tom Temin: And for this database, let's call it data lake, whatever you call it, that data store, this environment, I can imagine it sending out real-time alerts, like algorithms attached to data, detecting things, but also as a research environment where people can go back and look at the long context, for example, of what was going on or whatever research purpose they might have. The environment as you see it, plan to support both real-time alerts and queries, as well as art store-based search of data that may no longer be operationally relevant?
Robert Morgus: I think in an ideal world, yeah. I think it's going to take a while to get there. I think of the success of the environment sort of within two years, five years, within 10 years, after it's kind of cleared and starts to be implemented. And I think within the two-year timeframe you see it more as some sort of relevant real-time information-sharing environment, that for most of the federal government, especially on the civilian side, the aisles are plugged in. As you increase the timeframe from two to five years, you start to see more longitudinal data, more opportunities for people to connect from a research perspective, and you start to integrate the high side. And after five years, I would like the environment to accommodate critical infrastructure providers and have a clear process within the plugin. And then sort of in the longer term, I think what's potentially really interesting about this would be the kind of development ops opportunity and the opportunity for people to start building apps and creating new widgets in the environment to make that happen a little easier, a little more accessible for people.