Speaking on behalf of myself,

Dear U.S. Government:

I was reading some interesting articles the past few weeks:

http://www.reuters.com/article/2013/05/15/...
http://www.networkworld.com/news/2013/...
http://www.securityweek.com/dhs-share-zero-day-intelligence
http://www.csoonline.com/article/733557/...
http://www.dhs.gov/enhanced-cybersecurity-services

and with the understanding that:

• my livelihood right now depends on building tools that facilitate data-sharing and trust relationships
• I’m sure there are misunderstandings in the reporting
• this process requires some level of sustainability to be effective
• this process requires some extra care with respect to sensitivity, legal and ethical constraints (not to mention cultural implications)

The USG is causing a huge disservice to protection and defense in the private sector (80%+ of CIKR¹) by creating an ECS that contains monetary incentive for a few large players to exert undue control over the availability, distribution, and cost of security threat indicators. While there may be a legitimate need for the federal government to share classified indicators to entities for protecting critical infrastructure, the over-classification of indicator data is a widely recognized issue that presents real problems for the private sector. ECS as currently construed creates monetary incentives for continued or even expanded over-classification.

The perception of a paid broker-dealer relationship with the USG sets a very unsettling precedent. Private citizens are already concerned about the relationship between the intelligence community and the private sector and these types of stories do very little to help clear the FUD. Compounded with the lack of transparency about what constitutes classified data, how it protects us and the relationship agreement between the entities sharing the data, this type of program could do much more economic harm than good. Many private sector orgs have indicators that the USG would find useful, but have given up trying to share them. The current flow suggests that we would send data thru competitors to get it to the USG, would never scale well in a free-market based economy.

The network

As with the “PDF sharing programs” of the past (err… present?), it also appears to be a system that adds cost to the intelligence network with the addition of each new node, rather than reducing it. High barriers to entry for any network reduce that network’s effectiveness, and in a free market economy, eventually isolates those nodes from the greater network where the barrier to entry is lower. I get it, I understand why certain things are happening, I’m arguing that it’s NOT OK. My intent is to widen the dialog a bit to see where we, as an operational community can step up and start doing a better job of leading, instead of allowing the divide between the USG community and the operational community to widen.

Before tackling ECS, the USG should strongly address the over-classification issue. It should establish efficient and effective means for engaging with existing operational information exchanges that are working now in the private sector. Most useful indicators to the non-govt community are not classified, and in my understanding, much of the classified intel is classified due to its “source, method and/or attribution”, not the actual threat data. Finding a way to mark the data appropriately and then share it directly with a (closed) community will be a good thing. Washing the data thru a classified pipe does nothing to make the data more useful to the non-classified community. While the exchange of classified intelligence problem still exists, figuring out how to scale it to the unclassified environment will more aggressively help solve scaling it in an classified environment (more players can help solve similar problems across many spaces).

Economics

In my opinion, we should be leveraging existing, trusted security operational fabrics such as the ISC (SIE), TeamCymru, Shadowserver, Arbor networks, Internet Identity, the APWG and the ISAC’s (to name a few, based on the most recent industry wide effort, DNS Changer Botnet takedown) that have facilitated great public/private partnerships in the past². Leveraging this existing framework for intelligence exchange would have been a much more valuable investment than what this is perceived to be, or what development has taken place thus far. There are also a number of ISP’s² who actively pursue a better, more cleaner internet that have proven to be great partners in this game.

The tools and frameworks for this type of intelligence sharing have existing semi-developed (workable) economic models and more importantly, they consist of those who actually run the internet (ISP’s, DNS providers, malware researchers, a/v companies, large internet properties, financial institutions, international law enforcement, policy advisors (ICANN/ARIN/etc) and other sector based CSIRTS). These operational communities have already taken down botnets, put people in jail and in some estimates, saved the economy billions of dollars at a global scale over the last few years. The process has proven to work, scale, and is rapidly maturing.

It is my opinion that a subsection of USG agencies are falling behind in the realm of intelligence exchange with the operations space. The rest of the world is moving towards the full-scale automation of this exchange across political boundaries and entire cultures. All this while finding unique and interesting, market friendly ways of reducing our “exchange costs”. As a nation, we’re at a crossroads. There are operational folks from within the USG that actively participate in these communities help make the Internet safe and “do the right thing”. There are elements within the USG (mainly on the “national security” side) that appear to operate in isolation.

The argument I’m sure to hear is “well, wait, we’re working on that!”. In my opinion, whatever “that” is, is mostly a re-invention of existing technologies and frameworks that will mostly only ever be adopted by those that get funding in the .gov space to implement it, which still isolates the USG from what the rest of the operational community is already doing. Competition of ideas is good, it encourages innovation and all, but it’s something we should be taking a hard look at and asking if it’s the best use of our limited resources…

I’ve been pitched my own ideas from enough belt-way startups that it almost makes me want to scream… almost.

The bigger picture

My concern is that, it’s becoming evident that the decision makers for some agencies are making choices that could ultimately isolate their operational folks from the rest of the operational world (whether in terms of principal, or in terms of trust, or fear of legal action, etc). As private industry progresses and parts of the USG fall further and further behind, this can only hurt us as a nation, and as a culture.

My suggestions:

• fix the classification problem with respect to non-attribution type threat intelligence
• parallel to the the classified sharing projects, DHS should be working more aggressively with the rest of industry with as much unclassified intel as possible, figure out where we can bridge the gaps
• encourage participation with things like the NCFTA, SIE, TeamCymru, ArborNetworks, Shadowserver, Internet Identity, the APWG and the ISAC’s when working to share intelligence, not through private 3rd parties whom have a noted history as the industry standards for operationalizing and disseminating threat intelligence.
• encourage long term participation with the FBI at NCFTA, take lessons learned from their adventures in intelligence sharing and locking up bad-guys.

If you want to be more successful (reads: we want you to be more successful), don’t put so much emphasis on standards or how to disseminate classified information, and more on how to aggressively share unclassified intel with your constituents. We have lots of data we’d like to share with you to help protect our national investments. If the USG can get to that place (without invoking something like CISPA, which makes zero sense in a free market economy), the classified problem will solve itself, while only accounting for .001% of the data being shared (reads: will not be such a distraction).

I know some in the USG understand this and are fighting the good fight, but it’s clear that not enough at the higher levels of government do (reads: have you written your elected officials lately?). When you combine this with haphazard style of reporting (terrible at best) and lack of a clear message (reads: translucency), these types of ill perceptions can run rampant and do more economic harm that good to the national process.

I personally will be pushing harder in the coming months in figuring out how we, as the operational community can do more to bring more of USG folks into the fold in terms of building out more sustainable operational relationships. Also, facilitating ways we can share classified intel more aggressively in the future. My goal, is that in the coming year or two, we can change the culture of over-classification while bridging the gap with the rest of the operational industry when it comes to protecting the internet. In order to protect ourselves from economic threats that vastly outweigh our individual business models, there has to be a better solution than the [perceived?] sale of classified intel.

Why we’re re-inventing the wheel, why our federal government clamors for “the need to share intel with industry” but appears to not be listening, at-least to the right people, who have a good record of sharing highly sensitive intelligence globally, and operationalizing it ... is beyond me. Washington is a very large echo chamber, and is such a large economy unto itself, that sometimes I feel like the process can sometimes drown out what’s going on just a few miles down the road.

Sincerely,

Wes.

¹ http://www.dhs.gov/blog/2009/11/19/cikr

²
http://www.fbi.gov/news/stories/2011/november/malware_110911/...
http://www.dcwg.org/isps/
http://www.dcwg.org/detect/
http://www.nytimes.com/2009/03/19/technology/...
http://krebsonsecurity.com/2012/05/microsoft-to-botmasters-abandon-your-inboxes/...

³ As denoted at the bottom of http://www.dcwg.org/detect:

• AT&T
• Bell Canada
• Century Link
• Comcast
• COX
• Shaw Communications
• Telecom Italia
• Time Warner
• Verizon