Saturday, October 05, 2013

Red Sky Weekly: It shouldn’t be so hard!

I just read a piece in my RSS feeds where the head of NSA’s outreach to the corporate community for public/private partnering and information sharing was on the podium at the Chamber of Commerce. The speech was reported by Federal News Radio and posted to the internet, and as I read it, it took me back to two years ago when I left the government. I was the architect and operating director of the operational arm of the DoD public/private partnership run from the DoD Cyber Crime Center. It was called the DoD/Defense Industrial Base Collaborative Information Sharing Environment (say DICE --it's an acronym that could only come from the government!).

There were several reasons for my leaving, but the truth is, on the government side, the politics were a real bear, and I wasn't having much fun. For the government, the motivation became not as much about helping companies protect themselves, but more about budget and control. There were (are) big dollars in the federal budget associated with cyber, and everyone wanted their piece --NSA, DHS, DoD… and so the marketing machines spin up. The food fight begins. Messages become mixed, companies feel forced to work with all of them, and for many reasons, many do --but mostly out of concern for future acquisition and contractual concerns as Federal Acquisition Regulations go through updates to include cyber reporting requirements.

And you know what? The government should be able to work with the public. In fact, the government should work for the public. What does that mean? That means that NSA, and others, should willingly share cyber protective information and intelligence with the public, without the expectation of anything in return. The American cyber landscape needs help. Companies need help. So quit politicking and making speeches about how good it is. Quit asking companies to sign frameworks, and cooperative research and development agreements, and get security clearances.

Just tell us what you think we need to know, and don’t ask for anything in return.

It shouldn’t be that hard. But it is...
To demonstrate my point, I’m going to take this out of the cyber realm for a moment and show you a message that probably everyone, even non-smokers, will understand.

The surgeons general of nearly every country in the world put messaging on packs of cigarettes. Some are more elaborate than others, but the same message appears on all -- “Smoking Cigarettes will kill you”, or in the case of this New Zealand pack of smokes, the message on the front is pretty straightforward, but on the back is a full page ad and a picture of a rotted foot! Why am I talking about the message on a pack of cigarettes? Everyone knows that cigarettes kill, right?

It works because this message is simple, ubiquitous, and because it’s been published for so long, that a very high percentage of the global smoker community knows…. They may choose to smoke, but it could (probably will) kill you. 

Now try this one.. I received this warning in an email from the FBI earlier this week. Sorry for the resolution.. It’s the banner that appears at the bottom of reports that get pushed out to tens of thousands of people from the group formerly known as Infragard. It’s funny. Nearly everyone in my office has or has had a security clearance. Two of us were communicators in the military, but neither one of us could actually decipher the meaning of this banner --instructions on how/where we could send or use this report.

So, I’d like to share this reporting with members of the Alliance, but the banner is a ‘Warning’ --”(U) Warning:... It is subject to release restrictions as detailed in the Homeland Security Act of 2002, as amended… “ and “It is to be controlled, stored, handled, transmitted, distributed and disposed of in accordance with DHS and FBI policy for FOUO information…”

So what exactly does the Homeland Security Act of 2002, as amended, say about release of information?

What does the DHS and FBI policy for FOUO information state?

And what happens if I don’t know and share it with someone who might use it to protect themselves or their company but I inadvertently go sideways on these rules? Am I going to be fined? Go to jail? Will the black helicopters swoop down and take me away? Do I really need to go look this up?

Why is this so hard? 

When I talk about Red Sky Alliance, and why members join us, I tell them this…

Red Sky was funded by a group of companies who wanted to share information between themselves, or wanted to work with the government, but for various reasons were not able, or they just found it really hard. 

Why? In the beginning, most members fell into one or more of these categories:

They all just wanted help… but...

  • Many weren’t invited to work with the intelligence community program (mentioned earlier);
  • Some of the companies were not considered ‘critical infrastructure’ (and therefore couldn’t go, or didn’t want to go, to DHS);
  • Or they were concerned with bringing in law enforcement (typically the FBI),
  • Or they wanted to participate with the DIB folks under DCISE, but the doors, for various reasons, were closed to non-defense contractors,
  • Or perhaps the rules associated with working with government information sharing (see the banner above!) turn off the companies to participating (that banner is only the beginning!)
  • Or trusting the government with internal company data is a massive leap of faith that many will just not take,
  • Or, they loved the services offered by current Red Sky analysts, and wanted to support us in our venture (THANK YOU!!!)

This is why we started Red Sky Alliance. There was an opportunity. It came in the form of fixing many of the issues associated with dealing with the government --heavy rules, DSS visits, CRADAs, costs associated with participating, high false positives rates (or, as one put it "criminally inconsistent" quality) of information received, trust issues, security clearances, etc. Again, a topic for another (very long) blog.

So how did we fix it?

  • Red Sky speaks PGP (and we're working on TLS). The government speaks SIPRNET. The two don’t talk. And with Red Sky, you don’t need any special gear, software, or DSS visits! Wuhoo!
  • Red Sky only has UNCLASSIFIED data. Do you know how hard it is to find good unclassified threat data?  Certainly some of the government data might be cool, but it's nearly always classified, and therefore, unusable. We don’t use government data.. and we’ve written over 100 technical and intelligence reports anyway…  so here’s the dirty little secret.. the best stuff doesn’t always come from them! (shhhh.. we don’t want anyone to know!)
  • With some of the government programs, “you get what’s in the fridge” (yes, someone actually said that!). With Red Sky Alliance, you get what all of us have in the fridge…. and the membership casts a really, really wide net…

    When was the last time someone showed you pictures of some of those pesky hackers, what they want, how they operate, and how you might protect your company from them… without making you sign a 75 year non-disclosure agreement, checking your clearance at the front door, after your long flight to Washington, requiring a DNA sample and placing a chip in your head? (just kidding about the chip… although, you might want to break out your tinfoil hat!)

Here’s the bottom line.. 

We do our best to make Red Sky simple, pain free, smart, completely usable, and timely… is it perfect? No, but we try really hard. Here’s how:

  1. Red Sky data is completely unclassified. You can use it however you need to protect your company or your customers as long as you can maintain positive control over the data.
  2. Unlike subscriptions, where most of the data gets tossed, many of our members tell us that they process and use every piece of information that we give them.
  3. You get the ability to ask questions and share notes with companies large and small, who, just like you, only want to protect themselves.. and they are all experts in their field --just like you.
  4. Red Sky will make your team more efficient. Even if you’re a small team and just realizing the problems of APT, targeted corporate espionage, or determined adversary threats, don’t repeat work. Ask the membership. They’ve been through it already. They know the pain. They know what the 24 hour workdays feel like, the uncertainty of it all, the nervousness of job insecurities when briefing the board, and best of all.. how to get through it.

It shouldn’t be so hard.

Don’t feel comfortable jumping into a collaborative just yet? Give us a call. We can help. 

Neuberger talks of NSA's efforts to help companies in three different options: general, targeted and operational efforts. 

Red Sky has, and does, deliver all three today:

General: The social network environment is a great way to share information. It's informative, assistive, and allows those who can use the data to pull from it and protect themselves. Companies share information, lessons learned, forensics and early warning. Our dedicated analysts take that data and turn it into something useful in the form of a Fusion Report and a list of indicators that go with that particular story.

Targeted: For the last six months, Red Sky's Manchester, NH based Wapack Labs has been writing targeted threat intelligence, technical fusion and warning products for folks who are members of the Alliance, but need help dealing with the data. In most cases, our requests have come from members who know they need threat intelligence but don't have the internal capability to do it themselves. Our job? Show them the wolves closest to the sled today, then what to watch for next, and then after that --all specific to the requester, not the general community.

Operational: Many of the Red Sky members are massive managed security service providers --Red Sky data is used in their MSSP operations to protect data. Heck at least one of our companies protects the government! Second, the Lab in Manchester hosts the backend of monitoring solutions that will allow us to ensure that your current MSSP isn't letting bad stuff through, or for those without an MSSP, the operational arm in Wapack can help you decide exactly what kind of protections you need to put in place.

It's all about money... but not government budgets. It should be about how companies should spend the money they have to protect the products or services they create.  

It shouldn’t be so hard.

It isn't in Red Sky.  I'll be running around the NY to DC corridor over the next two weeks. Give us a call. I'd love to show you how easy it is. 

Until next time,
Have a great week!