
Enabling Distributed Security in Cyberspace

Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action

March 23, 2011

Executive Summary

Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants (private firms, non-profits, governments, individuals, processes, and cyber devices such as computers, software, and communications technologies) that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life.

This discussion paper explores the idea of a healthy, resilient, and fundamentally more secure cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near real time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state. In this future cyber ecosystem, security capabilities are built into cyber devices in a way that allows preventive and defensive courses of action to be coordinated within and among communities of devices. Power is distributed among participants, and near real time coordination is enabled by combining the innate and interoperable capabilities of individual devices with trusted information exchanges and shared, configurable policies.

To illuminate such a cyber ecosystem in action, one might look at today's practice known as continuous monitoring, in which system managers use a variety of software products to automatically detect and report known security vulnerabilities in network nodes. In some cases, system managers further configure their systems to automatically remediate detected security deficiencies. To offer an analogy, continuous monitoring is to a healthy cyber ecosystem as smoke detectors and sprinkler systems are to a smart building.

At the other end of sophistication in the orderly management of a complex system, we draw inspiration from the human body's immune system. To paint a picture that mirrors the body's ability to defend itself is complex. It might include layered defenses and countermeasures that work in tandem; specialized roles; powerful methods for rapidly identifying attackers; surge capabilities; and the ability to learn and rapidly adapt. A companion analogy may be made to the public health system and the Centers for Disease Control and Prevention (CDC). Here, cyber equivalent functions might include threat and incident watch, data dissemination, threat analysis, intervention recommendations, and coordination of preventive actions.

Automation is one of three interdependent building blocks of a healthy cyber ecosystem, along with interoperability and authentication. Automation can increase speed of action, optimize decision making, and ease adoption of new security solutions. A healthy cyber ecosystem might employ an automation strategy of fixed, local defenses supported by mobile and global defenses at multiple levels. Such a strategy could enable the cyber ecosystem to sustain itself and supported missions while fighting through attacks. Further, it could enable the ecosystem to continuously strengthen itself against the cyber equivalent of autoimmune disorders.

Interoperability can broaden and strengthen collaboration, create new intelligence, hasten and spread learning, and improve situational awareness. This paper posits three types of interoperability (semantic, i.e., a shared lexicon based on common understanding; technical; and policy) as fundamental to integrating disparate cyber participants into a comprehensive cyber defense system. It examines how the cybersecurity community has achieved some early successes by explicitly separating the management of security information from the management of security functions in an approach called security content automation. Such successes include: developing naming conventions and shared lists and catalogs of the fundamental elements that we identify here as the ecosystem; creating and using machine readable languages and formats for expressing security policies or encoding security transactions; and developing and using knowledge repositories for best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules and principles, among others. The paper also looks at some challenges associated with expanding this approach to ensure a widely distributed, automated, collective defense.

Authentication can improve trust in ways that enhance privacy and decision making. It is integral to many capabilities beyond cyber defense, and the paper looks to the emerging National Strategy for Trusted Identities in Cyberspace (NSTIC), detailed below, to build a shared foundation. The paper calls for identification and authentication technologies that deliver across five operational objectives: security, affordability, ease of use and administration, scalability, and interoperability. Additionally, the paper calls for consumer guides that rate technologies across all five objectives and assist system developers and owners in making phased improvements and selections. For automated cyber defense, it calls for strong standards-based device authentication, including for software, handheld devices, and small, often wireless, devices composing massively scalable grids.

The paper also draws on current research on network enabled enterprises that is recasting traditional notions of command and control in the direction of focus and convergence. Focus provides the context and defines the purposes of an endeavor, but is agnostic regarding who might be in charge or particular lines of authority. Convergence refers to the goal seeking process that guides actions and effects, but recognizes that control works in an unconventional manner in highly distributed systems. The paper presents a five level maturity model for ecosystem focus and convergence that is associated with increasing agility and provides an approach for defining how to achieve and employ these various levels. Ecosystem maturity is further explored through a discussion of healthy attributes (eight for the ecosystem and eighteen for participants and exchanges).

The paper concludes with a brief discussion of incentives and recommendations for the way ahead. It posits that the slow adoption of available best practices and technologies in the face of increasing cyber attacks indicates an imbalance of incentives and proposes that better and more widely disseminated aggregated and anonymized information about the frequency and actual harm of cyber attacks is needed. Despite the many open questions remaining, the field is ripe for planning and action. Feedback on this paper and comment on all aspects of the problem are welcome at cyberfeedback@dhs.gov.

Table of Contents

Executive Summary ........ 2
Background and Purpose ........ 5
The Case for a More Secure Cyber Ecosystem ........ 5
Building Blocks for a Healthy Cyber Ecosystem ........ 8
    Building Block 1: Automation ........ 8
    Building Block 2: Interoperability ........ 11
    Building Block 3: Authentication ........ 17
Key Concepts ........ 18
    Focus, Convergence, and Maturity ........ 18
    Attributes of a Healthy Cyber Ecosystem ........ 22
    Attributes of Healthy Participants ........ 24
Incentives and Adoption ........ 26
Way Ahead ........ 27
Glossary ........ 28


Background and Purpose

This paper was prepared under the direction of Philip Reitinger, Deputy Under Secretary for the National Protection and Programs Directorate (NPPD), U.S. Department of Homeland Security, with support from the NPPD Cyber+ Strategy Staff, the federally funded Homeland Security Systems Engineering and Development Institute (HSSEDI), and the NPPD Office of Cybersecurity and Communications (CS&C). In 2010, NPPD sponsored a government workshop to discuss a draft of this paper. Recommendations from that workshop have been incorporated.

This paper explores a future (a healthy cyber ecosystem) where cyber devices collaborate in near real time in their own defense. In this future, cyber devices have innate capabilities that enable them to work together to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.

This paper presents three building blocks as foundational for a healthy cyber ecosystem: automation, interoperability, and authentication. The paper then considers how these building blocks contribute to ecosystem maturity and explores incentives for creating such a system. It concludes with thoughts on the way ahead.

The envisioned end state is focused specifically on capabilities that can be achieved in the near and mid term by utilizing standards-based software and information to strengthen self defense through automated collective action. This paper is meant to provoke discussion and further exploration of the topic.

This paper is available online at http://www.dhs.gov/xlibrary/assets/nppd-healthy-cyber-ecosystem.pdf. Comments and feedback are welcome, and may be directed to cyberfeedback@dhs.gov. You may also contact cyberfeedback@dhs.gov if you are interested in hosting a discussion on this topic.

The Case for a More Secure Cyber Ecosystem

Cyber attacks have become more frequent, more widespread, and more consequential. Forecasts for 2011 and beyond project continued increases in both the volume and virulence of cyber attacks. These mostly unattributed incidents reduce the availability of this vital medium for information exchange and impair the ability of the information environment to be a mission multiplier and support more effective and efficient business processes. Needless to say, an insecure environment also weakens the privacy of cyber ecosystem participants.


At the same time, the Nation is significantly expanding the cyber capabilities that power its economy and support its homeland and national security. The transformations being undertaken in the financial, health care, energy, transportation, homeland security, defense, and intelligence sectors are predicated on an expectation that cyber devices (computers, software, and communications technologies), communications networks, and embedded control systems for critical infrastructures will be available and perform as expected. (As examples, see Figures 1 and 2 for profiles of the Next Generation Air Transportation System and Smart Grid.)

Figure 1: Next Generation Air Transportation System (NextGen)

NextGen is a comprehensive overhaul of the U.S. national airspace system from air traffic control to air traffic management and from ground-based to satellite-based capabilities. It is employing continuous rollout of improvements and upgrades to make air travel more convenient and dependable, more economical, and more environmentally friendly, while ensuring flights are as safe, secure and hassle free as possible. NextGen offers advantages to all stakeholders: consumers, service providers, neighbors (e.g., noise reduction), and the environment.

The NextGen portfolio is organized into seven solution sets, each focusing on a series of related operational changes that together will bring about the mid term system.

The NextGen Information Systems Security Architecture addresses how to:
- Keep the Bad Stuff Out (external boundary protection and certified software management)
- Make Sure You Know To Whom You Are Talking (identity and key management)
- If They Get In, Make Sure You Find Them and Deal With the Problem (intrusion detection and response)
- Minimize Damage Once In; Don't Let it Spread (internal policy enforcement)

Source: http://www.faa.gov/nextgen/

Figure 2: Smart Grid

Smart Grid comprises the electric transmission and distribution systems and myriads of local area networks that use distributed energy resources to serve local loads and/or to meet specific application requirements for remote power, village or district power, premium power, and critical loads protection.

Electric grid stakeholders representing utilities, technology providers, researchers, policy makers, and consumers have worked together to define the functions of a smart grid, and they have identified the following characteristics or performance features:
- Self healing from power disturbance events
- Enabling active participation by consumers in demand response
- Operating resiliently against physical and cyber attack
- Providing power quality for 21st century needs
- Accommodating all generation and storage options
- Enabling new products, services, and markets
- Optimizing assets and operating efficiently

Source: http://www.oe.energy.gov/smartgrid.htm

Cyber defense today is founded on ad hoc, manual processes; yet cyber attacks often follow a well known, systematic escalation path beginning with reconnaissance activities and extending to gaining entry, establishing persistence, setting up external communications pathways, and conducting attack operations. If cyber devices communicated in near real time with each other about attacks, and took coordinated security hardening response actions consistent with a defined policy framework, then critical business, mission and privacy objectives could be better supported, and many security risks could be managed proactively and dynamically. Automated defenses could be effective at the earliest, least costly stage of the life cycle as well as at the later stages of an attack when malicious code and other attack elements propagate at machine speed. These defenses could be effective against all threats including financial fraud, identity theft, and advanced, persistent threats that exploit unauthorized access to intellectual property and sensitive information.

In January 2003, the Slammer worm infected some 247,000 Internet hosts. Over 90 percent of the infections occurred within 10 minutes of release, and the worm achieved its full scanning rate (over 55 million scans per second) in approximately 3 minutes. While Slammer did not carry a malicious payload, the volume of traffic it produced swamped networks, causing disconnected ATMs (over 13,000 reported by a single bank), cancelled airline flights, and disrupted elections and 911 services. Cleanup costs worldwide were estimated at between $750 million and $1.2 billion.[1][2] Recently, more highly sophisticated and targeted attacks have been regularly reported.

Imagine a future where cyber devices have an innate ability to correlate operational information and to deduce that a device in their domain has been infected with possible malware. One indicator might be an unusually high number of random connection requests and a corresponding high failure rate. The scenario:
- A healthy device detects an infection in another device. (A discussion of healthy participants, i.e., persons, devices, and processes, is provided later in this paper);
- The device stops receiving and forwarding messages from the infected source and informs surrounding healthy devices about the identity of the suspected threat;
- Healthy devices receiving the threat alert employ a threshold defense to minimize the risk of false alarms; that is, they defer action until alerts are received from some predetermined number of independent devices;
- The alert threshold is reached, and participating healthy devices stop receiving and forwarding messages from the infected device, effectively neutralizing its ability to spread the infection; and finally
- Communications are reestablished when the infected devices are cleaned.

Some simulations[3][4] indicate that about 30 to 35 percent of devices would need to cooperate in order for such a course of action to work. These numbers are important, because they indicate that success is not dependent on the participation of all or even a majority of devices; therefore, large scale infrastructure modification is not required to make the ecosystem fundamentally more secure.[5]

The defenses present in a healthy cyber ecosystem could intervene at essentially any point during complex attacks. For example, an alert could come from trusted and authenticated sources such as other devices inside the infrastructure that detect anomalous behavior, another company or entity under attack, a monitoring service, or the United States Computer Emergency Readiness Team (US-CERT). If from an external source, the alert could come directly into an entity's systems and in a format such as eXtended Markup Language (XML) that cyber devices could read. In response to the alert, the infrastructure could automatically check itself then notify officials of the exact location and extent of compromise or of susceptibility to a potential attack. In response, a digital policy (i.e., machine instructions) could be deployed to take infected devices offline, change the configuration of healthy devices to harden them against potential attack, block the incoming malware, or block outbound traffic to the receiving site(s). Immediately upon detection of a compromise, a digital policy could be deployed to alert others of the situation and begin sharing discoveries in an information exchange format that could be authenticated and automatically fed into cyber devices in other cyber infrastructures.

A healthy cyber ecosystem would interoperate broadly, collaborate effectively in a distributed environment, respond with agility, and recover rapidly. With a rich web of security partnerships, shared strategies, preapproved and prepositioned digital policies, interoperable information exchanges, and healthy participants (persons, devices, and processes), a healthy cyber ecosystem could defend against a full spectrum of known and emerging threats, including attacks against the supply chain, remote network-based attacks, proximate or physical attacks, and insider attacks; improve the reliability and resilience of critical infrastructures; and better assure privacy, business processes, and missions.

[1] Sean P. Gorman, Rajendra G. Kulkarni, Laurie A. Schintler, and Roger R. Stough, Least Effort Strategies for Cybersecurity, http://arxiv.org/ftp/condmat/papers/0306/0306002.pdf
[2] Anil Ananthaswamy, Internet immunity system promises to defang worm attacks, http://www.newscientist.com/article/mj20327215.000internetimmunesystemcouldblockviruses.html
[3] Gorman et al.
[4] Ananthaswamy.
[5] See Using External Security Monitors to Secure BGP, Patrick Reynolds, Oliver Kennedy, Emin Gun Sirer, and Fred B. Schneider at http://www.cs.cornell.edu/fbs/publications/NexusBGPtr.pdf for another indicator that ecosystem health could be improved with marginal impact to existing devices, protocols, and operations. Reynolds et al. say that deploying an external security monitor to a random 10% of autonomous systems in the Internet suffices to guarantee security for 80% of Internet routes where both endpoints are monitored.
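The scenario above (local detection, alerting surrounding devices, a threshold on independent alerts, isolation, and re-established communications after cleanup) as a small simulation. This is an added example, not code from the paper and not a reproduction of the simulations it cites: it uses a flat population with a randomly scanning source rather than a network topology, so the 30 to 35 percent figure does not carry over (in this model, a vulnerable device that does not cooperate stays exposed). Population size, the vulnerability pattern, the scan rate and the alert threshold are all assumptions.

```python
"""Toy simulation of the threshold-defense scenario.

Constructed example: a flat population of devices in which an infected
device sends random connection requests, the way a scanning worm does.
A cooperating device treats a failed connection request as the indicator
the paper mentions (many random connection requests with a high failure
rate), stops listening to the suspected source, and alerts the other
cooperating devices. Devices receiving alerts defer action until
ALERT_THRESHOLD independent devices have reported the same source.
"""
import random
from dataclasses import dataclass, field

N_DEVICES = 200
SCANS_PER_ROUND = 10   # connection requests each infected device sends per round
ALERT_THRESHOLD = 2    # independent alerts needed before a device isolates a source


@dataclass
class Device:
    ident: int
    vulnerable: bool
    cooperating: bool
    infected: bool = False
    blocked: set = field(default_factory=set)     # sources this device ignores
    alerters: dict = field(default_factory=dict)  # source -> ids of devices that alerted

    def detect(self, source):
        """Local detection: stop receiving from the suspect immediately."""
        self.blocked.add(source)

    def receive_alert(self, source, alerter):
        """Threshold defense: act only once enough distinct devices agree.
        Repeated alerts from the same device count once."""
        seen = self.alerters.setdefault(source, set())
        seen.add(alerter)
        if len(seen) >= ALERT_THRESHOLD:
            self.blocked.add(source)

    def source_cleaned(self, source):
        """Communications are re-established once the source is cleaned."""
        self.blocked.discard(source)
        self.alerters.pop(source, None)


class Community:
    def __init__(self, cooperating_percent, seed=1):
        self.rng = random.Random(seed)
        # Assumed layout: every 10th device is vulnerable, and a device
        # cooperates when its index modulo 100 is below the given percentage.
        self.devices = [
            Device(i, vulnerable=(i % 10 == 0), cooperating=(i % 100 < cooperating_percent))
            for i in range(N_DEVICES)
        ]
        self.devices[0].infected = True   # patient zero

    def _broadcast_alert(self, source, alerter):
        """Only healthy cooperating devices act on alerts; an infected device
        is not a trustworthy participant."""
        for d in self.devices:
            if d.cooperating and not d.infected:
                d.receive_alert(source, alerter)

    def _connection_request(self, src, tgt):
        if src.ident in tgt.blocked or tgt.infected or tgt is src:
            return                       # dropped, or nothing new to infect
        if tgt.vulnerable:
            tgt.infected = True          # the exploit succeeds
        elif tgt.cooperating:
            tgt.detect(src.ident)        # a failed request is the indicator
            self._broadcast_alert(src.ident, tgt.ident)

    def run(self, rounds=100):
        for _ in range(rounds):
            for src in [d for d in self.devices if d.infected]:
                for _ in range(SCANS_PER_ROUND):
                    self._connection_request(src, self.devices[self.rng.randrange(N_DEVICES)])
        return self.infected_count()

    def infected_count(self):
        return sum(1 for d in self.devices if d.infected)

    def clean_all(self):
        """Remediate every infected device and lift the isolation everywhere.
        Returns the number of block entries still in place (expected: 0)."""
        for d in self.devices:
            if d.infected:
                d.infected = False
                for other in self.devices:
                    other.source_cleaned(d.ident)
        return sum(len(d.blocked) for d in self.devices)


def outbreak_size(cooperating_percent, rounds=100, seed=1):
    """Infected devices after the run; 20 of the 200 devices are vulnerable."""
    return Community(cooperating_percent, seed).run(rounds)


if __name__ == "__main__":
    for pct in (0, 50, 100):
        print(f"{pct:3d}% cooperating: {outbreak_size(pct)} of 20 vulnerable devices infected")
```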

Building Blocks for a Healthy Cyber Ecosystem

Building Block 1: Automation

Automated Courses of Action (ACOAs) are strategies that incorporate decisions made and actions taken in response to cyber situations. Automation frees humans to do what they do well: think, ask questions, and make judgments about complex situations. Automation allows the speed of response to approach the speed of attack, rather than relying on human responses to attacks that are occurring at machine speed. With the ability to execute at machine speed, defenders could get inside the turning circles or decision cycles of attackers. Further, automation could make it easier to adopt and adapt new or proven security solutions.

One potential inspiration for ACOAs is the human immune system, illustrated in Figure 3.[6]

[6] See Immunology, diversity, and homeostasis: the past and future of biologically inspired computer defenses, Anil Somayaji, Journal Information Security Tech., Vol 12, Issue 4, September 2007, http://portal.acm.org/beta/citation.cfm?id=1324630, for a useful survey of this field.



Figure 3: Overview of Human Immune System

Skin
1. Encapsulating physical barrier
2. Detection and early warning (touch)
3. Antibacterial and antifungal properties (e.g., acids)

Entry Points (e.g., eyes, mouth, nose)
1. Traps and filters (e.g., mucus, mast cells)
2. Detection and early warning (smell, taste)
3. Antipathogenic properties (e.g., tears, saliva)

Internal System (defenders and signaling)
1. Defenders are specialists: patrollers, killers, cleaners, or helpers
2. All cells that are part of the body (self) present an identifier that is known to defenders
3. Patrollers detect and counter invaders: cells that don't present a known good identifier or that have a known bad identifier (antigen)
4. Countermeasures may disable toxic chemical action, prevent movement across cell walls, or destroy the invader
5. Helpers sound the alert and activate rapid production of more patrollers and killers
6. Helpers guide killers and cleaners to the detection site
7. Patrollers, killers, and cleaners also flood the bloodstream, looking for any other antigens
8. Helpers may activate supplementary kill mechanisms (e.g. fever)
9. Killers cause invaders and infected cells to die and cleaners engulf them
10. Specialized patrollers and killers that are primed with the invader's identifier are produced to remember and protect against future invasions

The internal system is actually two interrelated systems: one that is stationary and local to cells (cell mediated) and one that is global to the entire body, moving throughout it via the bloodstream and lymph systems (humoral). Each of these interrelated systems has its own locus for sustainment (e.g., thymus, bone marrow) and sophisticated mechanisms for synchronized activity.[7][8]

A healthy cyber ecosystem might employ an automation strategy of fixed local defenses supported by mobile and global defenses at multiple levels. Such a strategy could enable the cyber ecosystem to sustain itself and supported missions while fighting through attacks. Further, it could enable the ecosystem to continuously strengthen itself against the cyber equivalent of autoimmune disorders. For example, within an organization, cyber devices that directly provide end user, mission, or business functionality might maintain a high awareness of user behavior, expectations, and service level agreements, be tuned to sense and respond to user situations, signal local or user level status to organizational devices, and correlate discoveries and synchronize responses with organizational devices.

[7] Human Physiology/The Immune System, http://en.wikibooks.org/wiki/Human_Physiology/The_Immune_System
[8] How Your Immune System Works, http://health.howstuffworks.com/immunesystem.htm


Cyber devices that provide or manage organization wide connectivity and services might be tuned to sense and respond to organizational situations, signal organizational status to user level devices, correlate discoveries and synchronize responses with user level devices, and provide support or augmentation to user situations. Enforcement of organizational policies such as privacy protection could be synchronized across user and organizational levels.

In addition to the ability to signal and synchronize across levels, each level could have internal synchronization and analysis capabilities. For example, all devices supporting users, or classes of users, could share a focus and convergence approach that would include security policies and pooled analytic resources, as could all devices supporting organizational services or classes of services. In turn, an organization could share information and coordinate activities or synchronize ACOAs with a larger business, political, or geographic domain, or with the world wide cyber environment.

Cyber devices endowed with strong feed forward and feedback signaling mechanisms that assume and can accommodate communications failures, and operating in an environment with trusted end to end identification and authentication of all participants, would enjoy a heightened ability to observe, record, and share what is happening to and around them. In turn, they could:
- Proactively take preventive measures;
- Reject requests that do not fit the profile of what is good, a priori, for themselves or the larger cyber environment;
- Sense malicious actors and autonomously refine the evidence captured for diagnosis or in support of the development of future prevention methods; and
- Autonomously enact defensive responses or even build such responses in real time.[9]

A companion source of inspiration for ACOAs comes from the public health sector, although for many processes in this domain, automation is some distance away. Public health services conduct population health surveillance and react to threats to the overall health of communities. The stated mission of the Centers for Disease Control and Prevention (CDC) is: "to collaborate to create the expertise, information, and tools that people and communities need to protect their health through health promotion, prevention of disease, injury and disability, and preparedness for new health threats."[10] The cyber equivalent of a CDC might perform functions such as the following:
- Watch: Gather data on cyber threats and cybersecurity outbreaks that are analogous to the information about diseases reported by health care providers.
- Data dissemination: Provide data about the spread and danger of threats to help communities and organizations plan protective measures and responses.
- Cyber threat analysis: Investigate and diagnose cyber threats in the community. Where possible, verify outbreaks of new cyber threats and understand the causes, extent and impact of these outbreaks.
- Intervention analysis and recommendations: Provide a cost/benefit analysis of potential interventions and make recommendations.
- Coordination of preventive actions: Coordinate response strategies and their execution, for example, the equivalent of quarantining and vaccination strategies or cyber patrolling for fraud.[11]

[9] Cyber Leap Year Summit Co-Chairs' Report, http://www.cyber.st.dhs.gov/docs/National_Cyber_Leap_Year_Summit_2009_CoChairs_Report.pdf
[10] The CDC Mission, http://www.cdc.gov/about/organization/mission.htm

Building Block 2: Interoperability

Interoperability allows cyber communities to be defined by policies rather than by technical constraints and permits cyber participants to collaborate seamlessly and dynamically in automated community defense. Interoperability enables common operational pictures and shared situational awareness to emerge and disseminate rapidly. The creation of new kinds of intelligence (such as fused sensor inputs), coupled with rapid learning at both the machine and the human levels, could fundamentally change the ecosystem.

Unfortunately, within cybersecurity today, many available devices (e.g., firewalls, file integrity checkers, virus scanners, intrusion detection systems, anti-malware software) operate independently and neither exchange data nor have consistent security policies. Each of them may have been developed by a different vendor, perhaps even competitors, without adherence to internationally accepted open standards. In other cases, the standards are not yet mature. Thus, in today's ecosystem, collaboration is possible but difficult. We must reach a point where the only barriers to collaboration across devices, people, and organizations are those we choose to impose by policy, not those that are imposed on us by technology.

Three types of interoperability[12] are fundamental to integrating the many disparate participants into a comprehensive cyber defense system that can create new intelligence and make and implement decisions at machine speed:
- Semantic Interoperability. The ability of each sending party to communicate data and have receiving parties understand the message in the sense intended by the sending party.
- Technical Interoperability. The ability for different technologies to communicate and exchange data based upon well defined and widely adopted interface standards.
- Policy Interoperability. Common business processes related to the transmission, receipt, and acceptance of data among participants.

[11] An approach that is also inspired by public health models is described in Collective Defense: Applying Public Health Models to the Internet, http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/internethealth.aspx. In this approach, access to other online resources is contingent upon the health of a device. Devices seeking access must be able to demonstrate good health through a trusted health certificate. If the device's health level is acceptable, then access is granted. If a security concern is identified, then the entity being petitioned for access (an Internet Service Provider, for example) could provide a notice that assists the user in addressing the security concern, render advice or assistance, or direct the user to resources for remediation.
[12] National Strategy for Trusted Identities in Cyberspace (NSTIC)

Within cybersecurity, all three types of interoperability are being enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information oriented approach, generally referred to as [cyber] security content automation, and comprises the following elements.[13]
- Enumerations. These are lists or catalogs of the fundamental entities of cybersecurity, for example, cyber devices and software items (CPE); device and software configurations (CCE); publicly known weaknesses in architecture, design, or code (CWE); publicly known flaws or vulnerabilities (CVE); or publicly known attack patterns (CAPEC). Enumerations enable semantic interoperability.
- Languages and Formats. These incorporate enumerations and support the creation of machine readable security state assertions, assessment results, audit logs, messages, and reports. Examples include patterns associated with assets, configurations, vulnerabilities, and software patches (XCCDF & OVAL); security announcements (CAIF), events (CEE), malware (MAEC); risk associated with vulnerability (CVSS), sensor collection and correlation (ARF), and US-CERT security bulletins and incident reports (NIEM). Languages and formats enable technical interoperability.
- Knowledge Repositories. These contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others. In many respects, knowledge repositories serve as the cybersecurity community memory and enable policy interoperability. Examples include Information Assurance Checklists housed on the National Checklist Program website (http://checklists.nist.gov/), Department of Defense Security Technical Implementation Guides (STIGs), and vendor guides.

Figure 4 presents a history of U.S. Government supported security content automation efforts along with projected achievements through 2014. Projections are based on current resourcing and the interests of a largely volunteer and self directed community. Figure 4 also illustrates how standards build upon themselves to expand functionality over time (e.g., the expansion of configuration management capabilities from desktops to networks).

[13] See the Glossary at the end of this paper for the full name of the various named standards.


Figure 4. History and Near Term Forecast of Cyber Security Automation Standards Development Activity [figure not reproduced in this extraction]


Another way to approach the evolution of cyber security content automation is through a strategic consideration of what is needed and possible. Figure 5 presents an array of security functions that can be transformed by content automation and exchange. Standards supporting the first wave are extant and documented in NIST SP 800-126, The Technical Specification for the Security Content Automation Protocol.[14] Many of the standards necessary to support the second wave are in development now, and some of the challenges associated with bridging the two waves are discussed later in this section. The third wave identifies a logical progression. As with the historical transition from e-commerce to e-business, succeeding waves build in capability and become more strategic in focus.

Figure 5: Strategic Consideration of Cyber Security Content Automation

[Figure not reproduced in this extraction. The labels recovered from it, without their placement across the three waves, are: Testing, attestation, and assurance; Software Assurance Engineering; Remote Assessment; Design Vulnerability Assessment; Configuration Assessment; Remediation; Supply Chain Assurance; Collaborative threat intelligence; Malware Analysis; Sensing and Warning; Structured Threat Information; Incident Reporting; Enterprise Reporting; Asset Inventory; Compliance Management; Event Management; Response; Architecture; Network Device Assessment; Forensics and Damage Assessment; Recovery; Reconstitution; Modeling and Simulation.]

The success of any single function and the integration of functions within and across waves depend on semantic, technical, and policy interoperability. These three types of interoperability are themselves interdependent, and they mature as each adapts to changes in the other. Some level of semantic interoperability must be achieved and some vision of policy (or process) interoperability is necessary in order to successfully develop and employ technical interoperability. A simple example would be the publication of US-CERT bulletins in XML blobs. The technical standards must be underpinned by sender/receiver agreement on the meaning of the content and by agreement on how the XML structured bulletins are to be received and processed. In turn, achievements in technical interoperability enable advances in semantic and policy interoperability, and these advances trigger further advances in technical interoperability.

[14] NIST SP 800-126 Rev 1, DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1, January 11, 2011, http://csrc.nist.gov/publications/PubsSPs.html


Advancesinsemanticandpolicyinteroperabilityalmostalwaysstartwithpersonsandprogressto devices.Further,advancesininteroperabilityhaveshorttermadvantages.Forexample,thefirst waveofsecuritycontentautomationisenablingtherecentfederalcommitmenttocontinuous monitoring,andprogressinthesecondwave,combinedwithgainsachievedduringthefirstwave, isenablingXMLbasedincidentreportingtotheUSCERT. ThethreewavesofautomatedsecurityfunctionsdepictedinFigure5canbesummarizedas progressalongthreeaxes:


Figure 6: Axes of Progress

Axis         Progression
Space        From hosts to networks and applications
Time         From static to dynamic
Capability   From configuration to integrated policy and audit

A third way to examine cyber security content automation is through the generalized functional model in use by the standards community. As illustrated in Figure 7 below, the security functions contained in this model generally represent the first wave plus a portion of the second wave. Security content automation standards that can facilitate the exchange of information with and among functions are annotated adjacent to each function, input, or output.



Figure 7: Generalized Functional Model Informing Standards Development (diagram not reproduced)

This model is lifecycle-oriented and enterprise- or organization-focused. Capabilities are expected to build on one another (from left to right). Each function (e.g., asset inventory, configuration guidance analysis, vulnerability analysis) is viewed as a black box and assumed to be provided by current or future commercial products. Integration across functions is also assumed. The current model does not address formulation or dynamic evolution of ACOAs; however, it does provide a reasonable foundation for ACOA execution.

In general, the functions can be organized into pre-incident detection (asset inventory, configuration guidance analysis, and vulnerability analysis plus threat analysis) and post-incident detection (intrusion detection and incident management plus threat analysis). This organizing construct aligns with the waves presented in Figure 5 above. As illustrated, the structuring of threat information is a second wave activity. The effort to standardize threat alerts and automate threat analysis may prove more complex than previous security content automation efforts because standardization must:
- Bridge these two operational dimensions (pre- and post-incident detection); and
- Add value for enterprises that lack automated capabilities on one side or the other.

In addition, on the whole, the post-incident detection space is less standards-based than the pre-incident detection space. Advances in semantic and policy interoperability regarding what constitutes a reportable incident, what attributes best support incident management, and how these attributes are to be sourced and shared are needed to advance technical standards and interoperability.

Building Block 3: Authentication
Authentication should enable trusted online decisions. Nearly every decision in an online environment involves resources and actors at a distance. When needed for a decision, authentication provides appropriate assurance that the participants are authentic or genuine, and it should do so in a way that enhances individual privacy. In a healthy ecosystem, authentication could extend beyond persons to include cyber devices (e.g., computers, software, or information).

Authentication is critical to cyber defense because communications and content attribution are essential factors in security decisions. Authentication is also foundational to many capabilities beyond cyber defense. [15]

In a healthy cyber ecosystem, sending and receiving parties could be known and accountable for their actions, but protect anonymity where it may be needed to preserve the purpose of the exchange. Consumers of shared cyber awareness could judge the trustworthiness of providers and their contributions, and providers could confirm that requesters are authorized access to such information. Authentication mechanisms could be strong enough to protect against identity theft and spoofing, while at the same time remain affordable, easy to use and administer, scalable, and interoperable. They could also be designed to enhance individual privacy by allowing voluntary, opt-in regimes.

Common authentication technologies rely on (1) something you know (e.g., passwords), (2) something you have (e.g., digital credential), or (3) something you are (e.g., biometrics). Each of these technologies has characteristics that impact security strength, affordability, ease of use and administration, scalability, and interoperability. Significant considerations include ease of integration into emerging and deployed devices and software applications and ease of exchange or federation across networks and organizations.
Unfortunately, in today's market, system developers and owners find few if any technologies that deliver on all five operational objectives: security, affordability, ease of use and administration, scalability, and interoperability. The usual approach is to divide up enterprises and use populations to control and vary the objective that gets optimized. This creates a complex landscape of multiple authentication technologies with limited interoperability, vulnerable security seams, and barriers to business or organizational change.

A healthy cyber ecosystem could have standards-based authentication technologies that deliver more comprehensively across all five operational objectives. To support near-term decisions, consumer guides that rate technologies across all five objectives and assist system developers and owners in making phased improvements and selections could be available. For automated cyber defense, a healthy cyber ecosystem could have strong standards-based device authentication, including small and usually wireless devices composing massively scalable grids. Finally, a healthy ecosystem could have broad ways to express and manage trust that combine trust attributes about people, transactions, technology, and information into new decision frameworks and metrics. Such frameworks could recognize that trust is not a binary or static state, but is fluid and conditioned upon evolving operational and environmental factors.

[15] For additional detail, see the National Strategy for Trusted Identities in Cyberspace, available at http://www.dhs.gov/xlibrary/assets/ns_tic.pdf

Key Concepts
Focus, Convergence, and Maturity
Figure 8: Prevailing Cybersecurity Construct (diagram not reproduced)

The prevailing construct for cybersecurity is illustrated in Figure 8. Cybersecurity processes are a combination of local and global activities. The distribution of activities between local and global may differ from process to process, activity to activity, participant to participant, or event to event. The range of local-to-global extends from the circuitry within a single cyber device (e.g., a mobile phone, personal computer, medical device, or electric grid component) to distributed software applications, data centers, networks, and clouds. To successfully defend against active and intelligent adversaries in such complex and uncertain networked environments, current thinking suggests the need for a new view of command and control, one that emphasizes agility, focus, and convergence:

    In brief, agility is the critical capability that organizations need to meet the challenges of complexity and uncertainty; focus provides the context and defines the purposes of the endeavor; convergence is the goal-seeking process that guides actions and effects. ... Focus as a replacement for command speaks directly to what command is meant to accomplish while being agnostic with respect to the existence of someone in charge or particular lines of authority. Similarly, convergence speaks directly to what control (the verb) is meant to achieve without asserting that control as a verb is possible or desirable. [16]

As suggested earlier, this paper focuses primarily on how networked devices can become actors in their own and the network's defense. To illustrate a range of capabilities that such devices will begin to embody, we present a five-level maturity model in Figure 9. [17] The model considers Focus and Convergence (F&C) in terms of increasing agility, that is, effectiveness in dealing with change over time. As with other maturity models, Level 5 represents the highest level of focus and convergence, while Level 1 represents the lowest. The five-level model is not a normative scale. That is, Level 5 is not always better than Level 3. Communities may opt to operate at lower levels for reasons of cost, efficiency, or other reasons. Describing the ecosystem in terms of multiple levels helps illustrate and demonstrate a system's high tolerance for diversity, as different communities will inevitably have different needs and be in different stages of evolution at any given point in time. For example, there are a number of outdated system components within the nation's critical infrastructure that are not able to interface with modern systems but will remain an important part of the ecosystem in the near term. The ability to leapfrog from this legacy technology to a modern cyber infrastructure is something that should be explored.

[16] Agility, Focus, and Convergence: The Future of Command and Control, David S. Alberts (OASD NII), The International C2 Journal, Vol 1, No 1, 2007, http://www.dodccrp.org/files/IC2J_v1n1_01_Alberts.pdf
Figure 9: Focus and Convergence Maturity Model for Networked Environments

F&C Maturity Levels

Level 5, Edge F&C: Characterized by a robustly networked collection of devices having widespread and easy access to information, sharing information extensively, interacting in a rich and continuous fashion, and having the broadest possible distribution of decision rights. The objective of Edge F&C is to enable the community to self-synchronize in an agile and adaptable manner.

Level 4, Collaborative F&C: Characterized by multiple devices working together toward a common purpose and under a single, shared plan. Involves a considerable delegation of decision rights to the community. Aims to develop synergies by negotiating and establishing shared intent as well as a shared security policy, establishing or reconfiguring roles, coupling actions, and by engendering a rich sharing of resources and awareness.

Level 3, Coordinated F&C: Characterized by multiple devices related by mutual support for intent, expressed as links between and among security policies and actions that reinforce and enhance effects along with some pooling of resources for specified activities.

Level 2, Deconflicted F&C: Characterized by a partitioning of the problem space among devices to avoid adverse cross effects. Establishment and maintenance of the partitions requires limited information sharing and interaction among devices.

Level 1, Isolated F&C: Characterized by individual devices exercising focus and convergence only over their own resources. Hence, there is no shared objective; neither is there information distribution nor any other interaction among devices.

[17] Adapted from the North Atlantic Treaty Organization (NATO) Network Enabled Capability (NEC) C2 Maturity Model, February 2010, www.dodccrp.org

To consider how such a model might be applied, a framework for defining and thinking about the space of all possible F&C approaches is helpful. Three variables define the essence of F&C, and thus the F&C Approach Space is illustrated in Figure 10 below.


Figure 10: Focus and Convergence (F&C) Approach Space [18] (diagram not reproduced)

As Figure 10 illustrates, any focus and convergence approach may be viewed as a function of three interrelated dimensions:
1. The allocation of decision rights to the community;
2. The patterns of interaction that take place between and among devices; and
3. The distribution of information among devices.

Figure 11 summarizes how these three dimensions vary among the F&C levels.

Figure 11: Dimensions of Focus and Convergence [19] (table not reproduced)

[18] NATO NEC C2 Maturity Model

Increased agility (moving from the bottom left to top right within the F&C approach space in Figure 10) can be viewed as:
- The ability of devices to adopt ever wider ranges of approaches;
- The ability of devices to recognize and adopt an appropriate approach, which is determined by the nature of the situation and how it is likely to evolve; and
- The ability of devices to change approaches if necessary in a timely manner.

Considering F&C within an approach space also supports a growing recognition that there may be no single best system design or configuration, no best process for all situations and circumstances. Rather than optimization, the uncertainty in the mission space combined with the diverse and interacting effects of countermeasures and the complexity inherent in collective action lead to a need for agility. This might mean that devices routinely operate at lower levels of F&C for economy but have the ability to switch to higher levels of F&C for selected situations. It might also mean that routine F&C levels vary by devices' roles or locations within the ecosystem.

[19] NATO NEC C2 Maturity Model


Increased agility among cyber devices is necessarily dependent upon and exists in synchrony with the agility of the organizations that own and operate them and the business or mission processes that consume their services. The three building blocks described earlier (automation, authentication and interoperability) increase agility and enable collective cyber defense. Decision rights originate with persons, organizations and business processes; and interoperability ensures that any delegation to cyber devices is communicated in a way that both humans and machines can understand. Automation provides the ability to act upon delegated decision rights at machine speed, and authentication allows the data necessary for a given decision to be trusted.

Attributes of a Healthy Cyber Ecosystem
Looking at the ecosystem through building blocks and maturity levels helps envision how a healthy ecosystem might work and how it might self-defend through automated collective action. This section begins to examine the desired end state. What might be different in a healthy ecosystem? What might be the value added?

In a healthy cyber ecosystem, we might find:
- Information connected across space and time. Information discovered or created in one part of the ecosystem conveys rapidly to others rather than being siloed, e.g., information is preserved in ways that help discover patterns over time and can be configured to protect Personally Identifiable Information (PII) and other sensitive data.
- Rapid and essentially universal learning. Machines learn from each other and people learn from machines.
- Greater attribution. Machines and humans work together to improve attribution where needed while enhancing privacy.
- New analytics. Data from multiple, otherwise discrete sources (e.g., sensors, red teams, trouble tickets) are fused, aggregated or otherwise transformed to create new intelligence.
- Greater network reach. Security content is separated from delivery mechanisms and managed as an ecosystem asset. Earlier research in Tailored Trustworthy Spaces [20] results in powerful new ways to work across multiple trust or classification levels.
- New defensive tactics. Earlier research in Moving Target Defense [21], combined with shared security policies and new intelligence, enables new courses of action such as dynamic networking or uncertainty. In other words, attacks only work once (i.e. one victim or one device) if at all.

[20] Federal Cybersecurity Game-change Research and Development (R&D) Themes, http://cybersecurity.nitrd.gov/page/federalcybersecurity1
[21] Federal Cybersecurity Game-change Research and Development (R&D) Themes


- Lifecycle Feedback. Rich feedback loops from operations into the front end of system and technology lifecycles reduce costs, shorten adoption cycles, and improve ecosystem health.

Another way to examine the desired end state is through the qualities or attributes the building blocks might help create. A healthy cyber ecosystem might be:
- Inclusive. Encompassing capabilities embedded in an ever-widening web that extends far beyond traditional notions of the public Internet or of information technology (IT) and services. A healthy cyber ecosystem would include the Smart Grid with its energy-controlled home networks and IP-addressable appliances, the next generation of the National Airspace System which takes advantage of satellite capabilities, and the large number of legacy devices and control systems which must interoperate with the newest technologies.
- Effective. Able to defend against all types of cyber threats, including supply chain attacks; remote or network-based attacks, including those launched by sophisticated and well-resourced attackers using persistent methods; proximate or physical attacks or adverse events; and insider or disgruntled employee attacks.
- Smart. Able to sense the environment, recognize patterns, and share information in near real time across sectors and communities at both the human and machine levels in order to assure authorized transactions, prevent the most serious security breaches and increase response effectiveness when breaches or other adverse events do occur.
- Barrier-free. Having security choices instantiated in configurable digital policies rather than being hard-wired in network or system designs or imposed by technology limitations or shortfalls. Designers would design with the assumption that everything will be shared with everyone, and the only barriers to collaboration would be those imposed by policy.
- Optimized. Having capabilities and decision making allocated among humans and machines so as to best leverage the strengths and cycle times of each, consistent with maintaining agility. Further, having cyber defense organized so that machines defend against machines and people defend against people.
- Understandable. Having security expressed in user or stakeholder terms rather than in specialized security jargon and recognizing that everyone is a cybersecurity stakeholder. For example, stakeholders might want global visibility into the cyber environment, the ability to query the environment and get back a high-fidelity answer, and the ability to rationalize security costs.
- Assured. Able to sustain consumer confidence over time. This might mean moving beyond traditional security notions of preventing unwanted transactions to ensuring the right transactions occur, which could contribute more broadly to a sense of consumer safety and trust in sector operations for transportation, energy, health, etc.


- Usable. Having assembly, configuration, operational, and performance properties that are straightforward and well-behaving, rather than overwhelmingly complicated, brittle, and error-prone.

Attributes of Healthy Participants
Just as healthy individuals are essential to healthy communities, healthy participants are essential to a healthy cyber ecosystem. Cyber ecosystem participants include persons (both individuals and entities), devices, and processes.

Persons who are unhealthy cyber participants might lack awareness or skills, or they may not be who they claim. Persons who are healthy cyber participants might have continuing access to a range of education, training and awareness opportunities, including but not limited to exercises, simulations, and fully immersive learning environments. Further, they might have validated skills that have been codified for their occupations or positions and strongly proofed cyber identities.

Unhealthy cyber devices (computers, software, and communications technologies) lack awareness, functionality, or capacity or feature purposeful deceptions. Healthy cyber devices are:
- Self-Aware. Having the ability to collect information about security properties, draw conclusions, and report or act upon the conclusions.
- User-Aware. Having the ability to collect or receive and process information about supported users, missions, or business processes or assigned role in a larger cyber infrastructure plus ability to draw conclusions, report or act upon the conclusions, and implement policies that assure user privacy.
- Environmentally Aware. Having the ability to collect or receive and process information about the security of surrounding cyber devices of interest or the cyber environment, draw conclusions, and report or act upon the conclusions.
- Smart. Having the ability to retrospectively examine events and associated responses, correlate historical patterns with current status data, and either select from a range of ACOAs or formulate a new ACOA. Examples of ACOAs that may be deployed in near real time include filtering or rerouting traffic, cordoning off portions of the network or applications, changing access levels, reconfiguring assets, and quarantining users.
- Autonomously Reacting. Having the ability to initiate an ACOA.
- Dynamic. Having the ability to alter appearance or persona. Ideally, alterations are enacted on cycle times that are shorter than target acquisition and attack execution times. For example, today's systems tend to rely on selected system parameters for security, such as duration of timeouts or corruption thresholds. Typically, these parameters are chosen in advance and fixed for the lifetime of the system. Future devices could make these parameters variable. Additionally or alternatively, virtualization could be employed to project multiple decoy systems to confuse attackers and to frequently roll back actual systems to a known good state in order to obviate

- Collaborative. Having the ability to work in partnership with other participants to collect and assess security information, and select, formulate, or alter an ACOA intended to counter an attack or sustain priority services.
- Heterogeneous. Having the ability to collaborate with other participants using a common communications channel despite differences in affiliation, security policies or service level agreements.
- Diversifying. Having the ability to sense the appearance or persona of surrounding devices and to make oneself different from other devices.
- Resilient. For cyber defense purposes, having sufficient capacity to simultaneously collect or receive and assess security information, execute any ACOA, make alterations to the ACOA as needed, and sustain agreed-upon service levels.
- Trustworthy. Performing as expected and only as expected despite environmental disruption, user and operator errors, and attacks by hostile parties. Three approaches for achieving trustworthiness are software assurance [22], hardware-enabled trust (e.g., Trusted Computing Group-based technologies, associated system architectures such as Network Admission Control or Trusted Network Connection and trusted virtualization) and data provenance (e.g., metadata tags and labels containing identity, origin, and transformation history).

Unhealthy information exchanges should be expensive or difficult to adapt. Or they might be easily compromised, disrupted, or corrupted. Healthy information exchanges are:
- Secure. Secure exchanges are those in which the identities of all participants in an exchange are authenticated, appropriate digital identities and minimum attribute data are asserted, and the vulnerability of any communications in the exchange to unauthorized interception, diversion, access, use, modification or disclosure is minimized. [23]
- Environmentally Sustainable. Environmentally sustainable exchanges are structured for the most rational use of cyber resources (least effort), are bandwidth-friendly, easy to administer, and easy to achieve (for example, are broadly incorporated into commercial solutions).
- Rapidly customizable. Rapidly customizable exchanges are enabled by user-configurable profiles, parameters and rules and by open application programming interfaces (APIs).

[22] DHS Software Assurance Program, https://buildsecurityin.us-cert.gov/swa/
[23] National Strategy for Trusted Identities in Cyberspace (NSTIC)


- Lightweight and loosely coupled. Lightweight and loosely coupled exchanges are those that are achievable with existing infrastructure and with minor upgrades to existing tools and services, rather than through approaches that require extensive redesign.

Ecosystem-generated value, desired ecosystem and participant attributes, and ecosystem building blocks all work together. For example, an ecosystem with the ability to make automated adjustments to configuration in response to trust choices would offer increased reliability and resilience for supported business, social and civic processes while improving the privacy and civil liberties of users. An ecosystem with such abilities would also be self-defending. A self-defending ecosystem with human involvement could force attackers to take more risks and be more exposed. These activities, combined with greater attribution, could enable law enforcement or other deterrence to be more effective. A healthy ecosystem, in other words, mutually reinforces security, usability, reliability, and the protection of privacy and civil liberties.

Incentives and Adoption
We know today that users are not routinely complying with cyber best practices and configuration guidelines. Adoption of security standards is decidedly slow, and early indications are that cybersecurity continuous monitoring will face impediments to adoption. This indicates an imbalance of incentives, whereby defenders are not incented, but attackers are.

A persistent challenge in today's ecosystem is the inability to establish level of harm as a result of a cyber incident, be it loss of intellectual property, privacy, consumer confidence, business opportunity, or essential services. Such inability may be due in part to a lack of agreement on how to establish extent in a highly interconnected environment as well as how to measure, validate, and communicate effects. It may also be due in part to a lack of trust, which impedes information sharing and collaboration.

Earlier, this paper proposed types of activities that might be associated with an appropriately automated and distributed Cyber CDC that performs threat and incident watch, data dissemination, threat analysis, intervention analysis and recommendations, and coordination of preventive actions. In addition to promoting cyber health among communities, such a capability could provide vendors and system owners with the information and insight needed to diagnose problems and evaluate options for new or improved capabilities. One way to get started is through increased sharing of anonymized cyber incident and mitigation data. Aggregation and analysis of such data might lead to an improved ability to show how investments in cyber health can reduce operating costs, improve business agility, or avoid extensive mitigation costs (e.g., the cost of data leakage protection software compared with the cost of mitigating large-scale identity information disclosure). Such insights would likely strengthen consumer demand for healthy products and services and reduce risks to participants.


Way Ahead
While this paper has presented a comprehensive view of a healthy cyber ecosystem, there are many open questions. On the more technical side, they include: Can the ongoing work on security content automation be repurposed for self-defense? Will commercial products conform to open standards? To what extent can focus, convergence, and agility be decentralized to cyber systems in an autonomic (i.e., self-managing) fashion? Can autonomic defenses scale to encompass large-scale, distributed and multi-domain environments (e.g., mobile telephony, IP-based networks, and computing platforms), and if so, what elements of trust would be required?

Moreover, the path to successful realization is unclear. What are the business drivers that will incent the necessary investments? What are the appropriate roles and responsibilities of the public and private sector in delivering the healthy ecosystem? Which elements should be prioritized for early realization?

As a healthy cyber ecosystem emerges, governance questions become salient. Will system owners cede decision making to the community? Who sets policy for inter-enterprise information exchange and deployment of countermeasures? What liability regimes apply for collateral consequences of countermeasure deployment (or the failure to deploy known countermeasures)? What legal authorities should local and national governments, as well as international entities, have to compel action by devices owned by or serving private parties in order to secure the larger cyber commons?

Clearly the field is ripe for planning and action. The authors welcome feedback on this paper, and comment on all aspects of the problem. We are continuing our own analysis, and we plan to publish our findings, together with your feedback (to cyberfeedback@dhs.gov), in a sequel paper and a proposed action plan that, at a minimum, identifies key game-changing initiatives for each of the three building blocks. Potential game-changing initiatives might include:
- Piloting, demonstration, and rapid promulgation of community and inter-community ACOAs for collective defense
- Piloting, demonstration, and rapid promulgation of security content automation standards for functions described in the second and third waves of Figure 5
- Building upon the draft NSTIC to achieve standards-based device authentication, including small and often wireless devices composing massively scalable grids.


Glossary
General Terms
Cyber devices is a general term used to refer to computers; software systems, applications or services; electronic communications systems, networks, or services; and the information contained therein.

Cyber participants refers to people, processes, and devices.

Information structuring refers to methods and standards that organize data into components and relationships. A general example of structured information is a United States address. Its components are street number, street name, city, state, and zip code. States have fixed two-digit code names and zip codes have a specified five- or nine-digit format. An example of structured cybersecurity information is Common Platform Enumeration (CPE), a naming scheme for some elements of cyber systems. The top-level components of a CPE are platform name, hardware parts, operating system parts, and application parts. Structured cybersecurity information is necessary to automate activities that identify and manage cyber devices and their components, describe and manage security configurations and vulnerabilities, identify and track attackers and attack tools (e.g., malicious code or botnets), detect and describe events and attacks, express and execute cybersecurity policies or courses of action, describe and provide notice of cyber posture, and so on.

Cyber information exchange refers to sharing relationships and protocols that allow cyber participants to publish and subscribe, signal, or request and respond with cybersecurity information using consistent semantics.
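As an added illustration of the information-structuring point above (example code, not part of the DHS paper), the following Python parses CPE names, groups a device's names into the hardware, operating system and application parts the glossary describes, and checks whether an advisory's name covers an inventory entry. It assumes the published CPE 2.2 URI layout (cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}); the sample names are constructed.

```python
"""Parse CPE 2.2 URI names and group them into a platform description.

Added example (not from the DHS paper). It shows why structured
cybersecurity information matters: once platform names follow a fixed
component layout, inventory and advisory data can be matched by machine
instead of by reading free-text product descriptions. The field layout
assumed here is the CPE 2.2 URI format; all sample names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

# The seven positional components of a CPE 2.2 name, in order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# The "part" component says which kind of platform element the name describes.
PART_NAMES = {"h": "hardware", "o": "operating_system", "a": "application"}


@dataclass
class CpeName:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

    @property
    def kind(self) -> str:
        return PART_NAMES[self.part]


def parse_cpe(uri: str) -> CpeName:
    """Parse a CPE 2.2 URI such as 'cpe:/o:microsoft:windows_7::sp1'.

    Trailing empty components may be omitted; percent-encoded characters
    are decoded. Raises ValueError on a malformed name so that a caller
    never silently accepts junk as a platform identifier.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    raw = uri[len("cpe:/"):].split(":")
    if len(raw) > len(CPE_FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    values = [unquote(v) for v in raw] + [""] * (len(CPE_FIELDS) - len(raw))
    fields = dict(zip(CPE_FIELDS, values))
    if fields["part"] not in PART_NAMES:
        raise ValueError(f"unknown part {fields['part']!r} in {uri!r}")
    if not fields["vendor"] or not fields["product"]:
        raise ValueError(f"vendor and product are required in {uri!r}")
    return CpeName(**fields)


def group_platform(names: List[str]) -> Dict[str, List[CpeName]]:
    """Group one device's CPE names into the glossary's top-level
    components: hardware parts, operating system parts, application parts."""
    groups: Dict[str, List[CpeName]] = {k: [] for k in PART_NAMES.values()}
    for uri in names:
        cpe = parse_cpe(uri)
        groups[cpe.kind].append(cpe)
    return groups


def matches(inventory_name: str, advisory_name: str) -> bool:
    """True when an inventory entry falls within an advisory's (possibly
    less specific) name: every component the advisory specifies must equal
    the inventory's; components the advisory leaves blank match anything."""
    inv, adv = parse_cpe(inventory_name), parse_cpe(advisory_name)
    for f in CPE_FIELDS:
        want = getattr(adv, f)
        if want and want != getattr(inv, f):
            return False
    return True


# Constructed sample inventory for one device (not real asset data).
SAMPLE_DEVICE = [
    "cpe:/h:example_vendor:thin_client:2.0",
    "cpe:/o:microsoft:windows_7::sp1",
    "cpe:/a:adobe:acrobat_reader:9.4.1",
    "cpe:/a:example_vendor:agent:1.3:%7Ebeta",
]

if __name__ == "__main__":
    for kind, parts in group_platform(SAMPLE_DEVICE).items():
        print(kind, [f"{p.vendor} {p.product} {p.version}" for p in parts])
    # An advisory naming only vendor and product covers every version of it.
    print(matches(SAMPLE_DEVICE[2], "cpe:/a:adobe:acrobat_reader"))
```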
Standards Acronyms

ARF     Assessment Results Format
CAIF    Common Announcement Interchange Format
CAPEC   Common Attack Pattern Enumeration and Classification
CCE     Common Configuration Enumeration
CEE     Common Event Expression
CPE     Common Platform Enumeration
CVE     Common Vulnerabilities and Exposures
CVSS    Common Vulnerability Scoring System
CWE     Common Weakness Enumeration
IDMEF   Intrusion Detection Message Exchange Format
IODEF   Incident Object Description and Exchange Format
MAEC    Malware Attribute Enumeration and Characterization
NIEM    National Information Exchange Model
OVAL    Open Vulnerability and Assessment Language
SecDEF  Security Description and Exchange Format
XCCDF   Extensible Configuration Checklist Description Format
