Two intelligence agency deputy chief information security officers (CISO) agreed Feb. 19 at an event organized by AFCEA NOVA that cyber threat data sharing between agencies is a virtue that needs to happen more often and more quickly.
Mike Ryan, Deputy CISO at the National Reconnaissance Office, and Chris Brown, Deputy CISO at the National Geospatial Agency, discussed both similarities and differences in their respective to-do lists, but came down on the same page regarding threat sharing.
Asked about the state of threat-sharing across intelligence community agencies, Brown said that “one of my proudest moments” comes when his team reports on threats it has detected on the agency’s network and shares that intelligence. As for frequency of sharing, he said “it comes in waves.”
“We are doing some of it … and we are trying to do more,” Brown said. He added that effective sharing of threats needs to happen within hours, or minutes, to maximize effectiveness.
“There’s a long way to go” on threat sharing between agencies, Ryan said. Some of that sharing, he said, depends on good human-to-human relationships, but technology has an obviously vital role. “We need as much automation as possible” to do better at sharing, with threat data that is also accompanied by enough background information to increase its meaning and usefulness.
Discussing a day in the life of a deputy CISO, Brown said his focus runs a wide gamut from hiring, workforce training, contractor support, incident response, and supply chain risk management, to name a few. From a process point of view, he said “we continue to get audited like crazy” by inspectors general and for FISMA purposes.
On the threat front, Brown said the agency continues to see email phishing attacks. And while humans remain the weakest link in the security chain, he added, “we really need technology” to capture phishing emails before they get delivered to users.
Regarding the threat spectrum, Ryan said his biggest fear is not an attack that will deny access to data, which he said the agency would detect pretty quickly. Much worse, he said, is an attack that would alter or manipulate data “that affects warfighters in the field – that’s my biggest nightmare.”
Asked about security tools, Brown said the agency is in the process of looking at the current lineup for “gaps and overlaps.” He added, “We just can’t dump a new tool in without asking what one we should take away.” Down the road, he said, networks will tend to be of more hybrid architecture, so a focus on cloud security becomes more important.
Ryan said he is working toward more continuous monitoring of systems. Another problem, Ryan said, is “not knowing how old some of the stuff is” on the network. One solution to better network discovery, he said, is to block access to certain network functions, and then see who complains from the user base.
Asked about supply chain threats, and specifically the threat posed by equipment made by China-based firms such as Huawei, Ryan responded, “It’s one thing to say we should never buy their stuff.” But he continued, “nobody in the U.S. [is] making chips … and you really can’t tell” with certainty what kind of chips are in equipment assembled by U.S. firms. Given that state of affairs, zero-trust architecture becomes a more attractive solution, he said.