“The biggest challenge we have as an industry is fragmentation within the security organization” of enterprises, said ThreatConnect CEO Adam Vincent at the Security Innovation Network showcase in Washington Thursday.

“If you look at the market for information sharing, the ecosystem, it’s really, really, inefficient,” added Department of Homeland Security Assistant Secretary for Cyber Policy Robert Silvers. “There’s a lot of legacy, manual processes, sending emails of PDFs. You have incomplete information awareness with some people just talking to others bilaterally … all the information isn’t getting out to all the people. It’s the kind of market an innovator would want to disrupt.”

But the problems aren’t limited replacing legacy systems.

“When I go into security organizations, even when I’m talking to the CISO, in many cases they don’t have a good picture of what their architecture is, it’s highly fragmented across the different parts of their ecosystem with different products, different strategies, different people … they aren’t communicating well,” said Vincent.

Part of the challenge, said Marcus Sachs, chief security officer at the North American Electric Reliability Corporation, was that technology wasn’t the issue with information sharing.

“Machines will trust other machines when we tell them to, but people aren’t like that,” he said. “Where we struggle is how do you get what you’ve got processed by somebody’s eyes? … The eyes are the portal to the brain.”

But that interface has limitations, he explained. “Lines and lines of code aren’t so good” at conveying information.

As an example, he said his eye could immediately pick out those members of the audience not wearing jackets. “They are the outliers,” he said, like the tiny anomalies security personnel were supposed to find in vast volumes of log data.

David Hahn, the chief information security officer for Hearst Corp., said that he had “developed an ecosystem of technologies, of service providers, of vendors that are all helping protect … It’s not just me and my team.”

He said he had contracts with “probably all of the leading security companies.”

“It gets very noisy and dysfunctional at times,” he said.

When considering a new security product, he said, “another feed of really great stuff is always fine,” but what he needs to pay attention to to is: “What is my architecture, where’s it going to fit?”

“Right now I’m just collecting all of it,” he said of the multiple inputs. “It becomes very complex.”

His approach, he said, was to “bring my vendors together to look at it from a total ecosystem point of view — to figure out what am I managing?”

Silvers said DHS was attempting to help by creating what he called a “world clearing-house for cyber threat indicators … Shared at machine speed” through the Automated Indicator Sharing program.

“The vision for this product is that an attack seen anywhere in the  world can only be used one time because it’s then reported in and shared out without everyone else” who can then protect themselves against it, he said.

The post DHS official: Info sharing market ripe for disruption appeared first on FedScoop.

DISA’s Maj. Gen. Sarah Zabel discussed cyber intelligence and threat information sharing

When it comes to cyber intelligence, more isn’t necessarily better, civilian and military cyber leaders cautioned Tuesday.

Quality, transparency and integrity are more important than simple volume, a panel at the Symantec government symposium said.

When it comes to quality, “I rely on the trusted information clearing houses that different organizations run,” said Maj. Gen. Sarah Zabel, vice director of the Defense Information Systems Agency, citing as an example the Pentagon’s Defense Industrial Base Cybersecurity Program and its DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal — known as DIBNet.

DIBNet shares “unclassified and classified cyber threat information,” according to its website. Defense officials say the technical indicators are carefully vetted. The Department of Homeland Security has tried with varying levels of success to replicate the DIB program across other vital industrial sectors.

Although each sector is different, they all require certain baseline characteristics. One is transparency, said Transportation Security Administration CIO Steven Rice.

“When you’re in these information sharing environments, you need a level of transparency … everyone needs to understand their roles.”

Among the rules of the road that need to be laid out upfront, said Rice, is what would be done with information provided by the private sector. “What are the rules of engagement for any information that will be provided? And what are the escalation procedures that you would have … when there is an anomaly discovered .. from a stakeholder that needs to be communicated across the industry base?”

In part that’s because, as Zabel pointed out, “In many cases, when a commercial partner comes in … with information they want to share, they’re happy that the government knows, they don’t really want their competition to know it.”

David Blankenhorn, the chief technology officer for government contractor DLT Solutions raised what he called the “integrity issue.”

“It’s important to get trusted data,” he said. “We need to ensure that the threat feeds are legit.”

Without vetting, he explained, threat feeds could be turned against  those they were supposed to protect.

“If I were a bad actor and I wanted to create a decoy or a red herring, I would come to you and say ‘Here’s a threat that I’ve seen, here’s a signature’ … and I could make it look really good. And then all of a sudden [vital parts of the system] are being locked down” on your network, because they bear the fake “indicators of compromise” provided by the bad guys.

“It’s an issue of trust,” said Blankenhorn, “but it can’t can’t be blind trust.”

The other panelists agreed. Speaking of trust, Rice said, “This is not something that happens overnight. This is something that has to be built over years.”

The post Cyber intelligence: More isn’t always better, warn officials appeared first on FedScoop.

(pixabay)

LAS VEGAS – Apple announced at the 2016 Black Hat USA security conference Thursday that it is planning to launch a new bug bounty program, which will offer cash to security researchers who find and reveal undisclosed vulnerabilities in the company’s products. Payouts can reach as high as $200,000.

The bug bounty program will begin in September on an invite-only basis and will first focus on the latest version of iOS, Apple’s mobile operating system.

Though the company had previously provided an official channel to share flaws in Apple’s technology, Thursday’s announcement represents the first time Apple has created a publicly visible bug bounty program.

Uber, Twitter, Facebook and even the Department of Defense have all leveraged bug bounty programs in the past to find vulnerabilities and thereby patch security holes. Such bounty programs are typically structured to limit or control the digital environment where the actually hacking occurs — with certain, affected systems quarantined from other business operations.

Until Thursday, Apple was one of the last, remaining major commercial technology brands to have never experimented with a bug bounty program.

To begin, the newly announced vulnerability disclosure project will be focus on just five distinct categories of bugs, including secure boot firmware components and unauthorized access to iCloud account data on Apple servers.

The prizes for disclosed, never before discovered vulnerabilities range from $25,000 to $200,000.

The post Apple launches bug bounty program appeared first on FedScoop.

HHS’ Office of the National Coordinator for Health Information Technology and Office of the Assistant Secretary for Preparedness and Response are offering a combined $400,000 to a private sector entity to send and receive critical cyberthreat information, connecting the department, the greater health care sector, and other federal partners, such as the FBI and Department of Homeland Security. ONC issued a grant worth $250,000, and ASPR issued one worth $150,000 for the ISAO, both of which are renewable for up to five years.

“Recent high profile cybersecurity incidents have demonstrated the need for improved [cyberthreat information, or CTI] sharing among organizations in the [health care and public health sector] sector,” ONC’s funding announcement says. “These organizations require access to timely and accurate CTI in order to manage resources and establish protective measures to effectively counter this threat. A number of Executive Branch policies have placed a responsibility on HHS to take on a lead role in CTI sharing with health care organizations.”

HHS is charged by the Cybersecurity Information Sharing Act of 2015 as a sector-specific agency to share cyberthreat information with private sector organizations through an ISAO.

[Read more: Senate passes CISA, rejecting privacy fears, amendments]

“Establishing robust threat information sharing infrastructure and capability within the Healthcare and Public Health Sector is crucial to the privacy and security of health information, which is foundational to the digital health system,” said Karen DeSalvo, the national coordinator for health IT, in a release. “This coordinated resource will focus on sharing the most up-to-date threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information.”

The eventual awardee, according to a release from ONC, should “Provide cybersecurity information and education on cyber threats affecting the Healthcare and Public Health sector, expand outreach and education activities to assure that information about cybersecurity awareness is available to the entire Healthcare and Public Health sector, equip stakeholders to take action in response to cyber threat information, and facilitate information sharing widely within the Healthcare and Public Health Sector, regardless of the size of the organization.”

Prior to developing these grants, HHS awarded a planning grant to Harris Health System to audit the health sector for any gaps in the sharing of cyberthreat information. Though Harris is still developing its final report, it offered preliminary findings revealing that health care leaders feel threat information sharing is “too slow in the sector” and that a centralized source for sharing is needed, as well as automated sharing and a “common technical language and platform” to facilitate it.

“Keeping health IT up and running is critical to health system preparedness. Not only do we need to worry about natural disasters, but also increasingly we must combat—and prevent—cyber threats. Many parts of the healthcare system don’t have access to the information they need to protect themselves from these threats,” said Dr. Nicole Lurie, assistant secretary for preparedness and response, in the release. “Using an ISAO to exchange cyber threat information with these healthcare organizations, bi-directionally between HHS and the Healthcare and Public Health sector, we hope to build the capacity to better prevent, detect and respond to cyber attacks.”

HHS is opening the grant to “Local, Public nonprofit institution/organizations, Private nonprofit institution/organizations, private and for profit organizations that are already providing outreach and technical assistance to participating organizations on cybersecurity threats,” according to the award announcement. Additionally, organizations may team up to apply for the award “because [cyberthreat information] sharing is a collaborative exercise that needs everyone’s participation, such collaboration is encouraged.”

The project is divided into three phases: The first, which will be two years long, involves preparing and building out the infrastructure of the ISAO. Phase two — during the third and fourth years — involves the initial stages of serving as an ISAO. Finally, in the fifth year, the third phase aims to make the ISAO fully operational and sustainable. Years two through five of the program are subject to funding availability.

HHS will accept applications until Aug. 19, requiring a notice of intent from organizations by Aug. 1. Awards should be made by Sept. 16, and the project will launch Sept. 26.

The post HHS offering $400,000 to jumpstart health care info sharing appeared first on FedScoop.

Halvorsen believes that within the next three to five years the U.S. and many of its allies — particularly those in Europe and in the “Five Eyes,” a signals intelligence alliance comprised of Australia, Canada, New Zealand, the United Kingdom and the United States — will reach those IT commonalities “across the board, for everything from cloud to office systems to data center structure.”

“If we can get there, that gives us an unbelievable warfare advantage,” Halvorsen said at AFCEA’s Defensive Cyber Operations Symposium. “It also gives us an unbelievable business opportunity to better embrace commercial, bring the advantages that commercial can to the war business, bring what we do well in the war business to the commercial sector, and everybody wins.” 

The UK’s Ministry of Defence announced last year its plans to move to Microsoft’s Azure cloud, and the DOD CIO hinted Thursday at doing the same. “I think that’s the right way for us to go,” said Halvorsen, who’s been a very strong proponent of Microsoft products, particularly Windows 10, which he has ordered all DOD agencies and services to move to by Jan. 31, 2017. 

In a recent call with reporters, Halvorsen said he’s been pressing allied forces to follow suit in developing a common Windows 10 baseline. “We have an opportunity…to improve the way we can all communicate because we’ll all be on a standard baseline,” he said then.

Halvorsen’s speech came just days after he traveled to an event in Germany with “lots of our allied European countries there,” he said, adding that there was plenty of evidence that “we’re all at least at the DOD-equivalent-level looking at similar solutions.”

“If we get that right, it gives us the ability to share, on a routine basis, data that we need to between the allies, but maybe most importantly when I need to quickly stand up networks and exchange data instantaneously at tremendously low cost,” he said.

Indeed, it goes well beyond better communication between allies. “We need to be able to move data with them, we need to be able to hook ISR [intelligence, surveillance and reconnaissance] up to them, and we need to do that in such a way that everybody’s data that needs to be separate and protected is protected, but all the people who need to see it instantaneously can see it when they need to,” Halvorsen said.

“That is a major, major problem,” he said. “It is the panacea of what we want in the end.”

While the DOD continually makes efforts to embrace Silicon Valley innovation, Halvorsen pointed to the move to allied common systems as another opportunity to invest in innovation outside of California’s Bay Area. Yes, Silicon Valley is a geographic region with a lot of capital investment to back it, Halvorsen said, but he thinks of it more as a state of mind that can happen anywhere with the right backing.

With that in mind, Halvorsen said the DOD invested alongside the UK MOD in London-based software startup Improbable, a modeling and simulation company that uses big data to build simulated worlds, and he thinks it could be applicable to the battlefield and defense.

“I think it will be a major game changer in how we look at modeling and sim and the results that we produce,” he said.

The post Pentagon, allies working toward common IT systems appeared first on FedScoop.

Prior presidential transition teams relied on more paper-based and less computerized methods of communicating and coordinating a change in office, which often left a president’s first 100 days ineffective and inefficient, and in some cases put the nation at risk, panelists at a Partnership for Public Service discussion on the upcoming transition said.

PPS CEO Max Stier noted that, during 2008, in the scrambling lead up to the presidential election, hackers thought to be working for China had broken into the computer networks of both campaigns, giving them access to the Obama team’s transition files and early administration plans “outside the confines of a government facility.”

“It is super important, not only that these campaigns are starting to work earlier on this stuff, but that they’re doing it in an environment in which you can have a better guarantee of the security of information,” Stier said Wednesday at the event, organized around the partnership’s launch of its Center for Presidential Transition, created as a single digital resource for guidance and documentation on past transitions so new administrations won’t have to start over from scratch.

There’s also the inherent fear within candidates’ campaign teams that information sharing could fall into the wrong political hands, particularly those of an opposing party, and lead to the sabotaging of the tail-end of their run for presidency.

Josh Bolton, who served as former President George W. Bush’s chief of staff, said his team tried to help expedite the clearance process for top-level appointees who’d eventually enter the White House under President Barack Obama in 2009, but there was an obvious insecurity in the process.

“We were willing to help them get people cleared early, but they didn’t want to have us with all the names of the people whom they were trying to clear for national security positions,” Bolton said. “We certainly wouldn’t have intended to do anything like that, but I think it’s a legitimate fear that a campaign faces.”

There are also concerns with “the translation of your technology platforms from transition activity to actually governing,” Stier said. “That’s another place where you have potential for a lot of misstep.”

With the creation of the Presidential Transitions Improvements Act of 2015, however, experts believe there will be more outside help in facilitating an orderly exchange of power. Under that law and its precedents, the General Services Administration is tasked with helping ensure that smooth transition. The agency launched its own website last November as a resource for candidates in the 2016 election to get a head start in their planning.

Likewise, Stier believes the legislation will give candidates some cover to start “measuring the drapes” earlier and help some of the information security concerns among parties, providing “secure environments for a lot of this work to be taking place.”

During past transitions, there really was no repository or body of help like the partnership and GSA have created to guide new administration staff, who in some cases may have never stepped foot in the White house before.

“There was no playbook … and undoubtedly we made mistakes,” said Thomas McLarty, former chief of staff to President Bill Clinton. “That’s what we were missing in 1992.”

“There was no way to go to a central place, no one stop, there wasn’t anything close to that,” he added. “It was very, very chaotic.”

The United States, though, is a vastly different place since each of the last transitions, with major events like the economic crisis in the late aughts and the 9/11 terrorist attacks changing the level of seriousness the converging administrations must take during the 2017 transition. Bolton recalled the Obama administration’s receiving credible intelligence on a treat of national security during its first few hours. His team had to stay on after if was technically no longer in office to sit “side-by-side” with Obama’s team to ensure it was equipped to handle the threat.

“The threat turned out not to be real, but the intelligence was pretty serious,” he said. “The point is there was no template for this. We were making it up as we went along, and at that point we were just lucky we put in place a couple of those elements.”

The technological advance of the country is another factor that should play into the upcoming transition.

“Technology, the world, information flow has dramatically changed,” McLarty said. “There’s this plethora of information.”

And leveraging that wealth of information is to the transitions teams’ advantage, he said. “Technology is our friend here. I think we can just do things much more efficiently.”

Contact the reporter on this story via email Billy.Mitchell@FedScoop.com, or follow him on Twitter @BillyMitchell89. For stories like this in your inbox every morning subscribe to the Daily Scoop here: fdscp.com/sign-me-on.

The post IT crucial to smooth 2017 presidential transition appeared first on FedScoop.

ODNI’s Standards Coordinating Council for information sharing this month quietly released the “beta test version 2” of its Information Sharing and Safeguarding Environment Playbook. Developed by nonprofit law enforcement information sharing corporation the IJIS Institute, the playbook is based on the U.S. Digital Services Playbook, ISE Program Manager Kshemendra Paul said Thursday.

The tool is rooted around four different concepts: security and privacy controls, a maturity model, reuse of frameworks and tools, and communities of interest, Paul said, emphasizing that final concept.

“In the government, any big problem requires a community of interest,” he told the audience at an Intelligence and National Security Alliance breakfast event in Tysons Corner, Virginia. “Nobody solves big problems all by themselves.”

In its current state, the IS&S Playbook stands at 15 plays, starting from understanding what users need all the way through defining capabilities, implementing a plan and finally scaling it. But Paul also highlighted that the playbook can be used by organizations of varying maturities. That is, agencies don’t necessarily have to start at the first play and follow through in order.

“The Playbook is intended to allow users at any point in a process to pick up the document, identify where they are in the process, and then move forward,” the playbook’s appendix says.

Like the USDS Playbook, the ISE tool is rooted in user-centered design principles. “Taking the if-you-build-it-they-will-come approach often does not work – it can be a costly failure and it can result in irreversible damage to trust in the project goals,” the playbook reads. “The continuous engagement of the end user throughout the entire process will increase the probability of IS&S Environment success.”

Tools like the playbook and others, Paul said, are meant to help “agencies scale trust.”

“When you go between communities or between agencies or levels of government, you don’t have trust, because it’s not a traditional sharing relationship,” he said, noting that the process is heavily rooted in policies and standards. “When you want to scale trust, you have to accept that you’re going to…share with people you don’t necessarily know, but there are frameworks in place that you can trust.”

ODNI and the ISE program management team are currently piloting the playbook with many of their partners across the federal, state and local levels, Paul said. The offices are open to any comments or feedback on the playbook to help shape future versions of it.

Contact the reporter who wrote this story at Billy.Mitchell@FedScoop.com, or follow him on Twitter at @BillyMitchell89.

The post U.S. quietly piloting info-sharing playbook for cops, spies appeared first on FedScoop.

The benefits of the information-sharing apparatus have been seen in investigations into “human trafficking, drug trafficking … those areas at the nexus of national security and public safety,” ISE Program Manager Kshemendra Paul told FedScoop.

He spoke to FedScoop as his office’s annual report to Congress was circulating on Capitol Hill, highlighting the ISE’s success in several of its key “lines of effort,” including the development of common standards for incident reporting and record-keeping that allow the nation’s nearly 18,000 police agencies to submit reports to regional fusion centers or other multi-agency organizations in a uniform format.

“Law enforcement in the U.S. is a very fragmented enterprise,” Paul noted, “And that’s a feature not a bug. It was designed that way.”

Those national standards and the universal reporting formats they fuel — most famously the Suspicious Activity Report — are “mission agnostic,” Paul points out. As useful in hunting down pimps or drug-traffickers as they are for catching terrorists. “There is a lot of overlap with criminal intelligence,” he said.

Indeed, many of the purposes for which the standards are being used are aimed at what Paul calls “aligning field-based [criminal] intelligence efforts” — de-conflicting intelligence-led operations like undercover probes or serving high-risk warrants with other police agencies.

And that’s led some critics to see mission creep at the ISE.

After all, when Congress and the George W. Bush administration set up the ISE in 2005, they were responding to a terrible truth that had dawned on 9/11 investigators as they sifted through both the rubble and the digital trail the 19 hijackers had left: Many of the suicide attackers had fractious interactions with local police; some had aroused suspicion as they entered the country, or afterwards. Famously, a would-be 20th hijacker was detained after telling an aviation school he wanted to learn how to fly a plane, but not how to take off or land.

These “dots” of information, it was said, had never been joined. ISE was supposed to fix that problem for counter-terrorism.

But doing so, Paul said, necessitated providing a service to the agencies collecting those dots – the nearly 18,000 state and local police and public safety agencies on the front lines of law enforcement around the country.

Those frontline agencies, he said, had “neither the money nor the interest” to participate in a solely counter-terrorist program, and ISE has no power to compel them. “We have moral authority … that’s it,” he said. ISE has to offer something that’s useful to them.

He said the common standards ISE promoted let law enforcement agencies participate in information sharing to the degree they felt comfortable with it. “None of this is mandatory for any of our state and local partners,” he said.

Indeed, Paul says ISE has created a new model for governmentwide initiatives. “We’ve taken a non-traditional approach” to promoting the goal of information-sharing, working with nonprofits and membership associations, like the International Association of Chiefs of Police, to shape standards that will be useful to, and usable by, their members.

“It’s not managing, it’s collaborating,” he said, adding later that it is “coordinating, not mandating.”

The post Info-sharing spreads work from terror to crime appeared first on FedScoop.

Last week, two of the nation’s top military officials gave a full-throated defense of the government’s data collection programs and the importance of robust cyberdefense capabilities.

In separate speeches, National Security Agency Director Keith Alexander and Joint Chiefs of Staff Chairman Martin Dempsey argued controversial phone and Internet-monitoring programs were part of a necessary expansive plan to defend the country from the new cyberlandscape.

“One thing is clear: Cyber has escalated from an issue of moderate concern to one of the most serious threats to our national security,” Dempsey said Wednesday during a speech at a Brookings Institution forum.

The next day, Alexander echoed Dempsey. “If you look at the statistics and what’s going on, we’re seeing an increase in the disruptive and destructive attacks,” he said at the Armed Forces Communications and Electronics Association International Cyber Symposium in Baltimore. “And I am concerned that those will continue. As a nation, we must be ready.”

Alexander — whose agency has been under scrutiny in the weeks since Edward Snowden released information about secret data collection and surveillance programs — said the public outing of NSA’s clandestine programs has damaged their effectiveness. Using two separate programs, NSA has been collecting telephone metadata — anonymous records of phone logs — and Internet activity — emails, browsing history, etc. — for several years.

“The damage is real,” he said. “I believe the irresponsible release of classified information about these programs will have a long-term detrimental impact on the intelligence community’s ability to detect future attacks. These leaks have inflamed and sensationalized for ignoble purposes the work that the intelligence community does lawfully under strict oversight and compliance.”

Alexander provided Congress with 54 examples of terrorist plots foiled using information from these programs. If these potential assailants had known of the government’s communications monitoring programs, Alexander said, these might not be foiled plots.

“Those who wish us harm now know how we counter their actions,” he said. “These leaks have caused significant and irreversible damage to our nation’s security.

Which is why the U.S. must invest in cyberdefense across all federal agencies, Alexander said. Dempsey, in his speech, detailed what this investment will look like. In four years, he said, the government will pour $23 billion into U.S. Cyber Command. That’s 4,000 additional cyberoperators and three 24-hour teams: a national mission team to counter cyberattacks on the U.S., a global team supporting combatant commanders and a network defense team to protect the networks supporting military operations worldwide.

And then there’s the NSA’s mysterious $1.5 billion NSA data storage facility being built in Utah. According to the Denver Post on Monday, recent leaks showed the facility will house “among the most sophisticated supercomputers and largest reserves of data storage on the planet,” with the capability to process roughly one thousand trillion calculations per second. It will make the data collection programs even more powerful.

“We’re being attacked,” Alexander said. “And we’ve got to figure out how to fix that.”

The post Defending secrecy, building the nation’s cyberdefense appeared first on FedScoop.

The Obama administration announced June 24 more than 20 new commitments supporting the Materials Genome Initiative. The MGI is a public-private initiative, which seeks to quicken the pace at which high-tech materials are developed and deployed in the U.S.

What began as a $63 million project has since evolved into an endeavor exceeding hundreds of millions of dollars, and involvement by multiple federal agencies, technology industries, universities, professional societies, and engineers and scientists from all over the country.

Many federal players have taken stake in the MGI. The National Institute of Standards and Technology is planning to launch a competition to form a $25 million Center of Excellence on Advanced Materials.

NIST is also partnering up with the Energy Department, and will soon announce its $3 million in new awards for its recent solicitation on advanced lightweight metals. Energy is also using its Argonne National Laboratory to lead the Joint Center for Energy Storage Research project.

The Defense Department has also partnered with different agencies to get onboard with the MGI. The Defense Advanced Research Projects Agency has collaborated with the U.S. Army and NASA to make data gathered by DARPA’s Open Manufacturing Program widely available.

The MGI is working toward a variety of goals, ranging from creating more safe and fuel-efficient cars, to developing metals used in spacecraft that can better stand extreme temperatures. Using partnerships between the private sector and academic researchers, the MGI seeks to unlock the potential of shared data in speeding up the innovation process.

“Building on two years of progress for the MGI and the exciting new commitments announced today, we’re on our way to cutting in half the time it takes to develop new materials that can fuel advanced manufacturing for a 21^st-century American economy,” the White House’s Office of Science and Technology said in a June 24 statement.

The post In third year, Materials Genome Initiative pushes forward appeared first on FedScoop.