A Whole-Community Cybersecurity Program
by Dr. Gregory B. White, Director of the CIAS-ISAO
Why is a Whole-Community Cybersecurity Program needed? There are several reasons:
- Research has shown that unless the community is sharing information, as many as 45 percent of probes and attacks on organizations within a community may be missed.
- Effective cybersecurity is best accomplished when we act as a team and not a group of individuals.
- In order for the above to occur effectively, there is a needed element of trust which is best accomplished at a local level.
- Should a large cyber event hit the state or the nation, there are not enough state or federal resources to be able to help all communities individually.
- Some pending federal funding requires states and communities to be implementing a cybersecurity program.
Research at The University of Texas at San Antonio was conducted to better understand the attacks that occur on communities and the organizations within the community. A “honey community” was created to conduct this research.
Just like honey pots and honey nets, the honey community was a fake community constructed to observe how attacks were conducted on community organizations. A website was created for the community of Roadrunner Park, from which five different sectors could be accessed. Once the site was constructed it was connected to the Internet for a short period of time and the network activity recorded.
Since there is no real community of Roadrunner Park, any access of the site was potentially a probe or attack. This allowed for a more complete analysis of the data. When analyzed, the data showed that 55 percent of the attacks occurred on one or more sectors.
What surprised the researchers was that 45 percent of the network activity would have most likely gone unnoticed if normal security thresholds were in effect. For example, a single failed login attempt on an organization is generally ignored because having a user mistype a password is not uncommon. If, however, there is a single failed login attempt using a specific user ID/password combination on a system at one organization, followed quickly by the same combination used at another organization, then this would present a completely different situation. Rather than a user mistyping a password it is more likely somebody who is attempting to find a system that might not have a default password disabled.
While this is a simple example, it demonstrates the importance of organizations within a community communicating. In the example. it will more likely need to be an automated information sharing system that would communicate between sectors to catch this activity. Before organizations will be comfortable with automatically sharing information such as this they will need to be comfortable with the other organizations in the community that they will be sharing with and this leads to the other reasons for a community cybersecurity program.
Cybersecurity: A Team Effort
It is very difficult for a single individual to be an expert on all aspects of security. In larger organizations, there may be different individuals employed to address security on different systems or security devices. In situations such as this the employees can work together to address the overall security of the organization. Each one has somebody else to communicate with when questions or issues arise. For smaller organizations, however, there may only be a single individual employed as the security administrator. There may not even be an individual dedicated to security but instead security may be a responsibility of an individual who has other responsibilities as well. In this case it is very hard for the organization to stay on top of all aspects of security that could have a negative impact.
The employee needs to have others who they can communicate with to discuss security issues. It will also become important to have a community organization whose purpose is the sharing of cybersecurity information between all elements of the community. Such an organization provides a ready source of help if a security question or issue arises in an organization. A community Information Sharing and Analysis Organization (ISAO) would be such an organization.
To participate in the type of sharing mentioned so far, an individual and an organization needs to have enough trust in who they are sharing information with to know the information they have shared will not be misused. Trust is not instantaneous; it takes time to establish the relationship between individuals and organizations before the needed level of trust can occur. This was seen in the early days of the Information Sharing and Analysis Centers (ISAC). It took several years before more sensitive information was shared within the ISACs that could then be shared with the other members.
One of the ways to more quickly arrive at the needed level of trust is to participate together in activities. This has been observed in local information sharing organizations where individuals from across the community meet on a regular basis to talk about different and current security issues. After some time the members become much more comfortable with sharing information and working with the other members they have come to know as a result of the regular meetings.
Large Cyber Events
There have been several large security events (the SolarWinds hack, for example) that impacted a large segment of the population. There have also been occurrences where a vulnerability has been disclosed along with a patch only to be quickly followed by an exploit that takes advantage of the vulnerability. If organizations are not right on top of such events they could easily fall prey to the new exploits. Again, for small organizations in particular, staying on top of all security issues is hard unless they have some help to know what the important issues are and what needs to be accomplished. Having a community information sharing organization that can send alerts and recommendations out to all members and that also has a membership that knows and trusts each other can help all members of the community more quickly address security events.
Federal guidance is to report to organizations such as the FBI and Department of Homeland Security (DHS) when you are hit with an attack, such as ransomware or a breach of your security. If you are the only organization that has been hit, or one of only a few, then the FBI and/or DHS might be able to directly help you. They might also be able to provide guidance if the event is hitting a large number of organizations if the event is caused by the same issue.
If you are a small community, however, you will not be able to have direct help as both federal and state resources are limited and the priority is going to be the large communities. Small communities will have to respond on their own with their own resources. A community with an established cybersecurity program and established information sharing processes will be much more likely to be able to effectively respond to cyber events impacting them.
The recent federal Infrastructure Bill that was passed included $1 billion in funding for cybersecurity to be awarded to states and communities over the next few years. While it seems like a large amount of money, when split between 50 states plus territories and the over 30,000 municipalities within the United States, it becomes clear that not everybody is going to be able to obtain the amount of funding that they would like to have. Additionally, there will be a requirement for states and communities to have a planned program where the funding will be expended.
How much better will states and communities, and indeed the nation, be if instead of 50 different state programs and potentially hundreds if not thousands of community programs there was a general consensus on the basic plan/program that each is implementing? Each state and community will have aspects that will be different from others but a basic program that crosses all states and communities will greatly facilitate the team and information sharing aspects described previously.
This article was designed to introduce the topic of whole-community cybersecurity programs. Future articles will break down how this can actually be implemented within communities of all sizes.