Attacks Highlight Info-Sharing Success
Incidents, Real and Threatened, Provide Collaboration Lessons
A result of recent high-profile distributed-denial-of-service attacks targeting American banks and the lackluster OpUSA campaign against the federal government has been improved sharing of threat information in the public and private sectors, says cybersecurity expert Mark Weatherford.
The OperationUSA attack that the hacktivist group Anonymous announced would hit U.S. government and banking institution websites in early May never gained much traction [see OpUSA: A Lackluster DDoS Operation]. Still, one result of the threat of such attacks over the past year has been increased coordination and collaboration across the federal government regarding cyber-attacks, says Weatherford, who stepped down earlier this spring as the Department of Homeland Security's deputy undersecretary for cybersecurity.
"The ability of the FBI, DoD and DHS to work together on this ... has been pretty remarkable, how they've been able to come together and learn," he says in an interview with Eric Chabrow [transcript below].
That collaboration also involves the various information sharing and analysis centers, such as the financial services industry's FS-ISAC, and the federal computer emergency response teams.
Weatherford, now a principal with the risk management and security consultancy Chertoff Group, says an important result from recent hacktivist campaigns, including attacks against banks by the group Izz ad-Din al-Qassam Cyber Fighters, has been the collaboration between the FS-ISAC and the Department of Homeland Security.
"There's a very robust exchange of information from the ISAC to DHS and from DHS back into the ISAC," he says. FS-ISAC distributes the information to its financial-services members.
"It's been a pretty good learning experience," Weatherford says. "The banking and the [Internet service providers] have really come together, recognizing that everybody's in this together. Even though there's competition among the different companies, they're sharing information that's helping everybody."
In the interview, conducted days before OpUSA fizzled, Weatherford discusses:
- How government security professionals could learn from the attack to better strengthen IT systems;
- The improved environment of cyber-threat information sharing within government and between the government and industry, despite Congress' failure to enact legislation to encourage more cyber-intelligence sharing; and
- How the government divvies up cybersecurity responsibilities to protect agencies' digital assets.
Weatherford stepped down this spring as the top cybersecurity policymaker within the Department of Homeland Security, serving in that post since November 2011. Before joining DHS, Weatherford was vice president and chief security officer at the North American Electric Reliability Corp., where he directed the cybersecurity and critical infrastructure protection program at the bulk electrical power transmission industry trade group. Weatherford previously served as the chief information security officer for the states of California and Colorado.
Assessing Threats against Government
ERIC CHABROW: How seriously does the U.S. government take threats such as those coming from Anonymous and other so-called hacktivist groups?
MARK WEATHERFORD: The government takes this very seriously. If you look at the resources that the Department of Homeland Security, the Department of Defense, the FBI, as well as the rest of the federal agencies are putting in the cybersecurity arena, it's pretty significant. I think that it's just indicative of how seriously the government does in fact take this.
Perceiving DDoS Attacks
CHABROW: Does the government see the DDoS attacks, such as the ones against banks, which they tend to recover from fairly quickly, as more than a nuisance?
WEATHERFORD: I think they are more than a nuisance, and we can't take these things lightly because success breeds confidence, and then the next time they get better and better and better. They can be a distraction from perhaps other things that are happening. We do in fact have to take them pretty seriously.
CHABROW: Who's responsible for defending an agency's website? Would it be the agencies themselves - DHS, National Security Agency, Department of Defense - or a combination of everything?
WEATHERFORD: Ultimately, it's a combination of everything, but every agency is responsible for their own infrastructure and their own presence on the web. That said, everybody working together helps with that. Certainly, the Department of Homeland Security has responsibilities for the broader federal interagency, working closely with the FBI and DoD. Any time we get word, indication, or there's some chatter about these kinds of events, the different organizations get together and figure out how serious it is, what [are] the resources and how we go back and respond to that.
CHABROW: There have been specific sites, such as the White House, Defense Department and others, that have been identified as targets for an attack that's scheduled for May 7 called OpUSA. Would just stopping traffic or slowing it down for a while be considered a failure to defend or is it more complex than that? Is it that basically you expect certain kinds of damage but you can recover quickly? What's the thinking behind that?
WEATHERFORD: It's certainly more than a failure to defend. It's, quite simply, the nature of the Internet. Without getting too technical and too detailed, you're just putting too much information into a pipe, and you overwhelm the pipe. It slows down and creates latency within the ability of the websites and the Internet to be able to respond. You can continue to build capacity, and the capacity costs money, and you build to a certain amount of resilience. Both the formal and the informal intelligence community are monitoring the landscape and hear of these kinds of things. ... This is what DHS, FBI and DoD do. They'll go back to organizations that are suspected of being the next targets and work with them, at least advise them that they need to be upping their game just a little bit to be prepared for that.
CHABROW: When these attacks do occur, there are people obviously that are monitoring it. They can see that all of a sudden traffic is slowing down and they're doing their best to reroute traffic or do other things to help ease the problem. With a battle, you could win, but you're going to take some initial casualties. Is that the thinking behind it?
WEATHERFORD: Yes, it is. There's only so much you can do. If somebody really, in fact, wanted to overwhelm you and focus all of their resources, there's probably not a lot you can do about that. You're going to feel some effects. What most people are doing is now working with some of the vendor community that does traffic management, and you can buy extra capacity, surge capacity, and be prepared to deal with that. We saw in the banking and finance industry when these DDoS attacks began last summer that they spent a lot of money on buying hardware to be able to deal with the traffic as well as bandwidth.
CHABROW: What does the government do in the sense of trying to assess the situation we're in to provide better defenses?
WEATHERFORD: Both the good guys and the bad guys learn from these attacks. The bad guys learn where the vulnerabilities are and how to exploit things that they may not have seen before. But the good guys also see where the attacks are coming from the compromised sites. They see what kinds of techniques and tactics the attackers are using. The good guys can learn a lot from these as well.
CHABROW: The architecture to learn from that, the cooperation, that's already intact within the government?
WEATHERFORD: Absolutely. If something good can have come out of this, it's that over the past nine to 12 months, the coordination and collaboration across the federal interagency has been just absolutely profound. The ability of the FBI, DoD and DHS to work together on these things, along with the information sharing and analysis centers and the computer emergency response teams in the different countries around the world, has been pretty remarkable about how they've been able to come together and learn from these things.
CHABROW: Obviously, in Congress there's a big debate about information sharing, cyberthreats and legal protections that need to be there. ... How would you characterize cyberthreat information sharing, say, with the financial sector today and the government from, say, a year or two ago? Even without laws, are we seeing more of that happening?
WEATHERFORD: Yes, we are. The big success there has been with the Financial Services ISAC. They actually have someone sitting on the National Cybersecurity and Communications Integration Center watch floor at DHS. There's a very robust exchange of information both from the ISAC to DHS and from DHS back into the ISAC. They distribute that to all of their financial services members. It's been a pretty good learning experience and pretty open information sharing. The banking and the ISPs have really come together, recognizing that everybody's in this together. Even though there's competition among the different companies, they're sharing information that's helping everybody.
CHABROW: Is sharing information between the government and the financial services industry through FS-ISAC, or are there also individual banks and institutions that are having direct contact with the government?
WEATHERFORD: There's a lot of direct contact. ... From this OpUSA event, I can almost guarantee you that the government, probably DHS, has gone out and contacted each one of these financial institutions just to make sure that they are aware of this event.