Cyber Response Assumptions Part V - Importance of Data Sharing

If the H1N1 outbreaks and the recently foiled airport bombing plans tell us anything, it's that information and information sharing are at the center of response for any significant security event. A significant cyber security event is certainly not going to be any different. Naturally, this type of data sharing should be bi-directional.

Remember the fourth assumption - Data about the event(s) needs to be able to flow both up to decision makers and down to responding organizations.

Decision makers at the federal level need visibility and insight into the events that are occurring as a result of the security incident so they can answer important national questions:
- Which of the Critical Infrastructure sectors are impacted?
- How extensive is the damage?
- What are the best steps to recovery?
- How can our incident responders be of assistance to the impacted areas?

Incident responders at the local level are going to be doing everything they can to respond to the event - but they also need insight into how widespread the event itself is. They will be interested in answering the following questions:
- Who can I call for help?
- What is the best way I can deal with this event? Unplug, patch, re-provision, or some other means?
- When is this event likely to be over?

As mentioned in an earlier post, this tasking already exists inside the Department of Homeland Security - it is assigned to the United States Computer Emergency Readiness Team (US-CERT). This capability exists to give all the players in this space one location to call for coordination, questions, support, etc. From their mission statement:

"US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners.

"US-CERT also provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States government about cyber security."

Of course, this may prove to be a very difficult thing to do in the midst of a serious crisis. It has been exercised at some levels (see Cyber Storm and Cyber Storm II), but the ability to push and pull information about the event, in near-real time, from a broad set of organizations across a geographically diverse area has not really been put to the test. Without some supporting technology that provides a Common Operational Picture for Cyberspace, data sharing, information flow, processing, and dissemination may prove to be untenable during a real event.