In April of this year three researchers at the University of Tulsa - Mason Rice, Robert Miller and Sujeet Shenoi - published a paper in the International Journal of Critical Infrastructure Protection entitled "May the US government monitor private critical infrastructure assets to combat foreign cyberspace threats?"
The paper was brought up yesterday on the SCADASEC mailing list and some intelligent commentary has ensued. While the paper is primarily a treatise on the legal aspects of the title topic, it intrinsically and often explicitly touches on several foundational issues associated with the "how?" of securing critical infrastructure on a national scale.
All in all the paper seems to hang together well. It starts with the usual sort of framing of the predicament, follows with a pretty thorough walk-through of the legal history to the present, and then provides three example scenarios in which the legal thought exercise is trotted around the ring.
The three scenarios exercise the legal issues of government access to information of increasing depth. The first two in particular speak to capabilities that should and will be further developed in the coming years - honeynets and continuous monitoring - while the third scenario in part touches on workforce development.
- Government-Operated Honeynets
Whether government-run or not, honeynets around sensitive sites are something I preach regularly. The same intent has already shown up in a regulatory context in the US Chemical Facility Anti-Terrorism Standards (CFATS), § 27.230 Risk-based performance standards, (a)(4):
4. Deter, Detect, and Delay. Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful, including measures to:
(iii) Detect attacks at early stages, through countersurveillance, frustration of opportunity to observe potential targets, surveillance and sensing systems, and barriers and barricades;
Well-designed and well-maintained honeynets "around" the real or perceived egress points between critical systems and public networks are a good way to forward the goal expressed in CFATS. Attackers are not the only ones who can fool their adversaries by showing them what they expect to see. Honeynets are also a good way to learn about the state of aggregate and specific threats, which certainly raises the issue to the national security level and therefore to the legal issues the paper discusses.
There is certainly value in feeding that experience up to broader groups, whether industry, state or federal. There is also an argument for having some or all of them run by a dedicated team of some description: a honeynet that is not tended well is useless.
- Government Sensor Deployment
The point of the paper is to discuss the legality of these scenarios, and I leave that for lawyers and legislators to argue. Assuming this sort of raw and direct connection is ever truly warranted and permitted by all parties, it could be done and it would add value ([caveat]done correctly[/caveat]). In reality it is unlikely that the norm would be for the government to get that hands-on.
As a strawman, though, it is close enough to show that the authors are paying attention to the technical possibilities:
"The sensor deployment scenario is more intrusive than the honeynet deployment scenario because the sensors are planted in the backbone as well as in critical infrastructure assets. Also, data pertaining to network and system operations is collected and correlated for defensive purposes."
Achieving this amount of national visibility does not have to mean installing a lot of new gear; more often it means using the gear already installed correctly. Gathering that telemetry and doing something with it (and maybe adding a bit more) does not have to be overly complicated in order to raise the bathtub ring a long way at most facilities.
All the strawman in the paper really describes is an MSSP (managed security service provider) model for utilities. It may turn out that private parties can aggregate, correlate and anonymize enough to serve both the public and the private purpose.
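To make the honeynet and aggregation points above concrete, here is an added example (my illustration, not code from the paper, the post, or any vendor) of the minimal pipeline such an MSSP-style service would run: decoy ICS-looking services sit in an address range nothing legitimate should touch, participating facilities forward connection events as JSON lines, hits are correlated per source across facilities, and the shareable report replaces facility names and source addresses with keyed pseudonyms so the same attacker can still be matched across sites without exposing who reported what. The decoy range, port list, event format, facility names, sample events and shared key are all constructed assumptions.

```python
"""Decoy-hit correlation and pseudonymised sharing for a honeynet fronting ICS egress points.

Added example, not from the paper or the post. Everything below is assumed:
the decoy range, the decoy port map, the JSON-lines event format, the facility
names, the sample traffic and the community key.
"""
import hashlib
import hmac
import json
from ipaddress import ip_address, ip_network

DECOY_NET = ip_network("10.9.0.0/24")  # hypothetical honeynet range; no real host lives here
DECOY_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip", 23: "telnet"}  # hypothetical decoys
RECON_THRESHOLD = 2  # distinct decoy services touched by one source -> reconnaissance

# Constructed sample events (not real traffic). One line is deliberately malformed.
SAMPLE_EVENTS = """\
{"ts": 1314854400, "facility": "plant-A", "src": "203.0.113.7", "dst": "10.9.0.5", "dport": 502}
{"ts": 1314854412, "facility": "plant-A", "src": "203.0.113.7", "dst": "10.9.0.5", "dport": 20000}
{"ts": 1314854430, "facility": "plant-A", "src": "203.0.113.7", "dst": "10.9.0.9", "dport": 44818}
{"ts": 1314854500, "facility": "plant-B", "src": "203.0.113.7", "dst": "10.9.0.5", "dport": 502}
{"ts": 1314854600, "facility": "plant-B", "src": "198.51.100.2", "dst": "10.9.0.5", "dport": 23}
{"ts": 1314854700, "facility": "plant-A", "src": "192.168.1.20", "dst": "192.168.1.1", "dport": 443}
this line is not JSON and must be skipped, not crash the collector
{"ts": 1314854800, "facility": "plant-A", "src": "198.51.100.9", "dst": "10.9.0.7", "dport": 8080}
"""


def parse_events(text):
    """Parse JSON-lines connection events, dropping lines that are not well formed."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["src"] = ip_address(ev["src"])
            ev["dst"] = ip_address(ev["dst"])
            ev["dport"] = int(ev["dport"])
            ev["ts"] = int(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue  # a bad line from one facility must not poison the aggregate
    return events


def is_decoy_hit(ev):
    """Any connection into the decoy range is suspect: nothing legitimate is there."""
    return ev["dst"] in DECOY_NET


def service_name(port):
    """Label the decoy service touched; unknown ports are still recorded as hits."""
    return DECOY_PORTS.get(port, f"tcp/{port}")


def correlate(events):
    """Group decoy hits per source address across all reporting facilities."""
    per_src = {}
    for ev in events:
        if not is_decoy_hit(ev):
            continue
        rec = per_src.setdefault(str(ev["src"]), {
            "facilities": set(), "services": set(), "hits": 0,
            "first": ev["ts"], "last": ev["ts"]})
        rec["facilities"].add(ev["facility"])
        rec["services"].add(service_name(ev["dport"]))
        rec["hits"] += 1
        rec["first"] = min(rec["first"], ev["ts"])
        rec["last"] = max(rec["last"], ev["ts"])
    for rec in per_src.values():
        # Several decoy services, or the same source at several sites, is reconnaissance;
        # a single touch is recorded as a probe and kept for later correlation.
        multi_service = len(rec["services"]) >= RECON_THRESHOLD
        multi_site = len(rec["facilities"]) >= 2
        rec["verdict"] = "recon" if (multi_service or multi_site) else "probe"
    return per_src


def pseudonym(value, key):
    """Keyed, consistent pseudonym: the same input maps to the same token for one key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def shareable_report(per_src, key):
    """Replace source addresses and facility names with pseudonyms before sharing."""
    report = {}
    for src, rec in per_src.items():
        report[pseudonym(src, key)] = {
            "facilities": sorted(pseudonym(f, key) for f in rec["facilities"]),
            "services": sorted(rec["services"]),
            "hits": rec["hits"],
            "first": rec["first"],
            "last": rec["last"],
            "verdict": rec["verdict"],
        }
    return report


if __name__ == "__main__":
    community_key = b"hypothetical-community-secret"  # assumed; shared by the sharing group
    summary = correlate(parse_events(SAMPLE_EVENTS))
    print(json.dumps(shareable_report(summary, community_key), indent=2))
```

Run as-is and the shared report shows one source flagged as reconnaissance (three decoy services across two facilities) and two single-touch probes, with no plaintext address or facility name in the output. The HMAC pseudonyms are the privacy lever discussed below: whoever holds the key can re-identify a facility if that is ever warranted, while the aggregating party and other participants see only consistent tokens.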
Efforts along these lines are already developing, with organizations such as EnergySec announcing aggregation projects:
9/1/2011 - EnergySec in its capacity as the National Electric Sector Cybersecurity Organization is excited to unveil the EnergySec Tactical Analysis Center (ETAC), an industry-driven situational awareness program.
Whatever the legal boundaries, the push towards privacy will likely limit the data exchange and handling as much as the national interest can stand. This right here is where a majority of the privacy issues will be fought out.
- Embedded Government Employees
Again, the legalities are well presented in the paper, at least to the point where it seems clear that two lawyers could argue it for hours and either might win on a technicality. That really is the only point to be made on this scenario, unless anyone wants to argue that it is likely or desirable to have a large number of federal folks embedded everywhere.
I'm guessing the federal government will do the one-offs of such embedded folks regardless, as is deemed necessary. In certain scenarios I might agree with the reasoning, but fortunately I studiously avoid having to know such things.
An interesting paper and timely discussion, certainly. The scenarios touch on three issues (honeynets, active monitoring and onsite expertise) that should be among the top of everyone's lists.
If this paper in fact roughly defines the perimeter of the legal envelope, then it is yet another reason to believe that The Great Group Ponder on "How much less than that is enough?" will make great war stories to bore future generations into submission with.
Chris Blask authored the first book on SIEM, "Security Information and Event Management Implementation", published by McGraw Hill. Today he is Vice President of Industrial Control Systems Group at AlienVault, the producer of the world's most popular SIEM technology, and is on faculty at the Institute for Applied Network Security (IANS).