The Trump administration has a dozen top cybersecurity priorities ranging from a new national cyber strategy to dealing with increasingly bold nation-state adversaries. One priority – that should be near the top of the stack – may not be obvious, but it is critical: a determined study of the responses to past incidents and how to improve upon them.
The first cyber incident response teams were formed almost thirty years ago, after the Morris Worm of 1988, which took down some 10% of the early Internet. Those responding to this malware all had other, full-time jobs and had no relevant response plan. They also relied largely on the Internet itself to coordinate a response, which is not much use when that very network has crashed.
The Computer Emergency Response Team, formed at Carnegie Mellon University with Department of Defense funding, was created to deal directly with these weaknesses and was the most important early innovation in cyber response. As noted by the NY Cyber Task Force, there have been other improvements over the years as well, such as creating the roles of Chief Information Security Officers and Information Sharing and Analysis Centers in the mid-to-late 1990s.
Now where do we go? Further successes can either come from bold new organizations or improving the processes we already have. The Atlantic Council just published a paper (which I helped author) with ideas in both areas; this blog will summarize the first and most critical, which is understanding response in order to improve on it.
Surprisingly, there has not been any disciplined attempt to study the major incident responses of the past: who took what decision? Based on what information? Leading to what action? And with what ultimate result? How can the Department of Homeland Security and other defenders know which information needs to be shared, or where to make the most impactful improvements to incident response, if we don’t have a viable database of hits and misses?
Here’s an idea: DHS should fund a project with a think tank or Federally Funded Research and Development Center (FFRDC) to fully map the critical response path for two to four exemplars of each major incident class [such as botnet takedown, counter-APT (advanced persistent threats), massive distributed denial-of-service (DDoS) attacks, counter-malware, etc.].
The response-path maps for each incident type should be based on the response actions and decisions which led to the successful resolution of the incident. Who made which decisions? Were those decisions made by individuals or collectively and over what medium? On what information did they base their decision, and what actions resulted?
This is different from similar (and also useful) ideas such as a root-cause analysis, after-action reports, or incident repositories, as the map should trace the path of decisions, actions and information from discovery of the problem through resolution.
Once the maps are in hand, defenders can determine not just how defenders responded, but how they should respond next time. Understanding what resources were available at the time may offer key insights into ways that sharing or declassifying some additional information early on could have stopped incidents sooner. Or imagine a key response organization that lacks sufficient resources but could dramatically improve its efficiency with a small grant from DHS or industry. Perhaps concerted action by U.S. Cyber Command’s Cyber National Mission Force might have been able to disrupt the adversaries’ plans? All things worth considering.
To take the idea even further, each map could be turned into an appendix for DHS or sector cyber-incident response plans, leading to a full set of rigorously researched playbooks for all incident classes.
The good news is that the right people could do a good-enough job with a few days, a sufficient supply of pizza, and a large-enough whiteboard. A more complete version, one that covers all response types and includes decision modelers and other experts, would be expensive – perhaps a few million dollars – which is a small investment considering the potential gains.
In determining the return on investment, consider that the findings will highlight the massive private-sector role in response, and that many key responders are global organizations, which can help the U.S. government prioritize its efforts with the most effective partners. Beyond these lessons for collaboration, the maps will also provide the actual information requirements—allowing a determination of who needs what information and when, which information needs to be shared, and which information can just be bought (and from what source).
These response-path maps may also show that dedicated response organizations might help streamline responses, a subject for another blog. It has been nearly three decades since the first major innovation in cyber response. There may not be any more easy wins, like creating the first CERT or CISO, without a disciplined study of past responses.