Australia has a refreshed approach to dealing with the burgeoning threat of cyber assailants through its new national cyber security strategy, but there is still much those charged with defending our electronic perimeter can learn from their bigger and better-equipped peers.
Brigadier Gregory Touhill from the US Department of Homeland Security last week offered the Technology in Government conference insights into his experiences trying to protect the world’s biggest cyber security target - the US federal government.
Touhill, who is second in charge of the department’s cyber security and communications office, said he was working to achieve infosec best practice in more than 125 federal departments and agencies, plus another 300,000 government entities at the state, county, and municipality level in the US.
Addressing the workforce shortage
The US government, just like its Australian peers, says it can’t find enough suitable skilled infosec workers to fill its ranks.
It’s an issue even President Barack Obama has weighed in on, this year issuing a federal workforce strategy that included a scheme of scholarships and subsidies for information security courses at American colleges, where tuition fees can be substantial.
Touhill said the strategy also includes a system of official campus certifications intended to raise the standard of infosec education.
“We have almost 200 universities around the country that have gone through this certification process to improve how they teach security principles in all of their coursework, in business schools and law schools as well as computer science,” he said.
Targeted information sharing
The Australian government’s freshly revised cyber security strategy is based around the establishment of joint public/private threat centres in capital cities as a foundation for a collaborative response to cyber attacks.
These are likely to take cues from the United States' network of information sharing and analysis centres (ISACs) set up by the private sector and NGOs, and aligned to specifically nominated “critical infrastructure” industries like energy grids, banking, and maybe soon systems that underpin elections.
“We can provide quick and timely methodologies and information that provides them with context about cyber threats and what we are seeing in the cyber landscape,” Touhill said.
“We like to equate it to a cyber neighbourhood watch.”
Automated threat indicator sharing
On a machine-to-machine level, Homeland Security has set up a system of standards and protocols to distribute automated numerical information that can help identify the source of a cyber attack.
“Cyber indicators can be things like IP addresses that are known to be associated with bad actors, hashes, all sorts of different forms of numeric data,” Touhill said.
A number of global cyber response bodies - including the Australian CERT - are now hooked up to STIX (the structured threat indicator expression, the standard for sharing information about a threat), and TAXII (trusted automated exchange of indicator information), which is the protocol for transmitting data from machine to machine.
This network of information sharing can deliver essential contextual information about a threat “at machine speed”, Touhill said.
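To make the machine-to-machine sharing described above concrete, here is an added example (not code from the article, DHS, CERT Australia or the STIX/TAXII projects) that takes a small STIX 2.1 JSON bundle of the kind a TAXII server would serve, pulls the IP-address and SHA-256 indicators out of it, and checks a handful of log lines against them. The bundle, its IDs, the address and the hash are all constructed placeholders; the matcher only understands simple `[type:property = 'value']` equality comparisons, and it skips revoked indicators so a withdrawn indicator does not keep generating alerts.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed, hypothetical SHA-256 (64 hex chars); not a real file hash.
FAKE_SHA256 = "0123456789abcdef" * 4

# Constructed STIX 2.1 bundle. IDs, timestamps and values are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2016-08-01T00:00:00.000Z", "modified": "2016-08-01T00:00:00.000Z",
            "name": "Constructed: address associated with a bad actor",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.7']",
            "valid_from": "2016-08-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2016-08-01T00:00:00.000Z", "modified": "2016-08-01T00:00:00.000Z",
            "name": "Constructed: file hash",
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '%s']" % FAKE_SHA256,
            "valid_from": "2016-08-01T00:00:00Z",
        },
        {
            # Revoked indicator: a consumer must stop matching on it.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "created": "2016-08-01T00:00:00.000Z", "modified": "2016-08-03T00:00:00.000Z",
            "revoked": True,
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.20']",
            "valid_from": "2016-08-01T00:00:00Z",
        },
    ],
})

# One simple STIX comparison expression: [object-type:property = 'value'].
COMPARISON_RE = re.compile(r"\[([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\]")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_indicators(bundle_json: str) -> Dict[str, Set[str]]:
    """Collect equality comparisons from every live STIX indicator in the
    bundle, keyed by 'object-type:property' (e.g. "ipv4-addr:value")."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    found: Dict[str, Set[str]] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # snort/yara/sigma patterns need their own engines
        for otype, prop, value in COMPARISON_RE.findall(obj["pattern"]):
            found.setdefault(f"{otype}:{prop}", set()).add(value.lower())
    return found


def match_logs(indicators: Dict[str, Set[str]],
               lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, indicator key, value) for each log line
    that contains a known IPv4 address or SHA-256 hash."""
    ip_set = indicators.get("ipv4-addr:value", set())
    hash_set = indicators.get("file:hashes.'SHA-256'", set())
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for token in IPV4_RE.findall(line):
            if token in ip_set:
                hits.append((lineno, "ipv4-addr:value", token))
        for token in SHA256_RE.findall(line):
            if token.lower() in hash_set:
                hits.append((lineno, "file:hashes.'SHA-256'", token.lower()))
    return hits


# Constructed log lines (documentation address ranges, hypothetical host names).
SAMPLE_LOGS = [
    "2016-08-02T10:15:01Z fw01 ALLOW src=192.0.2.10 dst=198.51.100.20 dport=443",
    "2016-08-02T10:15:07Z fw01 ALLOW src=192.0.2.10 dst=203.0.113.7 dport=443",
    "2016-08-02T10:16:30Z host07 proc_start name=update.exe sha256=" + FAKE_SHA256,
    "2016-08-02T10:17:02Z fw01 DENY src=203.0.113.70 dst=192.0.2.10 dport=22",
]

if __name__ == "__main__":
    for lineno, key, value in match_logs(extract_indicators(SAMPLE_BUNDLE), SAMPLE_LOGS):
        print(f"line {lineno}: matched {key} = {value}")
```

Two details matter in practice: the revoked indicator for 198.51.100.20 is ignored, so the first log line produces no alert, and whole-token matching means 203.0.113.70 on the last line is not confused with the 203.0.113.7 indicator. A production consumer would also honour `valid_until`, track the producer's confidence, and use a full STIX pattern evaluator rather than a regex over equality comparisons.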
The Homeland Security boss said one of the most important policies his office is pushing is a cultural and training exercise to encourage law enforcement and intelligence officers to take a second look at how they classify information about cyber attacks.
“Information that is not available is not useful,” he warned.
“And many of the critical infrastructure partners do not have access to classified information.”
His department is pushing a declassification scheme where secret data can be processed to a point where it will be safely declassified within 24 hours, for timely distribution to the private sector when needed.
Touhill acknowledged the intelligence community was committed to protecting its sources and data collection methods, but argued there was no reason this cannot be done in a way that allows useful information to be shared with businesses working a long way from the centre of government.
His project aims to figure out ways secret information from law enforcement and intelligence agencies can be reworked to remove anything that might reveal the sources or methods critical to its collection, within 24 hours.
“Rapid declassification of information is critically important so people have the right amount of time to prepare and to posture themselves to better manage the risk,” Touhill said.
“We’re finding that by training our intelligence officers to think about what needs to be classified and what we can tell, sharing the information widely as default and protecting a very small amount, is much more valuable than classifying everything by default.”