The intelligence community guards some of the nation’s most closely held secrets and helps defend the country from attacks. But who protects the protectors?
Part of that mission falls to the Intelligence Community Security Coordination Center (IC SCC), one of the six federal cybersecurity centers designed to create real-time cybersecurity situational awareness.
IC SCC’s mission is to coordinate the cybersecurity incident response for the intelligence community, the center’s director, Wally Coggins, recently told Federal News Radio. To better carry out that mission, the center wants to beef up its data-sharing capabilities, coordinate cybersecurity functions and conduct more life-like training, which feds say is often lacking.
The center achieves its mission through continuous two-way communication with the 17 intelligence agencies and their incident response centers, Coggins says. The IC SCC also works closely with other cybersecurity partners, including U.S. Cyber Command within the Defense Department and the National Cybersecurity and Communications Integration Center at the Department of Homeland Security.
“IC SCC facilitates accelerated detection and mitigation of cyberthreats across the IC by providing end-to-end security, situational awareness, and incident case management,” according to a document from the National Counterintelligence and Security Center within the Office of the Director of National Intelligence. “It maintains consolidated insight into IC networks and intelligence information systems and coordinates IC responses to cyberevents, incidents, outages, threats and technical vulnerabilities.”
Coggins notes that the cybersecurity threat environment is dynamic and always changing, “and we’re continuously assessing and evaluating our incident response plan.” He says that the IC SCC is focusing on three main areas this year.
1. Automate Intelligence Community Data Flows
An important point of emphasis for the IC SCC is “automating the data flows between the security coordination center and the agencies across the community to improve the speed at which we’re getting information on vulnerability management, safeguarding posture, endpoint security as well as incidents as they’re occurring,” Coggins says.
The intelligence community is moving toward a model in which data sharing is encouraged, not disfavored. About five years ago, the IC moved away from siloed IT and established the IC Information Technology Enterprise. IC ITE is a platform of nine shared services, including security, networking, email and virtual desktops, all delivered via a private cloud.
“Each part of the IT enterprise is provided by one or two agencies that do the thing they are best at, which they then make available to the rest of the community,” Jennifer Kron, the acting tech chief for the intelligence community, recently told FedTech. “By evolving into this enterprise approach, we make it a lot easier to share information, enhance integration, improve our security and become more efficient.”
2. Coordinate Cybersecurity Personnel
Another main focus for the IC SCC is integrating functional areas that “traditionally have been stovepiped and haven’t worked closely together,” Coggins says.
A good example of that, he says, is bringing counterintelligence individuals and experts in to work with the intelligence community’s cybersecurity personnel in the center’s analytical cell “to work on the nexus of where insiders could potentially be using cyber capabilities to carry out their malicious intent.”
3. Run More Realistic Incident Response Training
The final area of focus for the IC SCC is a continuous exercise program, which Coggins describes as “a series of tabletop exercise war games, live-range exercises, where we’re working with the community to test realistic, complex scenarios.”
Coggins says the goal is to test the intelligence community’s response and “share lessons learned, best practices and build the partnerships for when real incidents occur [so] that we can respond quickly.”
The need for life-like cybersecurity incident response training is common across the government. Earlier this year, during a cybersecurity panel at the GITEC conference, Brian Varine, chief of the Justice Security Operations Center at the Justice Department, said the people agencies wind up hiring for cybersecurity jobs are “kind of green.”
A key reason, he said, is that most cyber defenders “have never actually seen a real cyberattack,” an advanced persistent threat that tears apart a network and forces them to respond.
What should agencies do about this? Varine notes that in the 1950s and 1960s, the armed forces sent out young pilots in multimillion-dollar aircraft, and many of them would get shot down early in their deployments. “Eventually, the Navy figured out, when they invented Top Gun, ‘Hey, most of our guys are getting shot down in their first 10 missions because that’s where they’re making all of their mistakes.’ Once they got past 10, they got pretty good.”
The government needs to give cyber defenders those 10 missions, either with training on government networks or before they set foot inside agencies, Varine said. Entire agencies also need to go through training for real-world cyberattacks, he added.