As I said, I was going to call this "Information Sharing Is Broken," but I figured there'd be about three or four people show up, so I decided to make it sound a little bit more provocative. One of the cardinal rules of public speaking is never apologize. Well, I'm going to break that right now. I had an irrecoverable hardware failure last night, so we have no slides, which means you only have to listen to me. So I'll try to be as entertaining as possible. I'm always a little bit anxious, but I'm also very appreciative when I'm talking with an audience of my peers. Usually many of you, you can put your hand down now, know more about some of this stuff than I do. So feel free to interject as we go along here. I don't think I'm going to break any new ground here today. I'm probably going to pull together a few things that people have thought about independently. And what I really want to do is provoke a conversation. When I spoke here last year, some of you may remember I did a keynote, but I was a Fed at the time, so I was a little bit restricted in what I could say and how I could say it. This year I'm not. I'm also not here to bash the government or poke anyone in the eye. I have a lot of great friends in the government at US-CERT, ICS-CERT, the NCCIC, and the other federal government agencies. And they work very, very hard, just like most of you do, a lot of the time without a lot of the accolades that go along with that. So I'm not going to poke my former colleagues in the eye there. And I'm not going to get close to crossing any lines, because I know there's people out there taking notes to poke me in the eye with my own words if I do cross that line. So I'm going to avoid that. When the title of my presentation was published, a few people called me to ask me if I wanted to talk about this issue now that the Snowden and the PRISM thing came up. And actually, I was a little surprised about it, because that's not what I'm talking about.
In fact, it's the farthest thing from what I'm talking about. What I want to talk about today is a kind of defensive analysis, the countermeasures and signatures that each of you are developing within your own companies and sharing with each other every single day without the help of the government assisting you in doing that. I know that that's one of the roles of the government, but that's really the context of what I want to talk about today. And I'll tell you, I don't pretend to have all the answers here either. As I said, I want to provoke a conversation. And as I started putting this thing together, I canvassed a bunch of my colleagues. And the general consensus was that this is, in fact, a conversation that needs to happen. And I know that General Alexander said that very same thing the other day at Black Hat during his keynote. But this is a different issue as far as I'm concerned. So I could ask you for a show of hands to see who in here thinks that classified government information is of any value. And since probably most of you have never had access to or seen classified information, you wouldn't know if it was of any value to you or not. And I talked to a few of my friends, and several people asked me why I thought the government's cybersecurity intelligence was ever of any value to the private sector to begin with. I thought that was kind of an interesting response. In fact, one guy said, from the public sector side, it's probably just as valuable as it ever was. From the private sector side, it's probably just as useless as it ever was. Very interesting. So that's a great point. And after being in DC for the past four years, the last couple of years with a ringside seat in the government, I have a little theory now. And one of the great struggles that I had in being in government, I'm a terrible government employee. I wasn't good at it. There's too many restrictions. There's too much. You just can't.
There's too many boundaries about what you can say and do and how you say and do it. So my theory is this. Washington DC occupies a 61-square-mile geographical footprint. The entire continental United States, including Hawaii and Alaska, is about 3.514 million square miles. So percentage-wise, DC is geographically negligible. But here's my theory. There's so much power concentrated in Washington DC that many people actually think they know more about you and your business than you do. A lot of people in government talk about the private sector like it's some kind of third cousin from Moldova. Actually, I stole that line from somebody the other day. But it's really true. People in the government in Washington DC talk about the private sector, even though most of them have never worked in the private sector. And they don't really understand the struggles and the challenges that you as cybersecurity professionals face every day in your business, where you actually have to meet a payroll and you have different responsibilities than we do in the government. It's a bit of a cliché, but we hear it said a lot that 85% of the critical infrastructure in the nation is owned and operated by the private sector. And I don't know if that's true or not, but I think for discussion purposes, it's probably close enough. But it's simply not logical to think that the government can know more about 85% of the private sector than those of you here in the room today, those of you who are working in these organizations every single day. So as I said, no government bashing. I'm not going to do that. But I do want to give you the bottom line up front, or for you acronym nerds, BLUF. Bottom line up front. And for those of you that this pops your bubble, I apologize. And you can probably get up and leave, and it won't hurt my feelings after that. The government is not going to come in on a big white horse and save you. It's not going to happen. The government doesn't have the resources.
There's just no cavalry. By the way, as I looked at the agenda, Nick Percoco and Josh Corman are giving a talk on Sunday morning titled the exact same thing: the cavalry isn't coming. I suspect they're going to talk about some of the same things that I'm talking about today. The government is simply unable, at least today, to provide timely and actionable information when you really need it, because the legal, policy, and operational restrictions within government are not designed to share with the private sector. I know that we've had this discussion, this public-private partnership discussion, for years and years and years, but it simply is not working like we'd hoped it would way back when. And after working there now for the last couple of years, I realize that as much as we want it to, it's probably never going to work well enough for the private sector to depend on it consistently, at least in the area of security intelligence sharing. The pace of innovation in the commercial sector is far more rapid than in the government, and primarily because Darwin's theory does apply in the private sector. The strong and the sustainable survive, and the weak don't. And the government, not so much. In fact, there's so much growth in the private sector development of cybersecurity intelligence right now because industry realizes that it can, in fact, move faster in collecting and analyzing specific intelligence that's important to them. Private companies can monitor IRC channels and sites like Pastebin, just like the government can. And they can collect and disseminate information as well as the government. And they can lower the signal-to-noise ratio and weed out the chaff to meet their own specific intelligence needs. The government is a huge bureaucracy, and that's probably not a surprise to many of you. It was one of those things that when I went into government I thought that I could change it. And some of my friends told me I was foolish. They were right.
So there are a lot of reasons, I think, why getting any kind of timely decision is possible. And lawyers being one of the factors, sorry about that. I just met a lawyer a few minutes ago. Sorry. But the seemingly unavoidable need to get someone's approval before making important decisions I think trumps everything. And that's a fact lost on, they're leaving. I already bummed them out. It's a fact lost on a bureaucratic organization. But in our business, there simply isn't time to get everyone's approval before making a decision. And this will make some of my attorney friends mad at me. But I find that government lawyers, not always, there are some good attorneys out there, but they are incredibly risk averse. And they don't understand cybersecurity. And that makes it a challenge for us in the operational trenches to do our jobs. I know that they don't understand it because I've seen the look on their face sometimes when I give them my look and I'm like, I can't believe you're making me do this. But anyway, some of you know Shawn Henry. Shawn, he's out of the government now, too. He spent a career in the FBI. Shawn was interviewed a few weeks ago. And he said, as a private citizen and taxpayer, it's frightening. We sit here more than six years later, arguably, in a worse place than we were in before. And we're still talking about voluntary guidelines and studying vulnerabilities. I think the time has passed for that as well. So what is the value of US government classified cybersecurity intelligence? I've been thinking about this for a long time. When I was the chief security officer at NERC, I was briefed a few times on classified threat-related things directed at the electric utility industry. But the people that really needed to know it didn't have a security clearance. So the value of the information was useless to them. And even when they did get briefed on classified information, it was usually information that they said they already knew about.
So the value, the timeliness of the government information was always behind the curve. But there continues to be a mystique to classified information. People feel like if they're not getting it, they're missing something. But when they do get it, I think they're usually disappointed. My CEO, he actually had a top secret SCI clearance. And after the second time he got a brief, he's like, why am I doing this? I'm not learning anything new. And this is an absolute waste of time for me to go to these briefs. And I think that's not necessarily unusual for the kind of information that the government does provide to the private sector. When I started at DHS in November of 2011, the first thing, the first document I read, was a report by Carnegie Mellon that documented the results of the Defense Industrial Base pilot. I think probably some of you have seen that or read it or heard about it. But anyway, the DIB pilot was a program to, like, get classified countermeasures and signatures to certain defense-related private sector companies. And there were about 20 companies that participated in that pilot program. The report wasn't flattering. And even though there were, I think, some rational explanations for why, it makes my case here today. So I'm going to use some of the numbers a little bit. Of all the incidents during the period of the pilot, about five months, only about 4% of those signatures and countermeasures were unique to the private sector. Let me say it again. 4% included information that the private sector DIB companies did not already know about. Now, to be fair, I think the expectations weren't established appropriately to begin with. And the program was getting better toward the end. But the bottom line is that the private sector found very little value in the information that the government was providing back to them. Certainly not enough value for them to spend money to continue participating in that.
And if you think about some of the other private sector reporting, some of the things, some of the public things that we've seen over the past couple of years, the Tracking GhostNet report, I think that was 2009, the McAfee Shady RAT report, the Luckycat report that Trend Micro put out, and then most recently, Mandiant's APT1 report. There was, I think, DNSChanger and Coreflood, where actually, while the government eventually got involved in it, most of the initial work done on those was done by the private sector. And then there are the annual reports by Verizon, Symantec, and McAfee that actually are a pretty good accumulation of information that those organizations have seen over the past year. Anyone remember the Conficker Working Group? Some of you probably were part of the Conficker Working Group. That was coordination and collaboration by the private sector to develop something really important and really useful. And these guys and gals actually spent time and spent money out of their own pockets to help everybody, to help the nation. And despite Herculean efforts to get the government involved, they did that on their own. That was a private sector initiative. And if you haven't read Mark Bowden's book, it's called Worm, titled Worm, it walks through the entire Conficker Cabal instance. Pretty interesting book. And this was all done in the private sector. So you can agree or disagree, I think, with some of these reports, and there's certainly some of you, I don't agree with everything that's in some of these reports that were put out over the last couple of years, but the bottom line is they were developed without government involvement. They were developed in the private sector. And I think one interesting thing that came out of that was they had the unintentional consequence of forcing the government to actually acknowledge some of the nation-state actors that were involved in some of these events.
That was one of the things, when I was the deputy undersecretary at DHS, as I traveled around the country and met with different companies, the almost continuous theme I got was, why isn't the government doing something about this? And not really part of this discussion today, but I can tell you, one of the biggest discussions we had on a continuing basis at the highest levels of the federal government is, what is the role of the federal government in some of these events and some of these activities, especially where nation states were involved? So I think it's a legitimate question to ask, does the US government have a greater intelligence gathering capacity than the private sector? And I think it depends. It depends on the value of classified cybersecurity information, because it seems to be an increasingly small subset of the information potentially available to identify the source and understand attack methodology and adversary capabilities. This brings us to what I think is probably one of the most important problems with government information: that's over-classification. Anyone in here that has had access to classified information, I think, has thought this from time to time, that the information you're seeing that has a classified sticker on it is the same information that you saw on CNN yesterday. And this is really a big problem for a whole lot of reasons. But primarily, information is classified for two reasons. One, to protect the source, where the information came from. Two, to protect the method, how the government obtained that information. Most security professionals, I certainly know when I was the CISO, I didn't care about that. All I cared about was the information of value to me that could have helped me protect my systems and my networks. So I think the government has to get better about taking that kind of truly classified information and declassifying or sanitizing it to the point where it's of value to the private sector.
So I'm not saying that there isn't any value in any classified information, because there is, obviously, and government is rightly responsible for that. It's just that once the information does become classified, it becomes much harder to share, and the vast majority of threat intelligence that we need can be found in the open source anyway. I have a CISO friend who isn't a US citizen, and his CEO is not a US citizen, but he happens to be the CISO at a very large critical infrastructure company here in the US with a pretty big footprint and actually responsible for a pretty large chunk of something very important to the nation, but he can't get any classified information and his CEO can't get any classified information. You can see how that would be a really big problem. Most people don't know this actually, and I didn't know until I worked at NERC, but the US gets a lot of our electricity from Canada. In fact, the lights in here are probably being powered by electricity that was generated in Canada five minutes or five seconds ago. But you can see that there's a problem there as well, as while we work with the Canadian utilities on a lot of things, we don't work with them on sharing cybersecurity threat information because they don't have US government security clearances, so we can't share that kind of information. And that's a big problem. Worked with a CISO, another story from when I was at NERC, worked with a CISO and we had discovered a pretty big vulnerability in his company, and the source of it was classified information. When he briefed his CEO and his CFO on it and he needed some funding, some out-of-cycle funding to fix the problem, he couldn't tell them the source of the, why he needed the money, because it was classified information. So it's pretty tough to go to your CFO with your hand out and hoping that your good looks and smile are gonna get him to write you a check.
Some of you are probably aware of the executive order that was signed by the president in February of this year. It has a number of things, but it has three primary components related to information sharing. One is a provision for expedited private sector security clearances. Two is an increase in the volume, timeliness, and quality of the cyber threat information that DHS and the government provides to the private sector. And the third thing is private sector access to the DHS classified Enhanced Cybersecurity Services program. The ECS program is an avenue through which the government shares classified information with certain critical infrastructure companies. So these are noble goals, I think, as laid out in the executive order, but I don't think there's any way to scale providing more security clearances. You know, you can't, there simply is not enough manpower and not enough money to provide security clearances to all the people in the nation and all the critical infrastructures that need them. And I don't think you can even get close to it. So I, you know, this was something that was in the executive order that I think is a noble goal but probably not gonna be, not very realistic. And, you know, to bring up the Snowden thing again, you know, in the post-Snowden world, getting clearances to non-government employees is going to be a lot more difficult. So the second one, increasing the amount of information provided back to the private sector, I think will have limited impact. And getting a handful of companies, again, the scaling of this is critical. Getting a handful of companies access to more of the classified information is not gonna solve the problem. Okay, so that's some of the bad news. I always like to wrap things up, talk about some positive things. And there are some positive things going on. Sometimes, you know, you look at something and it looks bad, and the end result of it is not so bad.
For the past year, most of you know, the banking and finance industry has been going through these DDoS events. And they've been very, very challenging for many of the banks and many of the ISPs, and they have spent a ton of money combating these and preparing for these. But a couple of good things happened out of it. The first was, I actually saw CSOs from these large banks and large companies sitting together in a room talking about how to address this problem. And I can tell you, two years ago, you couldn't have got all these people in the room talking about issues like this. I talked with one CISO at a very large bank and she said, yeah, this was an absolute nightmare for us, but it was good because it does have, we have really opened the lines of communication across this entire sector in ways that never would have happened. And so there's a lot of information sharing happening now on things other than the DDoS-related events that's really, I think, helped the banking and finance industry an awful lot. So we need more of that kind of collaboration. There's an old military saying that cohesion is a combat multiplier, and we need more cohesion across the board and across all sectors to build relationships both within and across industry, so that when cyber threats do surprise us, we can pull together the right kinds of teams more quickly than the well-meaning but far too complex federal government. Sometimes it actually does take a crisis to get us to work together. I'm sure a few of you are involved with the development of some of the information exchange frameworks. I want to talk about three of them very, very briefly. The TAXII program, Trusted Automated Exchange of Indicator Information, being run out of MITRE, but it's really an open source operation.
A lot of people are involved with this, and TAXII is an open source collaborative community development initiative working to define protocols and messages that allow for sharing of actionable cyber threat information. What TAXII does is give organizations improved situational awareness about emerging threats and then allows them to share whatever information they choose with the partners they choose to do so. You also have the Mandiant OpenIOC framework and the IETF's Incident Object Description Exchange Format, or IODEF. The Mandiant OpenIOC framework allows you to document and categorize forensic artifacts of an intrusion using a base of indicators that can be used to track down attackers. And the IETF program defines a data representation that provides a framework for sharing information commonly exchanged by CSIRTs about threats. I suspect that there are quite a few of you involved in the development of those different frameworks, and I think it's an indication of Darwin's theory again. One of them will end up being a standard at some point, and the others will go away. And there's also the Information Sharing and Analysis Centers, and I know that there's some of you involved with the ISACs. ISACs were actually established back in, I think, 1998, when President Clinton signed PDD-63, which established these ISACs. Unfortunately, there was no funding that went along with that. So they've kind of struggled over the years to mature and gain relevancy. But there are a couple of the different sectors where the ISACs, I think, are being very valuable, and they provide that forum for the exchange of information. Certainly financial services, the information technology ISAC, the defense industrial base ISAC, the electricity sector ISAC, telecommunications. I think those are probably some of the more mature ISACs. Some of the other critical infrastructures' ISACs, probably not so much; they're pretty immature.
And that's not a criticism, it's just the fact that they haven't had a lot of resources devoted to them over the years. Next thing I wanna talk about is the invitation-only, or "you're not invited," clubs. And I put that in the abstract, and some of you have probably participated in these over the years. And they typically spring up in response to a specific threat like Conficker. But they're really effective in tackling problems, and they're harder to get involved in, and I've actually tried to ask to be involved in a couple of them and they typically say no. You're not the right kind of guy that we need. They actually want technical people that can help solve problems. So I bring this up because you may not have been invited to one of these, but if you have the right kind of skills and people who know you are involved with these, you'll eventually get asked to participate in them. And they're actually, I'm probably not telling you anything you don't know. They're pretty tough to get into. You usually gotta have two or three people vouch for you to get invited to one of these groups. In fact, DT and Anton Karpov and I were talking about it just a couple of days ago over at Black Hat. The BCP 38 issue is, I think, something ripe that a "you're not invited" kind of group could get together on and start putting some pressure on the vendors to solve this issue. This is not a hard problem, but we can't do it. The manufacturers, the router manufacturers, really need to pick up the ball and work on this. And it seems to me that it's a really good opportunity for somebody to say, okay, let's start our own group and work on solving this thing. So there's also a couple of things that I think the government can do. They're gonna continue to develop classified information. That's their job. The Department of Defense has the role of looking outside the continental United States, looking outside of our borders at threats against the US.
And that's their natural role, and they're very, very good at doing that. But I think there's things that they can do that we as private companies can benefit from a bit more. And one of those things is research and development. The government has, over the years, been really, really good at doing good research. And that has kind of changed a little bit over the past few years with some of the budget issues going on in the federal government. One of the first things that tends to go away, the first thing that tends to go away is training. The second thing that tends to go away is R&D money. But the government does fund and develop some incredible, I think, advanced technology in some of our labs and some of our other facilities around the country. But I think we need more money for that. And we need more money for the kind of creative and competitive startup companies, 90% of whom are gonna fail at some point. But you know what? The 10% that do make it, there's value and there's richness in that that the government and the nation can benefit from. One of the other things associated with R&D is technology transfer. It'd probably be astonishing to most people in here to know how much great technology is sitting on a shelf because the government hasn't figured out how to take that technology and transfer it to the private sector. It's actually heartbreaking when you think about some of the billions of dollars that have been spent on some of this. And they haven't figured out how to get it back out into the public domain. I think that they could sponsor more training. This is one of the biggest issues, I think, facing the nation, certainly in the security arena right now: the lack of talented and trained people. Part of my job at DHS was traveling around the country and talking with not only companies, but talking with higher education and even high schools.
And one of the almost constant mantras that I heard from the private sector was they don't have enough people. They don't have enough qualified people. And I could ask everybody in this room to raise your hand right now if you have all of the qualified people you need in your company. And there wouldn't be very many hands in here. I can tell you that. I don't know if anyone had the chance to walk the floor, the vendor floor over at Black Hat the past couple of days. But something I've never seen before, there were help wanted signs in a lot of the booths over there. This is a big deal. We do not have enough qualified people either in the government or in the private sector. And the government is starting to feel the pain a lot more because of the budget issues, and the sequestration issues and the furlough issues. And I think government employees are waking up on days now and saying, why am I doing this again? Thanks. Why am I busting my ass every day, working 14 hours? And you're gonna furlough me and dock me 20% of my pay when I can go and work in the private sector. So I'm sure it's not lost on this crowd, but if you have any skills at all in this business, you can get a job anywhere. So I really do think that this is something that the government can take a leadership role in and provide more training. And certainly not just in cyber skills, even in the intelligence analysis roles. It's a huge, huge gap, and we really do need to address that. So, one of the other things, I think, is funding of the ISACs. I think the government should take that on. We have 16 defined critical infrastructures now. The government needs to fund these ISACs because they are the source of information sharing amongst these critical infrastructure sectors. And right now they're very haphazardly operated, they're very haphazardly funded, and the government could take a role in that. So to wrap up, I'd like to state the obvious again.
The government is always gonna have more resources to look outward at the threats, but you can't depend on getting that information to save you. The sharing of cybersecurity threat intelligence and information is up to us. Some forward-leaning organizations, many of you here today, I'm sure, have already begun, and there are dozens of startups out there focused on cybersecurity threat analysis. I probably talk to at least one company a week now where they are doing cybersecurity intelligence development and trying to find an avenue to get that back into both the public and the private sector. So remember my bottom line up front. The government is not going to be sliding in on a cloud of smoke to save you when you have an event. You have to depend on yourself. The government just simply does not have the resources and is not gonna have the resources to do that. So conversations are occurring about these issues and others, but unless the government figures it out pretty soon, I'm afraid that a lot of companies, including many of those that are already participating in the classified cybersecurity intelligence sharing program, will simply decide not to participate at all because it's too hard, and that'd be a shame. So thank you very much.