The Advanced Cyber Security Center is a three year old organization with a bold mission to “bring together industry, university, and government organizations to address the most advanced cyber threats” and drive cybersecurity R&D in the New England region. Network World editor in Chief John Dix attended their most recent meeting in Boston and later tracked down ACSC Executive Director Charlie Benway and ACSC Board Chair William Guenther (CEO and Founder of Mass Insight) for a deep dive on the organization’s goals.
ACSC seems to have hybrid goals, one involving sharing threat intelligence among members, the other being around research and development and making New England a mecca for cyber security. Let’s start by having you expand on that first goal.
BENWAY: Clearly the threat-sharing program is a priority of the organization, building trusted relationships between members and having face-to-face discussions about these threats. What do they look like? What are they targeting? Why? How do you deal with them?
Because it’s a cross-sector organization, some sectors see certain threats before others so some members get advance notice. But it goes beyond just actionable threat information. Members say the organization is also a tremendous benefit in terms of professional staff development because members exchange best practices and can take ideas back and improve the security posture of their own enterprises.
You have 30 members now, including five that joined recently, and I understand you want to grow the organization. How big can it get without jeopardizing the face-to-face part of the mission?
BENWAY: That’s a great question and one we’ve been wrestling with. The original vision was to grow to about 35 members because of what Bill likes to describe as the power of small groups, which involves building trusted relationships and an environment to share actionable information. But we need to find ways to expand beyond the 35. So what we’ve been looking at is setting up multiple sharing groups within the organization as we continue to grow, where secure information is shared between each group through various communications, including summary reports and notifications on our secure portal, which allows for virtual threat sharing among members. Our established threat sharing group leaders would facilitate each session to maintain consistency and to provide the cross-pollination between industry sectors that sets us apart from other threat share initiatives.
Although we’re regionally focused we have some companies headquartered outside the region now joining, like the Facebooks of the world. In fact, we spend time helping organizations around the globe understand who we are, what we do, how we got started and how you build an ACSC. The intent is, if they build a similar capability, we could build out our virtual threat-sharing capabilities with similar regional groups to form a federated threat share initiative. We completed a successful test exchange with an organization called the Western Cyber Exchange in Colorado this summer, which was the first of its kind. So our hope is to expand by having multiple groups share information on a national and possibly even global basis.
How does your group compare with organizations like Infragard, which is another regional group that shares threat intelligence, as I understand it.
BENWAY: Infragard is led by the FBI and my understanding is they’re a bit more strategic. There is some information shared but there is not the same level of open sharing and two-way communication, mostly due to liability concerns.
GUENTHER: If you look at the president’s executive order and the whole thrust from the federal government, there’s a recognition that the best kind of initiative starts in the private sector and then engages the government. When the government creates forums, to Charlie’s point, it sometimes leads to a more restricted conversation. But we need a lot more information sharing of all types, and the ISACs (Information Sharing and Analysis Centers) are playing an important role on a large scale basis, sector by sector.
BENWAY: We’re not trying to compete with ISAC, Infragard or for-profit services. We’re a nonprofit organization. We’re really looking to fill the gaps in the marketplace and we’re looking to complement other capabilities that enterprises have available to them.
You require members to sign a non-disclosure policy, which I presume helps people feel more comfortable about sharing high level threat intelligence.
BENWAY: We have what’s called the Participation Agreement which was negotiated by a council of all the founding members and every member signs this agreement. It does two things. Not only does it do what you just suggested, makes them feel comfortable, but it also gives them the authorization from their inside legal counsel and their management chain to participate and share information.
Is there an example you can give where ACSC threat intelligence helped an organization nip something in the bud?
BENWAY: I could give you several. At one Cyber Tuesday [members meet twice each month on Tuesdays] we had a member bring to the table the issue of vulnerabilities related to international domain-naming services, and the example that was used was www.google.com. The analyst threw up on the screen three versions of that URL, which all looked identical, and asked the security experts around the table which one was not real. It was difficult for anybody to figure out. It turned out to be the one that had a small mark under the g that looked like a piece of dirt on the screen. Everybody took that back and integrated that into their security awareness campaigns and some folks found employees had in fact clicked on a couple of these URLs which had malware behind them.
It’s not just about the technology, after all. There’s a tremendous human factor. We’re all risks. We all create some of the vulnerabilities. On the other hand, that can be flipped on its head -- we can be sensors too.
There are other examples. One time, a university member was targeted for diversion of payroll for the highest paid employees. That threat was shared and the other universities were prepared for the threat and were able to detect it.
Someone mentioned in your recent Boston meeting that some organizations still believe that all you need is a good perimeter defense. How much of a problem is that?
BENWAY: It’s not just that perimeter defense is not enough, it’s also the argument about where you focus investments and activity. Do you focus on prevention or detection? The resiliency crowd says you need to focus on detection because you’re not going to keep all the bad guys out. But a significant amount of the population says that is just waving the white flag, and prevention is where you need to focus.
I’ve heard some folks suggest that 80% of organizations out there today still believe in the perimeter defense approach, and if you have a good firewall and patch it that you’ll be okay. If those numbers are accurate, it’s a pretty significant problem because, as Michael Chertoff [former Secretary of the Department of Homeland Security] says, there are two types of enterprises, those who know they’ve been hacked and those who don’t know they’ve been hacked.
GUENTHER: The big issue is the lack of sophistication of many staffs, and therefore the inability of a company to do what they need to regardless of the mindset. So even if they understand the perimeter is dead, the fact is in many companies it’s the trust issue. If you think about intelligence-driven defense, and many vendors are pitching that as the next generation of security, only about 5% of companies, if that, actually are capable internally of doing that.
BENWAY: Sometimes it’s a combination of lack of sophistication and lack of the necessary resources, particularly in small and medium sized businesses. They don’t have the ability to hire the sophisticated staff and invest in the sophisticated tools. So they have to turn to approaches that folks are just now beginning to consider, like leveraging the cloud more, and recognizing the value of training employees, partners and suppliers. That’s a significant issue.
Turning to the larger goal of making New England a cybersecurity mecca, how do you go about that?
GUENTHER: If you lay down California versus Massachusetts in terms of IT, obviously IT has grown much bigger out there than it has here, although we’ve got a significant play with companies like EMC, RSA, Akamai and others who are members of the ACSC. But the cybersecurity challenge is a multidisciplinary play. The real play is to bring together technology, social sciences, policy, economics and law to figure out how to construct systems that work with human behavior and allow people to actually be more secure, because the architecture is framed around human behavior and provides the right incentives.
That’s a play where this region has unique assets across not only the technology centers -- CSAIL at MIT and UMass, Northeastern, BU, etc. -- but also with the Sloan School and other business schools here, the law schools, the Kennedy School, etc.
But our strength in some ways has been our limitation, in that we have these extraordinary assets but they’re fragmented. That’s why you need centers of excellence that bring together multiple universities and multiple companies around this combination of soft science, business and hard science.
If you think about the research play and you understand that companies are first and foremost looking for talent from universities, and then you embed the talent play inside the research operation, it’s an opportunity to bring graduate students and the best and brightest from the universities together with industry to collaborate on common problems and issues that align with the academic work and the commercial needs. The idea is that then these companies will hire some of these guys. These partnerships, in addition to solving problems, serve as a talent pipeline for companies looking to develop and recruit emerging talent from our universities.
To be frank, that sounds like a monumental challenge.
GUENTHER: What is complex is the multiparty collaboration, getting multiple companies and multiple universities to work together. But we’re not making this up from scratch. It happened in the semiconductor industry on a large scale basis in the ‘80s with something called International Sematech. It’s still around. Major universities collaborated with semiconductor companies who recognized that Japan Inc. represented a threat in semiconductors, and that if they didn’t collaborate around tools, education, resources and standards, they might be put out of business. That’s usually used as the primary large-scale example of a precompetitive collaboration among industry players.
If you get a little bit less ambitious about it you can focus on setting up a regional entity, or center of excellence. The National Science Foundation has funded what are called ERCs, Engineering Research Centers. We’ve got several of them here in Massachusetts and they involve more than one university and more than one industry partner. So again, we’re not making this up. There are actual models out there. We just haven’t done it in cybersecurity.
Is part of the goal to address the widely perceived shortage of security talent?
BENWAY: Everybody knows IT jobs are growing faster than other disciplines, and according to some studies, cybersecurity jobs are growing 12 times faster than IT jobs. One study said we need to produce 130,000 software engineers a year and the universities are only producing 30,000. So that kind of frames the problem today. Moving forward, that’s one of the objectives of the R&D consortium, to help identify talent, develop that talent, and connect that talent with industry.
Is the goal to migrate some people from existing IT jobs into security, or are you talking about introducing people from the university level into security?
BENWAY: I think it’s both. There are some folks out there thinking, “What do I need to do to get into it?” That’s when we talk about professional development opportunities. It’s getting their hands dirty and jumping right in. It’s very difficult to learn cybersecurity from a book. It’s really hands-on. You have to be engaged and you have to understand the threats and understand the intelligence. So I think the hands-on piece is important, in addition to any academic training and education.
If you listened to Andy Ellis from Akamai [Chief Security Officer] at the recent meeting in Boston, his view is the lack of cybersecurity talent is overblown. He says we should just be looking for smart, motivated folks to bring into cybersecurity, whether they’re microbiologists or whatever. That’s one view, but I’ve also heard others say, “I don’t really have time to develop these folks.” So it’s a real Catch 22.
Okay. Anything you want to leave us with?
GUENTHER: I guess just to summarize and reinforce the point that we believe the ACSC is a unique organization nationally, in particular because of the hybrid nature that you described up front, which is this combination of threat-sharing and our commitment to research and development.
What’s interesting from the members’ standpoint is they are the ones who have reinforced the value of having those two things connected, that the research and development needs to understand the operational and the threat-sharing piece, because those are the challenges that you’re trying to solve. If you do the research and development in isolation, you’re less likely to understand the actual challenges.