Sharing Info about Attacks Central to N.J. Cyber Defense Organization’s Success: Weinstein
[This fall was an extraordinarily busy one for the New Jersey tech scene, and NJTechWeekly.com was overwhelmed by the amount of reporting required for all the events that were going on. As the holidays approach and the event season winds down, we’ll be presenting our coverage of some of those happenings. Here is the second of two stories about the third annual symposium on Law Enforcement and Cyber Defense at Fairleigh Dickinson.]
Sharing technical information about detected cyber attacks and system vulnerabilities with trusted partners is one way that the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) helps keep the state safe.
The unit was established to encourage cooperation among all the various cybersecurity bodies in the state, in the interest of promoting statewide awareness and the adoption of best practices in cybersecurity, according to David Weinstein, deputy director and cybersecurity advisor at the New Jersey Office of Homeland Security and Preparedness.
NJCCIC (pronounced NJ Kick) was the first central information sharing and analysis organization in the country established by a state government, said Weinstein. President Obama issued an executive order in February urging the creation of such state organizations, as they could facilitate the sharing of information between the private and public sectors.
Weinstein made his remarks at the third annual Law Enforcement and Cyber Defense symposium at Fairleigh Dickinson University. He described the various entities in New Jersey that work on cyber security issues.
“In New Jersey, cyber security exists across different levels of state government and local government. On the law enforcement side, we have a cybercrimes unit located within the state police. … We also have an IT security shop within New Jersey’s Office of Information Technology.” Weinstein explained that this organization is run by the Trenton-based state cyber security officer, who oversees the policies and operations of the state government networks. New Jersey’s Office of Homeland Security and Preparedness also focuses on cyber security, “particularly in training and awareness, as well as risk assessment.”
The Off ice goes out to critical infrastructure sites to conduct vulnerability assessments, and it works with 750 infrastructure assets to help them assess their cybersecurity posture and identify gaps. “We also have a presence on the civil side as well,” said Weinstein. An example is the use of civil fraud laws to investigate identity theft and help prevent it.
The NJCCIC has a different mission, Weinstein noted, one that focuses on sharing information on cyber attacks and adopting best practices.
“There have been a number of private sector institutions for information sharing,” but the NJCCIC works closely with other states, especially Virginia and New York, to build similar agencies across state boundaries so states can start sharing information with each other when they encounter cyber threats.
The real value of the NJCCIC is that it brings together the technical and nontechnical people working on this issue in New Jersey, Weinstein noted. That’s a key point. Cybersecurity cannot exist in disciplinary silos. You can’t have the IT people working in one space, security people working in another space, and intelligence analysts working in yet another space. The NJCCIC brings all these disciplines together. They sit together physically on an operations floor. Weinstein added that the NJCCIC uses open source information as well as classified information that is passed down from the federal government.
“At the end of the day, we are in the business of making people aware of threats and promoting the adoption of best practices,” he told the group. Weinstein noted that research from Verizon pointed out that cyber attacks move from the first victim to the second victim in 24 hours. Those 24 hours are a window during which information sharing can help thwart the spread of the attack.
“Specifically, we want to get to a place where we can start sharing information in an automated real-time fashion,” he said. The NJCCIC gathers threat data, usually in the form of indicators or technical information that illustrates how the adversaries are attacking a system, and it shares that information with trusted partners. “We do that using … a universal format for consuming cyber threat intelligence,” said Weinstein.
He added that the group had set up its own infrastructure for facilitating information sharing. “We are currently taking all the indicators of compromise that we see at the state government level, as well as the county government level, and we are sharing it with our partners in the private sector, our partners in the nonprofit sector, as well as the federal government” through Homeland Security .
“I want to emphasize that the information we are sharing does not contain proprietary data … doesn’t contain personally identifiable information,” he said. “Just as businesses are reluctant to hand over sensitive information to the government, the government takes on equal, if not more, liability by retaining that information. So we always encourage our partners to degrade the information to a point where it doesn’t include sensitive information.”
Sometimes information sharing actually means identifying known vulnerabilities and making the solutions available to end users. “These known vulnerabilities aren’t really well-known by the majority of end users,” he noted. The NJCCIC is reaching out to the small business community and to local governments that don’t have a lot of resources, so they can ultimately reduce their risk.
Weinstein pointed out that there are a number of bills on Capitol Hill that, if passed, would incentivize private sector cooperation and participation in this space. “I think there are some very legitimate concerns that businesses have from a security and legal perspective involved with sharing information, not just with the government, but with anyone outside” of their companies. He told the group that he was working with his counterparts in Washington to help form policies to address this matter.
New Jersey would like to see this legislation passed, said Weinstein. He added that most of the cybersecurity threats are in the private sector, so the NJCCIC should get more participation from local businesses. “Unless the private sector can see legitimate value from working with the organization, then we will really not be successful.”