Thursday, September 13, 2012

DHS / NIST RFC :: Developing a Capability Framework for a Healthy and Resilient Cyber Ecosystem Using Automated Collective Action


TITLE: Developing a Capability Framework for a Healthy and Resilient Cyber Ecosystem Using Automated Collective Action 

AGENCIES: U.S. Department of Homeland Security, National Protection and Programs Directorate in conjunction with U.S. Department of Commerce, National Institute of Standards and Technology

Issued: September 10, 2012


Recent trends demonstrate the need for improved capabilities for defending against cyber attack. Cyberspace has become the backbone of modern society, commerce, industry, academia, medicine, critical infrastructures, and government. The sheer number of cyber attacks is increasing and the consequences of today’s cyber attacks are severe. This includes financial fraud, loss of sensitive data, identity theft, or related crimes.

Strengthening the cyber ecosystem is one of two focus areas in the DHS Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise [4.0 References, 3]. The DHS National Protection and Programs Directorate (NPPD) cyber ecosystem paper [4.0 References, 1] proposed a concept for creating a healthy, resilient, and more secure cyber ecosystem. In this concept, computer systems, devices, applications, and users will automatically work together in near-real time to anticipate and prevent cyber attacks, automatically respond to attacks while continuing normal operations, evolve to address new threats, limit the spread of attacks across participating devices, minimize the consequences of attacks, enable the sharing of timely and relevant security information, and recover to a trusted state. The concept will allow for robust privacy protections while delivering security protections commensurate with risk. To that objective, it is important to assess where we are now technologically, what additional capabilities are needed, and what current technologies are best available to meet those capabilities at this time.

The U.S. Department of Commerce, through the Internet Policy Task Force, has focused its efforts on developing public policies and private sector norms whose voluntary adoption could improve the overall cybersecurity posture of private sector infrastructure operators, software and service providers, and users outside the critical infrastructure. The NIST, within the Department of Commerce (Commerce), has developed a number of guidelines, recommendations, and technical reports that can support development of automated collective action. These include automation protocols; trust models for security automation data; standard platform identification; configuration, vulnerability, and misuse scoring systems; and an automated enterprise remediation framework.

Recent academic and private sector work [4.0 References, 4, 5, 6, 7, and 8] provides analysis and recommendations for collaborative cybersecurity approaches, and some of these approaches are motivated by natural ecosystems such as the immune system [4.0 References, 9, 10]. Characteristics of natural ecosystems have been analyzed for possible applicability to the cyber ecosystem. For example, it might be possible to engineer systems in the cyber ecosystem to respond to a cyber attack in a manner similar to how the human body reacts to an infection. This example might suggest that the capabilities and security architecture of the cyber ecosystem might benefit from a combination of localized response as well as global alerting and mobilization so that other ecosystem participants are informed of the attack, preferably before coming under attack, and can help defend against the attack before it spreads.

The previously mentioned DHS NPPD ecosystem paper [4.0 References, 1] expands on a number of these concepts, including the need for distributed command and control, the ability to apply appropriate levels of focus and convergence, and the need for key building blocks including interoperability, automation, and authentication. Implementing automated collective action in defense of the cyber ecosystem will require a partnership and a common collective vision among the private sector, academia, government, and consumers.

There undoubtedly are additional considerations, challenges, and possibilities that were not discussed in the ecosystem paper. This RFI focuses on learning more to help develop a future security architecture that maintains the appropriate level of human intervention and monitoring while enabling automated collective action to strengthen the security of the cyber ecosystem.

. . . . . .

Responses to this RFI shall be sent via one email to BOTH of the following email addresses: 1. DHS: Cyber Ecosystem 2. NIST:

All responses shall be submitted no later than 5:00 pm EDT on October 1, 2012. In the subject line of your final submission email, include the following: “RFI-OPO-12-0002 Cyber Ecosystem Submission”. Questions and requests for clarifications on this RFI must be sent via email to no later than 5:00 pm EDT on September 17, 2012. In the subject line of your email when submitting questions, include the following: “RFI-OPO-12-0002 Questions”.
