Can Big Data Stop Cyber Threats?

By Aliya Sternstein

June 3, 2014

The quality of data and automation has not matured to the point where feeding information to machines can prevent cyberattacks, according to one former U.S. intelligence cyber chief.

Right now, there's simply too much information, and it's inefficient to analyze it, said Roger Hockenberry, former chief technology officer for the National Clandestine Service. Hockenberry spoke Tuesday at a discussion about the role of big data in cybersecurity organized by Nextgov.

Still, some current Homeland Security Department officials stressed the need to at least automate data feeds about breaches -- something organizations that are hit by hackers are often reticent about.

"What it really comes down to is your CERT," or computer emergency response team, said Hockenberry, who also served as a CIA chief for cyber solutions. "All the companies that I see have a very nascent ability to automate response to any kind of attack. It’s still a manual process."

Roberta Stempfley, DHS deputy assistant secretary for cybersecurity strategy and emergency communications, who also spoke at the event, said she values the wisdom of crowds in analyzing data, if they are trusted crowds. 

"One of the most important things we can do," she said, "is make sure the knowledge of one becomes the wisdom of others -- and they can take action to protect themselves based on what we know."

She offered the example of specially formatted data about threat "indicators," or hallmarks, that contains context, such as ways to use that data to stop hackers. DHS worked with industry to produce standards called STIX, for Structured Threat Information eXpression, that companies will feel comfortable sharing in a restricted environment. The department already has begun testing this automated, two-way exchange of formatted indicators across the financial sector, Stempfley said.

She estimates the system will be made available to other critical industry organizations within about three months. 

"Groupthink is not always useful," Stempfley said. "A trusted place to collaborate, and getting enough smart people around the problem to actually develop insight, is very useful."

Another DHS project – the Cyber Information Sharing and Collaboration Program -- has quietly gathered 84 organizations representing key sectors to do "deeper geek level analytics” that have proved “really powerful at getting the wisdom of more than a single individual," Stempfley said. 

This is not a comment page for anonymous pundits -- but rather a firewalled, vetted website where unidentified industry members can feel comfortable confessing to breaches. 

"I think that there are people who are much more comfortable in an anonymous manner," Stempfley said in an interview after the event. "When we describe that what we want is indicators and context, people get more comfortable with saying, 'I’m a retail provider,’ or they want to share their name, but most companies are not comfortable putting themselves out there yet."

Editor's Note: The headline and the lead section of this article have been updated to better characterize the remarks of participants at the event.

(Image via Ai825/

By Aliya Sternstein

June 3, 2014