An adversary has spent months executing a cyberattack on an unnamed part of the nation's critical infrastructure, after years of planning. Now, the disruption to daily American life is reaching its climax. First, there is a distributed denial of service, or DDoS, attack that masks a massive theft of data crucial to plotting the final coordinated strike. No one notices because security personnel are too busy trying to revive systems overwhelmed by a deluge of bogus network traffic.
The adversary captured passwords and network blueprints during earlier, smaller hacks and now is ready to dive into the key sector's IT environment with prefabricated malware. The sector's activities stop and IT administrators are locked out from their own systems.
If first responders had been using big data analytics, they might have prevented the final step in the assault, according to national security recommendations for President Barack Obama that are up for a vote Wednesday.
This hypothetical cyberattack is one of several scenarios detailed in a National Security Telecommunications Advisory Committee draft report on how munching vast, disparate data sets can generate knowledge to aid during crises.
On May 11, the top cyber leaders in the U.S. government will convene in Silicon Valley at a committee meeting, where they will update the panel on agency projects and hear the advisers debate the recommendations.
Big data analytics "may hold the most promise for cybersecurity in regards to threat intelligence that captures the tools, tactics, techniques and procedures used by attackers," the draft report states.
For starters, companies can collect network flow data and other information sets that provide visibility into changing situations on their systems. Cyber pros, with that intelligence in hand, then can create a baseline that visualizes normal network activity and compares that normal against anomalies on the network to detect a potential attack.
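A minimal illustration of the baseline-and-anomaly approach described above, added here as an example (not code from the report or the committee): it builds a per-host outbound-volume baseline from constructed flow summaries, then flags a host whose outbound traffic spikes far above its norm, as in the data-theft step of the scenario, along with a source the baseline has never seen. All hosts, addresses and byte counts are made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed, hypothetical flow summaries: (window, src_host, dst_host, bytes_out).
# Seven quiet windows per internal host form the baseline.
BASELINE = [
    (w, "10.0.0.5", "10.0.0.50", 40_000 + 500 * (w % 3)) for w in range(7)
] + [
    (w, "10.0.0.7", "203.0.113.9", 90_000 + 2_000 * (w % 4)) for w in range(7)
]

# Window under review: 10.0.0.7 pushes ~50x its usual volume to an external host
# while an unseen external source floods 10.0.0.50 (the DDoS that masks the theft).
CURRENT = [
    (7, "10.0.0.5", "10.0.0.50", 41_000),
    (7, "10.0.0.7", "203.0.113.9", 4_500_000),
    (7, "198.51.100.20", "10.0.0.50", 3_000_000),
]

def per_host_totals(flows):
    """Outbound bytes per source host, one total per window."""
    totals = defaultdict(int)
    for window, src, _dst, nbytes in flows:
        totals[(src, window)] += nbytes
    by_host = defaultdict(list)
    for (src, _window), total in totals.items():
        by_host[src].append(total)
    return by_host

def build_baseline(flows):
    """Mean and population stddev of per-window outbound bytes for each host."""
    return {h: (mean(v), pstdev(v)) for h, v in per_host_totals(flows).items()}

def detect(baseline, flows, k=4.0, min_sd=5_000):
    """Alert on hosts exceeding mean + k*sd (sd floored so quiet hosts are not
    over-sensitive) and on sources with no baseline at all."""
    alerts = []
    for host, totals in per_host_totals(flows).items():
        if host not in baseline:
            alerts.append((host, "no baseline for source"))
            continue
        mu, sd = baseline[host]
        for total in totals:
            if total > mu + k * max(sd, min_sd):
                alerts.append((host, f"outbound {total} vs baseline {mu:.0f}"))
    return sorted(alerts)
```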
A force multiplier for corporate cyber defense would be data describing malicious behavior that already has struck elsewhere. However, information sharing requires companies to cooperate -- and agree on threat intelligence "ontologies and taxonomies" that everyone can understand.
Big data analytics "can be used to detect threats but a key element ... is the availability and standardization of the data so that a common operating picture can emerge across industry," the report states.
Whether hit by a natural disaster, manmade terrorist attack or hack, a "Good Samaritan" framework for exchanging big data could assist emergency responders, the committee says.
The report recommends Obama direct agencies to develop a framework for the government and consenting companies that would be activated in the event of a crisis.
"The framework should afford standard agreed upon protections to entities sharing data in good faith during" the event, as well as "clarify rules regarding the protection of privacy, data use, ownership, storage, retention, accidental disclosure, and deletion," according to the report.
Big data analytics, in the cybersecurity example, would have allowed a company to spot a compromised device early in the cyberattack and separate the machine from the network. Or, it may have helped identify malicious "phishing" email trends to warn potential recipients. In addition, IT personnel who reviewed the data would have noticed abnormal traffic patterns inside the network.
Analytics "provide a potential way for security professionals to keep up with cyberthreats by reducing the amount of information that needs to be reviewed manually," but several complications still need to be addressed, according to the report.
Along with challenges settling on a consistent way to trade data, companies and the government will face customer privacy and business confidentiality concerns. There also are costs associated with the technologies used for combining and combing through data.
The report notes that Congress last year passed the Cybersecurity Information Sharing Act to ease sharing within industry, as well as between industry and the government.
"The legislation is a good first step to building a collaborative big data environment," the report states.
And bottom line, "despite the costs involved, the hardware challenges are not as great as the challenges of finding and attracting great talent," the committee says.
The panel will vote on the report in between an update from Adm. Mike Rogers, the top Pentagon military official who heads the National Security Agency and U.S. Cyber Command, and an update from Homeland Security Department Undersecretary Phyllis Schneck, the lead civilian cybersecurity official.
The study was compiled by committee members representing Harris, Neustar, Apple, FireEye and Palo Alto Networks, among other industry executives as well as a few federal officials.