Deep in the Defense Department, a group is partnering with industry to create a window into the cyber vulnerabilities of the defense industrial base. The Defense Industrial Base Collaborative Information Sharing Environment (DCISE) is part of the Defense Cyber Crime Center, and division chief Mike Weiskopff talked about it in more detail on Federal Drive with Tom Temin.
Mike Weiskopff: So, DCISE is the action arm to the DIB CS program. And so the PMO office at DoD CIO, they handle all the policy stuff, and then we actually conduct the action for the defense industrial base. And to do that we do a bunch of different things from developing cyber threat information, all the way up to trying out different pilots and programs to see how well they work with the DIB partnership.
Tom Temin: Got it. And does this have any relation at all to the CMMC program — the Cybersecurity Model Maturity Certification program — or those are kind of parallel?
Mike Weiskopff: So those are kind of two different efforts. Although we have a lot of DIB companies that come to us asking for help with CMMC and how they can kind of achieve those goals. And in which case, we do have one service we offer, what we call the CRA — the Cyber Resilience Analysis — that can help companies kind of figure out where their cyber resilience is at. And that’ll help them when CMMC goes live for them.
Tom Temin: Alright, but getting back to this larger idea of getting kind of a DoD-wide picture of the defense industrial base, what is your strategy for getting that?
Mike Weiskopff: So we have a bunch of different services out there that we’re trying to leverage for them. One of them being Krystal Ball, that allows us to get us that picture on the defense industrial base. So, Krystal Ball, the idea is, is we take open source information, information that anybody can acquire, to include the adversary and be able to pull that in and look at it, and then report back to the DIB partners to let them know where they may have vulnerabilities.
Tom Temin: So this is open source information that is out there on the internet, about threats that are going on that kind of thing?
Mike Weiskopff: Correct. Yup, it lays out the infrastructure of the DIB companies, and then it looks at it, and then identifies different vulnerabilities that are there. And then once we identify that for a partnership, we report back to them, letting them know about the vulnerabilities.
Tom Temin: But do you have a window into what their own network holes might be that they are susceptible to the things you discover out there in the wild?
Mike Weiskopff: Only the stuff that’s publicly accessible. So, within normal infrastructure, you’re going to have kind of internal network, a intranet that they run. We don’t have visibility on that, we only have stuff on the internet that is connected to the public Internet. So we’re able to access that data of the stuff that’s facing out towards the open Internet, that anybody can query.
Tom Temin: Got it. It is possible then for a individual company to know what it is they should be on the alert for and take whatever steps might be necessary?
Mike Weiskopff: Correct. If they have the resources to do that. That’s one of the things that we’ve been discovering with the small and medium sized companies is that they may not have the resources to kind of do that research. It’s man hours intensive. And so it takes a lot of people a lot of time to try to make those discoveries and find that information. The Krystal Ball platform is supposed to do it in an automated fashion and report that back to us so that we can then report that to them — to the DIB partners.
Tom Temin: So there’s some automation into this in terms of what is generated by the Krystal Ball and you get alerts or notices of, hey, we better look into this particular threat?
Mike Weiskopff: Correct. Yep. There’s kind of two ways the platform works. The first one is, is that it provides a threat score on certain companies, then we’re able to, upon request, if they ask for an assessment, we can kind of take a look at that threat score and kind of let them know where the threats are for their company. But then there’s also an active approach where you can actually query it to say, “Okay, give me everything you know about company X.” And then we can take that information that it has within that query, and provide that back to them. For instance, when HAFNIUM happened, we pulled against the system, so it was more of an active search, looking to say, “Okay, how many of the DIB partnerships have the HAFNIUM vulnerability on their network?” And the system came back and said, “Okay, here’s all the DIB partners that we’re tracking, that have HAFNIUM vulnerabilities on their exchange servers, on their network.” And then we quickly turned around and put out tippers, out to those companies, letting them know that that HAFNIUM vulnerability was there.
Tom Temin: Got it. So, there is, in other words, a way of accessing their vulnerabilities in a public way that’s not invading their network or hacking them in any way.
Mike Weiskopff: Correct. So separate from other programs that they’re more of an active approach against the network, everything we do is more passive. There’s no action against their network to collect this information. And in reality, anybody on the open internet has access to this information. An adversary could end up looking up this information as well, from where the Krystal Ball platform gets it from, and able to find the same information we’re able to find.
Tom Temin: We’re speaking with Mike Weiskopff, he’s division chief of expanded offerings and projects for the Defense Industrial Base Collaborative Information Sharing Environment. And when you deal with the smaller companies, clearly, you would expect Lockheed and General Dynamics to understand their networks and they probably have giant network operation centers of their own and security operation centers, but many of the DIB companies are small, medium sized, some of them are very small. What do you find is the common obstacle for smaller companies to be able to manage themselves in a secure way?
Mike Weiskopff: So a lot of it has to do, again, with that resourcing, having the manpower available to pit all the aspects of cybersecurity. Some of them are able to overcome that. And that’s by signing up with an MSSP, or Managed Security Service Provider, and then they’re able to kind of have them manage the cybersecurity for them. Other ways that they achieve it is pushing a lot of the stuff out into the cloud environment, and then allowing the cloud service provider kind of manage the security for that cloud environment. However, not a lot of these are foolproof solutions. And there’s still gaps within that security, within that cyber resilience. And we try to figure out what those gaps are through our CRA’s, our Cyber Resilience Analysis, try to figure out where those gaps are, and then help those smaller companies fill in those gaps. And that’s where things like Krystal Ball comes in.
Tom Temin: Got it. So, it sounds like you’re saying that any company starting up, or any company deciding to upgrade their information technology, would kind of be crazy to try to install and operate all of their own software, that really, they should use software as a service and a good branded cloud. And that takes away, it sounds like, a whole lot of the cyber threat responsibility that they would have otherwise, just going through an ISP on their own and hoping for the best.
Mike Weiskopff: So when you talk about risk, there are different ways to kind of, to handle risk. And that’s really where your question’s directed toward. And when you go with MSSP, or you go with a cloud service provider, what you’re really doing is you’re transferring that risk, you’re not eliminating it completely. And then depending on how your contract is with the MSSP, or the cloud service provider, even though you transferred a lot of infrastructure over to them, or at least the management of it to them, you don’t always transfer all the risk. And so you have to make sure that within your contract with those companies, the MSSP and the cloud service providers, that you meet your intent. If your intent is to transfer that risk, that you make sure that that’s in that contract with that cloud service provider and MSSP. If it’s not in there, then even if they are managing the handling, the security, the cyber security for your company, if it’s not in the contract, that that risk is being transferred, then they still can’t help out of a situation should happen.
Tom Temin: And do you have any good save stories from companies operating with you in the Krystal Ball and avert a disaster?
Mike Weiskopff: Well, I already mentioned one which is HAFNIUM. We were able to get out tippers. Yep. So that was a Microsoft Exchange Server vulnerability. As soon as we knew about it, we’re able to query Krystal Ball to figure out what companies had that, and then reach back out to them, let them know, “Hey, you have this vulnerability.” Pretty much all the DIB companies came back to us and said, “Yep, we’ve identified it. And they are working on a plan to mitigate it.” Whether it was putting out a patch right away, or using their change, mitigating a different way until they get the change management process to apply the patch.
Tom Temin: And in the meantime, backup everything and then unplug that drive.
Mike Weiskopff: Correct. Yes. And again, that’s up to the CEO of that company to make the determination of how much risk they have the appetite for. So if they absolutely, positively need that exchange server, they can keep it running with other mitigations in place to block any kind of connectivity to it that they need to block but still have operate as a mail server. Or if they don’t need that mail server, they can just completely shut it down. And I’ve actually happened with one of the companies where they discovered that this mail server was there that they didn’t realize had been there. And then they’re like, “Okay, we need to tear down that mail server because we’re not using anything right now.” So there are times when we’ve kind of identified stuff to the DIB companies letting them know that it’s out there and they didn’t realize it.
Jared Serbu: Mike Weiskopff is division chief have expanded offerings and projects for the Defense Industrial Base Collaborative Information Sharing Environment.