The new assistant director for cybersecurity within the Department of Homeland Security has outlined his top priorities for making the agency more “effective and efficient.”
Bryan Ware, who replaced Jeanette Manfra as assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said Jan. 14 at FedScoop’s Data Cloud Summit that CISA Director Chris Krebs tasked him with modernizing CISA’s legacy infrastructure and tackling some of the challenges the agency has with the data it collects.
At the heart of that is modernizing the artificial intelligence and tools CISA uses to sift through data. There are big implications in that effort for CISA — charged with protecting critical infrastructure and federal networks from cyberattack — as the agency is already collecting a significant volume of NetFlow records every day: 55 billion, or almost two terabytes of data, Ware said. On top of that, CISA is sharing millions of threat indicators weekly with intelligence companies and other industry stakeholders.
But there’s another new problem CISA is facing with its data: it’s finding more false positives, that is, files or activities that have been incorrectly identified as malicious, in its cybersecurity data.
“As we’ve been able to collect and share indicators, our adversaries have adapted their strategies and tactics,” said Ware. “And so now we have to provide a lot more enrichment to those indicators.”
This presents significant data challenges for CISA, he said, which now has to supplement its data with more context for the indicators in response.
But Ware said CISA needs more data and more visibility into civilian government networks, adding that the agency’s visibility is “fairly limited” because CISA’s tools sit on the edge of the agency networks.
“We see trends increasingly where more and more visibility is required sooner,” he said, without going into details.
Ware also will focus on improving CISA’s ability to share information. Information sharing is the centerpiece of CISA’s mission, but it is “technically hard,” he said, because the agency has to share across different classification levels and across sectors while accounting for privacy.
For example, CISA has partnerships with critical infrastructure providers that give it access to a lot of personally identifiable information, Ware said. But when CISA turns around to share information with the intelligence community, it has to remove the PII. Furthermore, the information that CISA gets from the IC has to be declassified before the threat indicators can be distributed to industry.
“So avoiding stovepipes there is really, really hard because there are containers and separations that must exist, but there’s tremendous value when we can see across those things,” Ware said.
Ware’s third priority is “aligning” data use across mission areas. CISA scans millions of IP addresses every day for vulnerabilities, he said, and it needs to use that vulnerability data when starting threat hunts for an organization “so that we don’t start that hunt cold ... but the data is there to inform what we hunt for.”