CYBEX - The Cybersecurity Information Exchange Framework

1. 2.1 CYBEX - The Cybersecurity Information Exchange Framework Tony Rutkowski, tony@yaanatech.com Rapporteur, ITU-T Cybersecurity Rapporteur Group EVP, Yaana Technologies Senior Fellow, Georgia Tech, Sam Nunn School, Center for International Strategy, Technology, and Policy (CISTP)

2. What is the Cybersecurity Information Exchange Framework (CYBEX) ? • A global initiative to • identify a set of platform specifications to facilitate the trusted exchange of information among responsible parties worldwide supporting cybersecurity for • Infrastructure protection • Incident analysis and response • Law enforcement and judicial forensics • Enhance the availability, interoperability, and usefulness of these platforms • Extensible use of best-of-breed open cyber security information exchange platforms • Facilitated by the Cybersecurity Rapporteur Group of ITU-T (Q.4/17) • ITU-T Recommendations during 2010-2011, with continuing evolution to current user community versions and needs

3. What is cybersecurity? Contractual service agreements and federations Intergovernmental agreements and cooperation Encryption/ VPNs esp. for signalling 1. Measures for protection Legal remedies may also institute protective measures 4. Legal Remedies Tort & indemnification 2. Measures for threat detection Resilient infrastructure Real-time data availability Regulatory/ administrative law Criminal law Data retention and auditing Forensics & heuristics analysis Provide data for analysis Identity Management Routing & resource constraints Provide basis for actions Blacklists & whitelists Deny resources Investigation & measure initiation Reputation sanctions Vulnerability notices Patch development Network/ application state & integrity Provide awareness of vulnerabilities and remedies 3. Measures for thwarting and other remedies = information exchange for analysis = information exchange for actions

4. The CYBEX Initiative:basic model for information exchange CYBEX Focus Cybersecurity Organization Cybersecurity Organization CybersecurityInformationacquisition(out of scope) CybersecurityInformationuse(out of scope) • Structure information • Identify & discover cyber security information and organizations • requesting & responding with cybersecurityinformation • Trusted exchange of cyber security information

5. Structured Information Event/Incident/Heuristics Exchange Cluster Vulnerability/State Exchange Cluster CCECommon Configuration Enumeration SCAP SP800-126 Security Content Automation Protocol Specific Events CEE Common Event Expression ARF Assessment Results Format CEE Common Event Expression MAECMalware Attribution Enumerationand Characterization X.gridf SmartGrid Incident Exchange Format CEE Common Event Expression CPECommon Platform Enumeration XCCDF eXtensibleConfiguration Checklist Description Format CEE Common Event Expression OVALOpen Vulnerability and Assessment Language CWSSCommon Weakness Scoring System PFOCPhishing, Fraud, and Other Non-Network Layer Reports CVECommon Vulnerabilities and Exposures Black/WhitelistExchangeFormat IODEF RFC5070Incident Object Description Exchange Format CAPEC Common Attack Pattern Enumeration and Classification CVSS Common Vulnerability Scoring System CWECommon Weakness Enumeration Exchange Terms and Conditions LEA/Evidence Exchange Cluster = imported RFC3924 Architecture for Lawful Intercept in IP Networks TS102232 Handover Interface and Service-Specific Details (SSD) for IP delivery X.dexfDigital Evidence Exchange File Format X.cybex-tc Cyber information terms and condition exchange format = new ERDMElectronic Discovery Reference Model TS102657 Handover interface for the request and delivery of retained data TS23.271 Handover for Location Services = referenced

6. Discovery and Trusted Exchange Discovery Cluster X. cybex.2 XML namespace in the Exchange of Cybersecurity Information X. cybex-discOID-based discovery mechanisms in the exchange of cybersecurity information X.cybex.1An OID arc for cybersecurity information exchange X. chirp Cybersecurity Heuristics and Information Request Protocol Identity Trust Cluster Exchange Cluster LEA/Evidence Exchange X.cybex-tpTransport protocols supporting cybersecurity information exchange X.cybex-beep BEEP Profile for Cybersecurity Information Exchange Framework X.evcert Extended Validation Certificate X.eaa Entity authentication assurance TS102042 V.2.0 Policy requirements for certification authorities issuing public key certificates = imported TS102232-1 Handover Interface and Service-Specific Details (SSD) for IP delivery = new = referenced

7. A Cybersecurity Namespace • Trusted global cybersecurity information exchange requires identifiers for • The parties and other objects involved in the exchanges • The information exchanged • The terms and conditions associated with the exchanged information • A global cyber security namespace is part of CYBEX and described in draft Rec. ITU-T X.cybex.1 • The OID namespace 2.48 has been reserved for this purpose by joint ISO|IEC JTC1 SC6 and ITU SG17 action • OID namespaces • Are hierarchical and enable autonomous distributed management • Were developed for and have been used for these kinds of purposes for the past 30 years • Can also be used to meet new ETSI TC LI Dynamic Triggering requirement for a global identifier for warrants and related needs

8. A Global Cybersecurity Namespace Joint ITU-T & ISO 0 1 2 [jointly allocated by ITU-T SG17 and ISO|IEC JTC1 SC6] ITU-T|ITU-R ISO [Allocated by ITU-T SG17] [Allocated by ISO|IEC JTC1 SC6] 3 1 48 = cybersecurity . . . 4 0 2 48 Architecture TBD Every country has a numeric identifier automatically reserved in the OID 2.48 cybersecurity namespace . . . . . . . . . 4 250 756 840 . . . nnn Suisse USA France Afghanistan FIRST 1 [each country , organization, subdivision allocates namespaces and levels as desired] Non-country organizations can also be allocated identifiers

9. Use of the OID cybersecurity namespace: an example Ensures coherent ability to know who is involved, specific identification of the information, and expected treatment policies Cybersecurity Organization Cybersecurity Organization 2.48.1.756.3 [hypothetical Swiss agency] 2.48.1.250.2 [hypothetical French agency] • Incident 2.48.1.756.3.1.[local identifier] • Terms & conditions 2.48.1.756.3.2.[local identifier] Local agency and community identifiers can continue to be used The namespace identifiers need not be publicly exposed – only unique and consistent within the namespace

10. The cybersecurity problems are about to get much worse • Cloud Services and SmartGrids create potential significant new cybersecurity threats with far reaching consequences • Public services are being pushed into the marketplace with • No regulation • No standards • Availability of massive network data center resources • With little understanding of the cybersecurity dimensions, much less effective solutions • No international agreements

11. Will history repeat itself? • Similar kinds of cyber security challenges were faced a hundred years ago • Fast-paced new network technology emerged • Networks became global in scope • Harmful incidents were rapidly scaling • Governments did not intervene to avoid harm to innovation • Sinking of the Titanic in 1912 finally motivated global action • Every new network technology has faced similar challenges • The 1980s OSI Internet had public infrastructure security solutions, but lacked innovation • The 1990s TCP/IP academic Internet had no public infrastructure security solutions, but was great for innovation • Criminals , hackers, terrorists, miscreants are also innovative and have many incentives • CYBEX assembles open, extensible, technology-neutral capabilities essential for public network infrastructure/service cybersecurity in different forms over the past hundred years

12. It usually takes a major disaster SS Cyber Infrastructure How many cyber icebergs do you need before substantial global action occurs?