The NJCCIC: Building a One-Stop Cyber Intelligence Shop
A new cybersecurity support system is being developed in the New Jersey Office of Homeland Security and Preparedness.
Finding information on cybersecurity threats that is actually useful to the enterprise, either in timeliness, relevance or coherence, can be a challenge, especially in a threat landscape where a new cyber threat or attack seems to emerge every day. This gap in intelligible information-sharing helped to create the basis for the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC).
Housed within the New Jersey Office of Homeland Security and Preparedness (OHSP, ranked #2 in the 2015 Security 500 Rankings) and the state’s Division of Cybersecurity, the NJCCIC was called for in Governor Chris Christie’s May 20, 2015 executive order, and it serves as a one-stop shop for cyber information sharing.
The trick to success in this area, says David Weinstein, Director of Cybersecurity for the NJOHSP and CISO for New Jersey, is ensuring that the intelligence delivered to customers is actionable. “We have a pretty robust collection platform; in other words, the NJCCIC is monitoring adversarial traffic across all 15 departments of the state government, distilling that information, applying analytical tradecraft to it and then sharing it with trusted partners in a manner that is both timely and actionable,” he says. “And that latter piece is critical, as a lot of what’s taking place in the cyber intelligence space is prohibiting the actioning of intelligence because either the information is too complicated, there’s too much information, or there’s nobody on the receiving end who’s equipped to make sense of it or actually use it to support their risk mitigation efforts.
“There’s a lot of technology behind that, but there’s also a human component,” he continues. “We have four full-time cyber threat intelligence analysts who are constantly combing through reams of data to translate the ones and zeroes of cyber space into nouns, adjectives and verbs that our customers can make sense of.”
Phrasing cyber threats in a manner that’s comprehendible for the NJCCIC’s nearly 1,400 customers is imperative, as many of these customers are small or mid-sized businesses, which often do not have the in-house resources or personnel to accurately track and monitor cyber threats and jargon.
Weinstein adds that what is critical for a cybersecurity leader is “having the skills necessary to translate cyber risk management into the business requirements of each particular agency.” And in the absence of a CISO inside the enterprise, the NJCCIC is filling that intelligence gap.
This is also a challenge that the U.S. federal government is facing, as in February 2016 President Obama called for the creation of a national Chief Information Security Officer role to manage national cybersecurity policy and response for the government. According to Weinstein, having a centralized authority for cybersecurity can help to create a less federated cybersecurity governance program, leading enterprises to realize better economies of scale through pooling cybersecurity resources and a more efficient, coordinated cybersecurity incident response.
According to Chris Rodriguez, Director of the New Jersey Office of Homeland Security and Preparedness, “One of the things that we’re doing that’s unique in New Jersey is centralizing cybersecurity policy and operations under a single entity, which is Dave Weinstein’s Cybersecurity Division. We see cybersecurity as not only a technological issue and problem but also a homeland security issue, which requires a lot of strategic planning and positioning of our limited resources to tackle a lot of these threats.”
Establishing MOUs with Information Sharing and Analysis Centers (ISACs) for specific industries critical to New Jersey (healthcare and financial services, currently) helped to multiply the data and resources available for the NJCCIC, says Rodriguez, and the team at the OHSP are utilizing these partnerships and their in-house expertise to fill gaps in cybersecurity services at the state and local level.
“We took a look at some of the best practices and lessons learned since the U.S. Department of Homeland Security set up the NCCIC (the National Cybersecurity and Communications Integration Cell) several years ago, and we looked for voids that existed at the state level,” Weinstein says. “And what we learned is that the federal government is really good at sharing information with major critical infrastructure owners and operators and with federal agencies, especially within the intelligence community, but there were major intelligence divides at the state and local level as well as among small and mid-sized businesses. So we’ve designed the NJCCIC to fill those information divides with a keen focus on local governments and SMBs.
“In order to do that, we needed to design our capabilities differently than the federal government has, because many of our constituents, whether they be a local government with an IT shop of two folks or a small business with no IT shop whatsoever, are not as sophisticated technically or resourced as well as the federal government’s customers in this space. So we’ve had to adapt in the way that we share information with these customers, and make sure that we understand their requirements and their capabilities so that we’re actually able to establish two-way information-sharing channels with these parties,” he says.
One of Weinstein’s goals for the NJCCIC is to help build a “fire department for cybersecurity.” Currently, he says, the federal government has limited capacity to provide incident response assistance at the state and local level, so New Jersey is working to develop a response program to assist its constituents.
“This is a model that exists in the private sector and in the federal government, but it requires having trained and equipped incident responders either on a volunteer basis or a permanent basis at the state level,” Weinstein says. “And it also requires an EMS-like dispatch apparatus to obviously report the incident and deploy assets to mitigate it and help the victim recover.”
However, although this formal capacity is still in development, the NJCCIC is of service to enterprises and its members during an incident. Take for example Rutgers University, which has fallen victim to a number of cyber attacks in the past year. The NJCCIC provided assistance by monitoring the threat landscape for follow-on attacks, providing analysis to support potential motives behind the attacks to better inform Rutgers leadership, and bridging the information gap between the university and federal assets, which helped the university immunize itself against the same types of attacks to prevent sustained network disruptions.
The NJCCIC also reports on its findings to its members, sharing “indicators of compromise” (attributes of the attackers, their methodology, threat indicators, etc.) so they can take steps to protect their enterprises from similar attacks.
“At the end of the day, that is our most valuable source of intelligence, that being these types of incidents, because it’s real time, it’s very actionable for other parties, and it reflects the latest and greatest picture of New Jersey’s threat landscape in cyberspace,” says Weinstein.
“What we’ve built at the NJCCIC will help us bolster our operations and make sure that our policies are informed not just by static standards or regulatory frameworks, but by actual threats that are impacting the state of New Jersey,” he adds.
A large component of that threat landscape is terrorism, and as part of the OHSP, the NJCCIC is in a unique position to help address that threat, Rodriguez says. Cybersecurity analysts in both the NJCCIC and the OHSP can coordinate to monitor social media feeds and activity on the Dark Web to gather intelligence about potential attacks in New Jersey.
“There are two issues here that we think about: One is terrorists’ use of the Internet – we think about ISIS’s use of the Internet and particularly taking advantage of ubiquitous encryption technology to advance their operational plans and proliferate their message – but then there’s also the notion of cyber terrorism, and terrorists actually weaponizing code to advance a political agenda,” says Weinstein. “These are two issues that, because of how the OHSP is organized and the expertise that we have on the intelligence side and the technical side, we’re pretty well postured to tackle and confront.”
He adds that: “I think going forward as we look at the evolution of the threat, I’m increasingly concerned about the degree to which terrorist actors will develop higher levels of sophisticated capabilities and begin to threaten critical infrastructure assets across the state of New Jersey. Right now, and this is true in New Jersey, nationally and globally, most terrorist organizations possess the intent to conduct destructive cyber attacks, but they lack the capability. I think over the next five years, given the fairly low barriers for entry in this space, that paradigm will begin to shift. So we’re taking proactive steps to make sure that we’re aware when that paradigm starts to shift, and that we’re postured from a technical standpoint and a policy standpoint to address any threats that come down the line.”
The NJCCIC also has an advanced training capability, says Rodriguez. Analysts can be sent out to small businesses or other arms of local government to train employees.
“What we’re finding is the vast majority of cyber attacks and breaches could have been prevented simply by updating anti-virus software on computers, and that a lot of the breaches are able to enter systems by people opening up suspicious links in their emails,” Rodriguez says. “Increasing public awareness, and state government awareness as well, in terms of what’s to be opened and what shouldn’t be, is a critical part of this. What we’re finding is that it’s not just having the proper technical capacities in place; sometimes people are the weakest link in the cybersecurity chain, and we do have and we are developing robust training capabilities for employees at all levels of government and in the private sector as well.”
The information-sharing benefits of the NJCCIC are not solely limited to enterprises in New Jersey, however. The program provides intelligence to members in 19 different states, and includes 34 federal agencies. If you are interested in becoming a member, please visit cyber.nj.gov for more information.
Rodriguez notes: “As we share more information and intelligence, we become more cyber resilient across the board.”