NEIGHBORHOOD WATCH programs enlist an organized group of vigilant citizens who—by being observant and spreading word of threats—can help reduce the opportunities for criminals to get away with crimes. The U.S. Department of Energy’s (DOE) Argonne National Laboratory has developed a model for cybersecurity that researchers say can serve a similar function. They’ve also devised open source software that groups can use to implement the model.
The model, called a Federated Model for Cyber Security, has been in the works for years, and the latest version recently won the DOE’s 2009 award for innovation and security achievement. It is currently in use by Argonne and Department of Energy entities.
The model calls for a connection between entities such that when one organization is attacked, the others find out about it in real time and can defend against any similar attacks. The assumption is that similar organizations will likely be targets of similar attacks.
A key factor is the use of technology so that the process of notification can be automated, rather than merely relying on people to spread the word about attacks from one institution to another. Participating organizations implement software that interprets what firewalls and detection systems have found and shares it with other members of the federation.
There are several technical challenges to developing a model like this, but Coleman Wolf, CPP, CISSP, engineer consultant for Environmental Systems Design, says that on the technology side, the way has been paved by a move to open standards and the use of formats such as XML that make data sharing easier among entities. However, he points out that even with open standards, the model participants would have to agree on the types of data to be shared and the sharing formats.
Many cybersecurity experts laud the federated model. “It’s fantastic because it sets up what we call the ‘zero day’ scenario. And that’s basically where I know pretty much in real time that somebody similar to me is under attack. And that way I can take preventative measures,” says Jim Litchko, senior security analyst at Cyber Security Professionals.
Argonne Deputy CIO and Cyber Security Program Manager Michael Skwarek, who helped develop the model, suggests that it has the potential to be used in the private sector as well. For example, he says companies with multiple campuses, universities, and hospitals might find it helpful to employ it.
The model would probably not, however, work in the commercial sector among competing entities, say security professionals interviewed for this article. “There are a number of complications in sharing that information between companies not only just for private business competitive reasons, but in a lot of cases, there could be regulatory limitations placed on a company,” says Wolf.
Additionally, adopting a model like this requires economic considerations. It might not be cost-effective in the commercial space to devote resources this way, says Litchko.
Skwarek says the types of information exchanged in the federated model include IP addresses, URLs, domains, and e-mail addresses.
He says that, above all, the model requires trust among the engaged parties. When that trust is established, encryption keys are exchanged, and thus, warnings can be sent from one entity to the other through the software structure.
“It’s a secure communication fabric between trusted parties that will share timely information with others so that they don’t have to feel the same pain. What we’ve created is this infrastructure that allows for individuals to create a federation,” explains Skwarek.
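As an added illustration, not Argonne's own software (which the article does not describe in detail), the following Python sketch models the trust step and the automated warning described above: two members exchange a key, a local detection at one site becomes a signed indicator warning, and the receiving site checks sender, integrity and freshness before adding the indicator to its blocklist. The member names, the symmetric HMAC key and the 203.0.113.7 address are constructed sample values.

```python
import hashlib
import hmac
import json
import time

INDICATOR_TYPES = {"ip", "url", "domain", "email"}  # types the article says members exchange


class FederationMember:
    def __init__(self, name, max_age=300):
        self.name = name
        self.peer_keys = {}  # peer name -> key exchanged once trust is established
        self.blocklist = {t: set() for t in INDICATOR_TYPES}
        self.max_age = max_age  # seconds; older warnings are not acted on
        self.rejected = []  # (reason, sender) for every discarded warning, for audit

    def trust(self, peer, key):
        """Record a key agreed out of band with a trusted peer (assumed: symmetric HMAC key)."""
        self.peer_keys[peer.name] = key
        peer.peer_keys[self.name] = key

    def warn(self, ind_type, value, now=None):
        """Turn a local detection into one signed warning per trusted peer."""
        if ind_type not in INDICATOR_TYPES:
            raise ValueError(f"unknown indicator type {ind_type!r}")
        body = json.dumps({"type": ind_type, "value": value, "ts": now or time.time()}, sort_keys=True)
        return {peer: {"from": self.name, "body": body,
                       "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}
                for peer, key in self.peer_keys.items()}

    def _reject(self, reason, sender):
        self.rejected.append((reason, sender))
        return False

    def receive(self, msg, now=None):
        """Verify origin, integrity and freshness before acting on a peer's warning."""
        sender = msg.get("from")
        key = self.peer_keys.get(sender)
        if key is None:
            return self._reject("untrusted sender", sender)
        expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return self._reject("bad signature", sender)
        data = json.loads(msg["body"])  # parsed only after the MAC checks out
        if (now or time.time()) - data.get("ts", 0) > self.max_age:
            return self._reject("stale warning", sender)
        if data.get("type") not in INDICATOR_TYPES:
            return self._reject("unknown indicator type", sender)
        self.blocklist[data["type"]].add(data["value"])
        return True
```

A tampered body, a warning from a party with no established trust, and a warning older than `max_age` are all recorded in `rejected` without touching the blocklist.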