Approved for Public Release; Distribution Unlimited. 13-3851

The MITRE Corporation
Cyber Partnership Blueprint: An Outline
October 26, 2013

Copyright 1997-2013, The MITRE Corporation. All rights reserved.
Blueprint Outline: Cyber Exchange (Version 0.85)

Contents

Scope
Blueprint Overview
Lessons Learned & Challenges
Business View
  Overview
  Understanding the Landscape
  Understanding the Potential Players
  Determining Industry Mix and Identifying Potential Participants
  Identifying Potential Organizing and Operating Entities
  Understanding Other Cybersecurity Players
  Articulating Differentiators and Value Proposition
  Developing an Approach for Reaching Out to Key Players
  Developing an Initial Charter for the Cyber Partnership
  Conducting the Pilot
  Recruiting Charter Members
  Developing and Executing Initial Participation Agreement
  Establishing Platforms for Sharing
  Start Sharing
  Transitioning to Operations
  Developing a Business Plan
  Partnership Overview
  Market Analysis
  Sharing Activities and Tools
  Operations
  Organization
  Finance
  Think Ahead
  Establish Timeline and Milestones
  List of References
Operational View
  Overview
  Establishing a Membership Model
  Types and Roles
  Eligibility
  Charter Members
  Establishing a Trust Framework
  Developing Non-Disclosure Agreement
  Finding Trusted Intermediaries
  Developing Member Trust
  Establishing a Sharing Model
  Developing a Sharing Incentive Framework
  Developing Rules of Behavior
  Defining Organizational Interactions
  Face-to-Face
  Virtual
  Technical Exchanges
  Executive Sessions
  Developing a Communications and Outreach Plan
  Defining Metrics
  Establishing a Timeline and Milestones
  Thinking Ahead
  List of References
Infrastructure View
  Overview
  Establishing a Model for Sharing Cyber Threat Information
  Hub-and-Spoke
  Post-to-All
  Federated
  Hybrid
  Defining What You Are Sharing
  Developing Requirements for Sharing Tools
  Portal
  Collaboration
  Threat Repository
  Establishing Norms for Representing Threat Information
  Providing Secure Architecture for Sharing
  Thinking Ahead
  Establishing a Timeline and Milestones
  List of References
Scope

The Cyber Partnership Blueprint ("Blueprint") is a building plan for how an entity (public or private) can establish and operate a consortium (cyber partnership) for sharing unclassified cyber threat information. This outline will guide a series of online posts on Blueprint for Cyber Threat Sharing that will constitute the Blueprint. Brief notes appear under the various sections that describe the content that will be fleshed out in the Blueprint series. Those online posts will be periodically compiled into a single standalone Blueprint document.

Blueprint Overview

The major elements in the Blueprint are:

  Lessons Learned & Challenges: Do's and Don'ts that make or break a cyber partnership.
  Business View: The foundation for getting a partnership up and running.
  Operational View: The foundation for sustaining effective operations.
  Infrastructure View: Establishing an enabling IT infrastructure.

The Blueprint is augmented by examples of typical products (e.g., trust frameworks, non-disclosure agreements) that are needed to help form and sustain a cyber partnership.

Lessons Learned & Challenges

Lessons learned and challenges represent the Do's and Don'ts and potential pitfalls that will help guide a cyber partnership's successful development and operations. These pointers, and the rest of the Blueprint, are shaped by MITRE's experiences over the years as a member of several sharing consortia. The lessons learned and challenges will be articulated in one of the posts in the Blueprint for Cyber Threat Sharing series.

Business View

Overview

The business view explains why a business point of view is necessary; outlines a high-level perspective; and provides options for establishing and operating a cyber partnership.

Understanding the Landscape

This section outlines how each cyber security partnership should be set up to meet the specific needs of the region(s) or group it serves.
Understanding the Potential Players

Determining Industry Mix and Identifying Potential Participants
Identifying Potential Organizing and Operating Entities

Understanding Other Cybersecurity Players

Articulating Differentiators and Value Proposition

Developing an Approach for Reaching Out to Key Players

Developing an Initial Charter for the Cyber Partnership

  Establish Missions, Goals, and Objectives
  Define Principles and Values
  Develop Concept of Operations

Conducting the Pilot

A pilot can be used to jump-start cyber threat information sharing with a small group (3-7 organizations) of early adopters while more formal plans and operations are being developed. A pilot represents a proof-of-concept that allows participants to see for themselves the value of sharing information. It provides practical experiences that will inform the cyber partnership's full operational capability. The pilot informs, and is conducted in parallel with, Developing a Business Plan.

Recruiting Charter Members

  Initial Contact
  Recruiting Meetings

Developing and Executing Initial Participation Agreement

  Key Elements of the Participation Agreement
  Comments of Achieving Agreement

Establishing Platforms for Sharing

  Annual Event
  Cyber Technical Exchanges
  Executive Sessions
  Establish Portal
  Security Operations Center
  Incident Response
  Vulnerability Assessments
  Training
  Research and Development

Start Sharing

Transitioning to Operations

This section describes how to transition from the initial operational capability established during the pilot phase to full and sustained operations.

Developing a Business Plan

The business plan sets the direction for the cyber partnership going forward and also establishes processes and models that ensure that the partnership can exist as an efficient and financially sound entity. The business plan is developed based on what is learned from understanding the landscape and conducting the pilot. The business plan should be a living document that continues to change as the cyber partnership evolves.

Partnership Overview

Market Analysis

Sharing Activities and Tools

Operations

Organization

Finance

Think Ahead

This describes the elements to consider for long-term strategic operations.

Establish Timeline and Milestones

This describes a basic timeline and milestones for establishing an initial operational capability.

List of References

Operational View

Overview

The operational view builds on the lessons learned and products from the business view to more formally define the processes needed to sustain the operation and evolution of a consortium for cyber threat information sharing.

Establishing a Membership Model

This describes the characteristics, advantages, and challenges of different compositions of members in a consortium.

Types and Roles
  Sector
  Regional
  Cross-Domain
  Government
  Universities
  Industry
  Non-Profit

Eligibility

  Entry
  Vetting
  Approval
  Sanctions

Charter Members

Establishing a Trust Framework

This describes the functional requirements of a framework that facilitates developing trust among members so that sharing valued cyber threat information can occur.

Developing Non-Disclosure Agreement

Finding Trusted Intermediaries

Developing Member Trust

Establishing a Sharing Model

This describes the functional requirements for a model that facilitates the process of sharing cyber threat information.

Developing a Sharing Incentive Framework

Developing Rules of Behavior

Defining Organizational Interactions

This describes the functional requirements for several styles of organizational interactions among a sharing consortium's members and leadership. Interactions with external stakeholders are also addressed.

Face-to-Face

Virtual
Technical Exchanges

Executive Sessions

Developing a Communications and Outreach Plan

This describes the functional requirements for a communications plan to internally engage with consortium members and externally engage with stakeholders.

Defining Metrics

This describes the functional requirements for success measurements.

Establishing a Timeline and Milestones

This describes a basic timeline and milestones for maintaining operations.

Thinking Ahead

This describes the elements to consider for long-term strategic operations.

List of References

Infrastructure View

Overview

The infrastructure view leverages lessons learned and products from both the business and operational views to mature the technical products and IT infrastructure needed to sustain a sharing consortium's long-term operation and evolution.

Establishing a Model for Sharing Cyber Threat Information

This describes different types of models for sharing cyber threat information.

Hub-and-Spoke

Post-to-All

Federated

Hybrid

Defining What You Are Sharing

This describes the different types of threat information that are typically shared and how to represent that information in a structured manner suitable for both automated and cyber analyst ingestion.

Developing Requirements for Sharing Tools

This provides the functional requirements of a core set of software tools and capabilities that facilitate sharing.
Portal

Collaboration

Threat Repository

Establishing Norms for Representing Threat Information

This describes the role of cyber standards in sharing cyber threat information.

Providing Secure Architecture for Sharing

This describes the elements and functional requirements for the secure automated exchange of cyber threat information among the consortium members.

Thinking Ahead

This describes the elements to consider for long-term strategic operations.

Establishing a Timeline and Milestones

This describes a basic timeline and milestones for long-term strategic operations.

List of References