A Call to Action for Technologists: Policy Makers Need Your Voices Too!

MITRE Engage
Apr 2, 2024

By Dylan Hoffmann and Maretta Morovitz

MITRE recently submitted a response to the DoD Request for Information (RFI) on the Cyber Maturity Model Certification (CMMC) 2.0, a proposed update to the DoD’s information security requirements for DoD partners and contractors. CMMC 2.0 includes 24 security requirements and applicable ODPs selected from NIST SP 800-172 to represent CMMC Level 3 requirements. Among the 800-172 requirements not included in CMMC 2.0 is SC L3-3.13.3.e: Employ techniques to confuse and mislead adversaries.

Based on more than 10 years of research and operational experience, MITRE and MITRE Engage recommend including this requirement. We believe this omission leaves effective, low-hanging fruit out of the security requirements that will be applied to all Defense Industrial Base (DIB) partners. This recommendation is based on our observation that adversary engagement (the combination of cyber denial and deception with strategic planning and analysis) and unpredictability are crucial to addressing advanced threats. Adversary engagement, informed by threat intelligence, enables:

1) More rapid detection of threat activities (and prevention where possible) so that resources can be deployed and safeguards put in place

2) Minimization of the effects of threat activities on critical operations

3) More effective recovery efforts, because they can focus on threat targets and on resources adversaries seek to infiltrate or corrupt

4) Evolution of systems and practices to be better aligned to changes in the threat landscape

5) Lowering the value while increasing the costs of malicious operations.

If you’re reading this blog post, you’re likely already aware of, and interested in, cyber deception and adversary engagement, but that puts you in the minority of cyber security experts and practitioners. On the Engage team we believe that the policy space needs the participation of technologists.

Policy guidance and requirement documents such as CMMC and NIST 800-172 are important to encouraging broader adoption of adversary engagement practices, especially among small and medium-sized businesses, which deception for detection can most benefit but which might not otherwise be aware of their options for adversary engagement, if they know it exists at all.

This kind of feedback and engagement with policy-creating entities such as the DoD and NIST is important for bringing to the fore techniques, approaches and technology they might not otherwise consider.

The list below summarizes some of the major areas where we would love to see our community engaging (yes, lame pun intended!) with policy makers to help this technology area grow and mature.

Regulatory Compliance: Policy frameworks often dictate the boundaries within which technologies operate. Understanding and adhering to these regulations ensures legal compliance and mitigates risks associated with non-compliance. By involving technologists in developing these frameworks we can ensure that the boundaries effectively mitigate risk without unnecessarily constraining the technology.

Ethical Considerations: Policies provide guidelines for ethical use of technologies. Deception is often mistakenly confused with disinformation. Involving technologists who understand the technology’s true intent ensures that ethical concerns aren’t misattributed.

Risk Management: Policy involvement helps in identifying and mitigating risks associated with deploying less mature technologies. In the case of adversary engagement, this is very important due to the operational nature of this technology. Thinking about operational security (OPSEC), operational risk, etc. is not something we need to consider with most defensive technologies. Therefore, it is essential that organizations understand the risks and set clear gating criteria before integrating this technology into their defensive strategy. Implementing policies that assist organizations in establishing baseline standards for understanding risks and safely using the technology significantly contributes to ensuring operational safety. This approach also alleviates the burden of smaller organizations having to independently develop risk management policies.

Standardization: Involvement in cyber policy discussions facilitates the establishment of industry standards and best practices for adversary engagement. Standardization promotes interoperability, consistency, and overall effectiveness of adversary engagement technologies. At the same time, the community wants to ensure diversity of deployment to avoid creating easily identifiable deceptions. By involving technically minded cyber security professionals in these conversations we can ensure that we carefully walk the line of elevating the community without watering down the technology.

Stakeholder Collaboration: Policy discussions often involve various stakeholders, including government agencies, industry experts, and academia. Engaging with these stakeholders fosters collaboration, knowledge sharing, and collective efforts to address challenges associated with less mature technologies.

In essence, being involved in cyber policy ensures that emerging technologies like adversary engagement are deployed responsibly and effectively within the broader cybersecurity ecosystem.

©2024 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited PR_23–02179–7
