The US intelligence community holds unique information about foreign nation cyberattackers, which is not available to private companies trying to defend themselves. We propose adopting recent secure enclave technology to apply classified intelligence in non-classified settings, while maintaining intelligence secrecy. We suggest the development of a classified threat sensor that US companies can run in enclaves without leaking classified intelligence or private security data.
We call this design CANAREE for Classified Analysis of Network Attacks in a Restricted Execution Environment.
Foreign nation-state cyberattacks against US-based companies create a national security risk and result in the loss of competitive intellectual property. The US intelligence community holds classified information that could help detect nation-state attacks. However, that intelligence cannot be shared without risking sources and methods. Private security data held by industry, which might not be accessible due to regulatory or public perception issues, could in turn aid intelligence agencies in identifying broader attack campaigns.
Today, the time needed to declassify information and share it through existing channels may have reduced the intelligence's relevance by the time a company can act on it. Recent developments in secure enclave technology may empower companies and governments to act rapidly on classified intelligence without requiring declassification.
Secure enclaves are an off-the-shelf technology that provides a safe space to run audited software and process secret data on someone else's computer. We propose using secure enclaves to operate classified threat sensors that run on a private company's servers. These threat sensors would be able to scan a company's local security data for signs of cyberattack or classified vulnerabilities without revealing the indicators for which the sensor was searching.
Classified threat sensors solve the information sharing challenge without declassifying intelligence or exposing private data to governments. They may be built from off-the-shelf technology using existing open source tools. These sensors could speed detection and attribution of cyberattacks by foreign powers. Sensors can also act as an early-warning system to discover broader campaigns, without exposing private company data to the government.
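As an added illustration of the sensor property described above (not code from the CANAREE proposal or any of the projects it names), the following Python model treats one class as the enclave boundary: the indicator set and its sealing key live only inside it, the host sees nothing but keyed digests and the sensor's verdict, and the scanned log lines never leave the host. The indicators, log lines and key are constructed sample values.

```python
"""Toy model of a classified threat sensor with a simulated enclave boundary."""
import hashlib
import hmac
import re
from typing import Iterable

# Constructed sample data, not real intelligence or real logs.
SAMPLE_INDICATORS = {"evil-c2.example", "d41d8cd98f00b204e9800998ecf8427e"}
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z dns host=ws12 qname=updates.vendor.example",
    "2024-05-01T10:00:03Z dns host=ws12 qname=evil-c2.example",
    "2024-05-01T10:00:09Z proxy host=ws07 md5=d41d8cd98f00b204e9800998ecf8427e",
]


class ClassifiedSensor:
    """Everything inside this class stands in for enclave-resident state.

    In a real deployment the key and indicator set would be provisioned into
    an attested enclave; here the boundary is only a Python object (assumption).
    """

    def __init__(self, sealing_key: bytes, indicators: Iterable[str]):
        self._key = sealing_key
        # Indicators are stored only as keyed digests, so a host that dumps
        # sealed storage cannot read or brute-force them without the key.
        self._sealed = {self._digest(i) for i in indicators}

    def _digest(self, value: str) -> str:
        return hmac.new(self._key, value.lower().encode(), hashlib.sha256).hexdigest()

    def sealed_view(self) -> set:
        """What the host can observe of the indicator set: opaque digests only."""
        return set(self._sealed)

    def scan(self, log_lines: Iterable[str]) -> dict:
        """Match local logs against the sealed indicators inside the boundary.

        Output policy: the verdict says which lines matched, never which token,
        so the company can act without learning the classified indicator.
        """
        flagged = []
        for n, line in enumerate(log_lines, 1):
            tokens = re.split(r"[\s,=]+", line.strip())
            if any(self._digest(t) in self._sealed for t in tokens):
                flagged.append(n)
        return {"scanned": n, "hits": len(flagged), "flagged_lines": flagged}


if __name__ == "__main__":
    sensor = ClassifiedSensor(b"constructed-sealing-key", SAMPLE_INDICATORS)
    print(sensor.scan(SAMPLE_LOGS))  # hits on lines 2 and 3 only
```

Changing the sealing key changes every digest, so the sensor operator can re-provision indicators without the host being able to correlate old and new sealed sets.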
We suggest a phased trial between the National Security Agency (NSA), the Department of Homeland Security (DHS), and private industry partners. Secure enclave data sharing technology is already funded through the DHS IMPACT program's Galois FIDES Project. The NSA also proposed a very similar design in a paper, "Using Classified Intelligence to Defend Unclassified Networks". This technology can be migrated to an open source project, then run in parallel trial deployments for both industry-to-industry and government-to-government sharing between the NSA and DHS. Once the approach is proven in trials, a government-to-industry sharing program could be deployed between DHS and industry partners. See the CANAREE Operational Plan for more details.
The first phase of the rollout plan, an open source prototype, could be developed by student researchers using existing open source projects, such as Intel's Linux SGX SDK, Intel's remote attestation examples, Baidu's Rust SGX SDK, Microsoft OpenEnclave, Red Hat Enarx, or TaLoS TLS termination. Both Microsoft EnclaveDB and Haven may provide design insight.
This work could be conducted by 2 graduate or undergraduate students for 1 semester and overseen by a 1/4 time Principal Investigator (PI). We estimate that $150K would cover the student costs, PI, equipment, conference travel, and indirect university overhead. See the CANAREE Open Source Grant Proposal for more details.