Enterprises ask Washington to step up cyber collaboration
During CISA's National Cybersecurity Summit, critical infrastructure companies said they need better information on cyberthreats from the federal government.
As the U.S. government continues its push for collaboration between the public and private sectors on cyberthreats, it's clear there's more work to be done.
The White House Wednesday announced additional efforts to counter ransomware, which included a continued call on the private sector to modernize cyberdefenses, as well as a new initiative to extend collaboration outside the U.S. The National Security Council promoted an international counter-ransomware event with more than 30 partners to "accelerate cooperation on improving network resilience," according to a White House statement.
With the size and scope of growing threats, particularly ransomware, Ted Wagner, chief information security officer at SAP NS2, said an international gathering is imperative. That size and scope, he said, is not fully visible to most Americans and extends beyond the reach of U.S. law enforcement agencies. "International cooperation is critical to reducing this threat," Wagner told SearchSecurity.
The topic of collaboration was discussed further on Wednesday during the National Cybersecurity Summit hosted by the Cybersecurity and Infrastructure Security Agency (CISA).
An "Insights on Energy" panel highlighted the joint effort required to combat attacks against critical infrastructure, such as the one on the U.S. Colonial Pipeline earlier this year. Speakers included Bill Fehrman, president and CEO of Berkshire Hathaway Energy; Tom Fanning, CEO of Southern Company; and Puesh Kumar, acting principal deputy assistant secretary at the U.S. Department of Energy (DOE).
During the panel, Fanning described the millions of attempted attacks that companies like his and Berkshire Hathaway experience daily. Fehrman put the number of attempted attacks even higher, at hundreds of millions a day.
To make matters worse, Fanning said, the attack vector changes each day, and even every hour. His solution was to reimagine the relationship between the private sector and the government to get "real-time illumination of the cyberbattlefield." As CEO of one of the U.S.'s largest utility companies, he also pointed out that more than 85% of critical infrastructure in America is owned by the private sector, which he said is especially true in the electricity sector.
"We've had a great relationship with the DOE over the past, but I think for the future that alone is insufficient. We must join the intelligence community, our sector-specific agencies and the folks that will hold the bad guys accountable, be it the FBI, Secret Service, U.S. Cyber Command, you name it," Fanning said during the panel. "Together we must collaborate, not cooperate."
Fehrman cited adversary growth as the reason the private sector needs to collaborate with government partners in threat analysis. Specifically, he mentioned the growing threat of supply chain attacks that "expand the attack space for the adversaries."
"We have to better understand the context," he said. "I would say that government and industry can provide [that] to each other through collaboration and really leverage that to address supply chain issues and manufacturing challenges."
Kumar agreed that securing the supply chain and improving collaboration are priorities. "It's collaborating with the sector on a regular basis. It isn't just one-way information sharing -- it's bidirectional, regular collaboration."
According to Fehrman, the Department of Homeland Security's new Joint Cyber Defense Collaborative (JCDC) is just the beginning of that process. CISA, which introduced JCDC during Black Hat 2021 in August, said the aim of the organization is to foster better collaboration between businesses and the government to develop cyberdefense plans.
Fehrman said there is a tendency for the government to keep using the same approach, but with new initiatives like the JCDC, there is an opportunity to forge a new path.
Another issue for private and public sector collaboration is vulnerability disclosures. Lindsey Cerkovnik, industrial control systems (ICS) vulnerability disclosure lead at CISA, addressed concerns during the "BadAlloc: A Case Study in Pre-Disclosure Collaboration" session Wednesday. BadAlloc is what Microsoft dubbed its discovery of 25 memory allocation vulnerabilities that affected a wide range of technology, including consumer devices, medical IoT, industrial IoT, operational technology and ICSes.
In April, the White House launched the ICS initiative to bolster resilience against ransomware. The initiative is a voluntary, collaborative effort between the federal government and critical infrastructure community.
Cerkovnik said she worked with several different agencies and organizations during the vulnerability disclosure process and recognized they all had different levels of experience. As the number of multiparty disclosures increased rapidly over the years, she said, the government has learned to deal with them more efficiently.
"When you start getting into these really large coordinated efforts, it gets more complicated just naturally. That's kind of human nature; but in this sense, we're talking about a lot of different equities and authorities," Cerkovnik said during the session.
"The concept of coordinated vulnerability disclosure has been around for a really long time," she said. "CISA has been doing it for a lot of years, but that doesn't mean that it should be done the same way forever."
To improve CISA's approach, she suggested a way to prepare the organizations prior to delivering the information, which would make the partnership "more efficient." Having prerequisite knowledge of the vulnerability disclosure process was one example.
As collaboration efforts move forward and threats increase, both sectors are adapting. One successful action included in the White House's ransomware efforts was sanctions against virtual currency exchange Suex, which was accused of money laundering for cybercriminals such as ransomware operators. The private sector did its part as well; the investigation into Suex was aided by private companies such as Chainalysis, a blockchain analysis vendor.
Wagner said it's important for both sides to work together to sustain these efforts.
"Both public and private sectors have incentives to work together to bring about a meaningful response to this threat. It requires leaders to organize, coordinate, and commit to taking action," Wagner wrote in an email to SearchSecurity. "But without resolve and imperative, these kinds of responses will not be fully implemented, and the threat will remain."