In 2020, U.S. government organizations such as the Cybersecurity & Infrastructure Security Agency (CISA) were focused on preventing a cyber attack that would potentially affect the outcome of the election. CISA worked with state election leaders to ensure success in holding interference-free elections.
However, today’s cyber threat is shifting toward nation-state actors and their criminal proxies. Hostile nation-states have traditionally used their intelligence services to surreptitiously steal government information through traditional tradecraft (i.e., human and technical means). Yet in today’s digital world, nation-states are coupling their intelligence services with a growing offensive cyber capability to target not only government secrets but also corporate America’s intellectual crown jewels. Given the resources and technical sophistication hostile nation-states can employ, it is foolish to believe individual corporations can successfully confront this threat alone.
The 2014 North Korean hack of Sony Pictures was the highest-profile cyberattack against an American corporation at the time. Since that hack, there have been several high-profile intrusions against American companies, as well as municipalities and educational institutions.
While an attempted cyber-espionage intrusion against U.S. government agencies is expected, a concerted effort by hostile nations against corporate America is still outside of norms, yet it is a growing threat. With the trillions of dollars that pass through Wall Street server farms daily and the Industrial Control Systems (ICS) that command oil refinery operations, the private sector makes up a crucial part of the U.S. critical infrastructure, and the U.S. government recognizes that. According to the Department of Homeland Security, there are “16 critical infrastructure sectors whose assets, systems, and networks are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health, or any combination thereof”.
The stakes for inaction are becoming exceedingly high, as demonstrated by the SolarWinds, Microsoft Exchange, and now Colonial Pipeline attacks. As technology leaders, we must be vigilant in aligning our activities toward the following:
- Ensuring senior cybersecurity leaders are aware of the burgeoning nation-state threat.
- Providing opportunities for sharing and coordinating cyber-threat data.
- Promoting corporate cybersecurity leaders to be change agents within their companies to encourage cooperation with the federal government.
Information Sharing and Transparency
When I was a young Air Force lieutenant in the mid-1990s, I worked as an intelligence analyst for the Air Force’s Air Mobility Command (AMC), headquartered at Scott AFB, IL. There I supported the military’s airlift mission to bring humanitarian relief to war-torn places such as Bosnia, Kosovo, and the Democratic Republic of Congo. AMC at times utilized the Civil Reserve Air Fleet (CRAF), made up of commercial carriers, to augment its force. When these commercial carriers were assigned to fly to these dangerous locations, they were allowed to receive “tear-line” intelligence, which was very specific to the safety of the crew and flight. This same type of government information sharing and coordination is available to critical infrastructure companies. As mentioned previously, the U.S. government has identified these 16 critical infrastructure sectors.
Cybersecurity is a Team Sport
The Biden administration appears poised to go on the offensive and craft a national strategy to deter individuals and nation-state actors who conduct cyberattacks. According to Anne Neuberger, the Deputy National Security Adviser for Cyber and Emerging Technology, there will soon be an executive order to create a national-level entity to investigate large and sophisticated cyber hacks akin to how the National Transportation Safety Board investigates airline crashes.
However, this new cyber investigative entity will need the support and cooperation of the private sector. According to Neuberger, this executive order will eventually require companies that do business with the federal government to disclose cyber attacks promptly. I believe this level of cooperation is needed if we as a nation want to react in real time to prevent adversaries from gaining access to critical infrastructure.
Before the 2020 election, CISA developed a playbook to help the private sector and government effectively coordinate on cybersecurity issues. For Fortune 500 companies, a robust level of cooperation and information sharing with the Federal government already exists. The best example of this cooperation is the Domestic Security Alliance Council (DSAC) program. According to A Reference Guide for the Critical Infrastructure Community, the DSAC program “involves the Department of Homeland Security, the Federal Government, and U.S. Fortune 500 companies, and its intent is to strengthen national security and mitigate risk to the private sector. Through its members-only portal, DSAC disseminates timely, relevant, and actionable intelligence that helps protect the Nation’s critical infrastructure.”
The following is an excerpt from a CISA case study illustrating the engagement between private cybersecurity firms, industrial control firms, and Federal outreach and engagement stakeholders in response to two cyber threats. The complete case study can be found here.
This cyber use case addresses a pair of malware threats to industrial control systems (ICS) that were first identified in mid-2014 but began in early 2011. The first, called Havex, was brought to the attention of the National Cybersecurity and Communications Integration Center (NCCIC) by private sector cybersecurity firms. The second piece of malware, called BlackEnergy, was discovered by trusted third-party partners. Since both cyber threats had aspects that targeted the ICS systems of U.S. critical infrastructure, the DHS ICS Cyber Emergency Response Team (ICS-CERT), which is part of the NCCIC, took the lead in conducting coordinated outreach, mitigation, and response on behalf of the Federal Government.
The NCCIC and its component, ICS-CERT, worked in concert with the FBI to identify potential threat actors and to perform traditional incident response activities. An in-depth 47-page analytic report on Havex and BlackEnergy was created and distributed via For Official Use Only (FOUO) channels with a two-page summary for executives.
The NCCIC also conducted other threat information-sharing activities:
• Coordinated with affected vendors to identify software vulnerabilities and get them patched
• Developed a custom detection algorithm and distributed it on the public website
• Released a series of Unclassified//For Official Use Only (U//FOUO) level alerts to the critical infrastructure community through the ICS portal, the Homeland Security Information Network (HSIN) portal, while also working with intelligence and law enforcement to limit the amount of information that could be leveraged by adversaries
• Conducted an “Action Campaign” consisting of “Secret” briefings in 13 cities to over 1700 cleared stakeholders and coordinated outreach for the Campaign through Information Sharing and Analysis Centers (ISACs); Sector-Specific Agencies (SSAs); State, local, tribal, and territorial (SLTT) partners; DHS Office of Infrastructure Protection’s (IP) Protective Security Advisors (PSAs); fusion centers; and the FBI
• Conducted “Secret” level Secure Video Teleconference (SVTC) with fusion centers and FBI field offices
• Provided briefings at all normal ICS-CERT outreach activities (weekly, monthly, quarterly, ad-hoc) at “Unclassified” and “Secret”
CRITICAL INFRASTRUCTURE THREAT INFORMATION SHARING FRAMEWORK 47
• Worked with the Intelligence Community (IC) to better understand and describe the threat.
Many Fortune 500 companies have dedicated cybersecurity teams with deep cyber and intelligence experience. Some individuals retain government security clearances, making their contribution valuable to government partners. For non-Fortune 500 companies, there are a number of information sharing and coordination programs to participate in. I’ll discuss three of them here.
Information Sharing and Analysis Centers (ISACs)
ISACs are National Information Sharing Hubs that are sector-specific, private, and trusted. “ISACs collect, analyze, and disseminate timely and actionable threat information to their members, to other sectors, and to government entities,” according to the Department of Homeland Security.
ISACs save members time and effort by serving as a clearinghouse for government and private information, helping members identify risks, prepare for emergencies, and secure sector-specific critical infrastructure.
To connect with other companies concerned about cybersecurity and security in general, visit the ISACs website: www.nationalisacs.org
Information Sharing and Analysis Organizations (ISAOs)
The Department of Homeland Security defines ISAOs as a “broader category of private information-sharing organizations, which include ISACs. Some organizations do not fit neatly within established sectors or have unique needs. Those organizations that cannot join an ISAC but have a need for threat information could benefit from membership in an ISAO (e.g., places of worship)”. Overall, ISAOs can serve as a clearinghouse for government and private threat information that helps members identify risks, prepare for emergencies, and secure critical infrastructure.
The third entity I want to discuss for sharing and collaboration is InfraGard, a public-private partnership between the FBI and over 40,000 vetted members of the private sector, representing all 16 critical infrastructure sectors. It is an association of members with subject-matter experts who represent businesses, academic institutions, and government at all levels, as well as other participants dedicated to providing multidirectional sharing of information, intelligence, strategy, and expertise to prevent hostile acts against the U.S. There are over 80 InfraGard chapters nationwide. InfraGard members have access to:
- InfraGard’s Secure Web Portal, iGuardian
- The FBI’s cyber incident reporting tool designed specifically for the private sector
- Real-time FBI and DHS threat advisories, intelligence bulletins, and analytical reports
To inquire about InfraGard, visit their Secure Web Portal: www.infragard.org.
These three collaborative and information-sharing programs are just a few of the structured sharing programs available to corporate America and other organizations. However, none of these can be effective unless the private sector gets involved and becomes more transparent by sharing cyber intrusion data. In addition, these programs provide a confidential mechanism for sharing sensitive information. With many companies unwilling to share information about breaches, cybersecurity leaders need to use their platform in the C-Suite and board meetings to champion these programs.
In my time as a military intelligence officer, I was a member of several Threat Working Groups, which involved multiple disciplines and functions that provided the larger group with diverse perspectives. Our collaborative efforts always produced a more thorough product and a more refined course-of-action recommendation. This diversity of perspective will only enhance the security of corporate America and, in turn, America’s critical infrastructure.
My suggestions are by no means a panacea, but I firmly believe a viable path to securing America’s critical infrastructure begins with increased sharing and coordination.