For years, the federal government has touted greater information sharing between government and industry as a key pillar in the strategy to protect businesses and keep essential services and infrastructure running in the face of an onslaught of new and evolving threats in cyberspace.
But somewhere along the way the term became something of a punchline, an empty phrase that tended to mean more of the same overly broad, ineffective, one-way flow of telemetry or indicators of compromise to companies that often had little idea how to make use of it. More and more, government officials are ditching the phrase and opting for terms that imply there’s something deeper going on these days in the partnership between industry and government.
“I really hate the word ‘information sharing.’ I’d actually rather use something like ‘operational coordination’ or ‘collaboration,’ because ‘information sharing,’ to me, is very transactional and antiquated,” said Morgan Adamski, director of the National Security Agency’s Cybersecurity Collaboration Center, during a virtual event Monday hosted by ICS cybersecurity firm Dragos.
She doesn’t think the phrase adequately captures the positive feedback loop that happens from ongoing conversation between companies and agencies like the NSA.
“To be honest with you, one of the things that we found when we started to engage in this timely, relevant manner with our infrastructure owners is that they had insights that we had never thought about before, and what it started to do was to really actually shift in gear the way that NSA thought about the information that it wanted to share with people,” Adamski said.
Traditionally, information sharing has involved the static flow of telemetry, indicators of compromise and other data points to businesses with little in the way of context, actionable intelligence or consideration for resource constraints. This definition really constitutes the “least mature way that you can coordinate,” said Mark Bristow, branch chief of cyber defense coordination at the Cybersecurity and Infrastructure Security Agency (CISA).
Those kinds of static indicators have become less useful over the years as threat actors have gotten better at covering their tracks and evolved their tactics, techniques and procedures, while the cybersecurity community is increasingly coalescing around the concept of tracking commonalities in the behavior of different hacking groups as a way to spot malicious activity on victim networks.
“We need to mature that paradigm as a community and move away from…what I call the atomic observables space, where IP addresses and domains and…hashes [are emphasized] and really move more into understanding adversarial tactics and kill chains so that we can start to look for what the adversary might do,” Bristow said.
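To make Bristow’s point concrete, here is an added example (not code from the article, and not from Dragos, the NSA or CISA) that runs an atomic-indicator match and a behavior-based rule over a few constructed endpoint events; the hostnames, indicator values, event fields and the kill-chain rule are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed atomic indicators, as a defender would receive them in a feed.
IOC_IPS = {"203.0.113.10"}
IOC_HASHES = {"aaaa1111"}

# Constructed sample events: one intrusion on hmi-01 using the indicated
# infrastructure, and the same tradecraft on hmi-02 after the actor rotated
# its IP address and rebuilt its payload (new hash). Times are in seconds.
EVENTS = [
    {"t": 100, "host": "hmi-01", "type": "process", "parent": "winword.exe",
     "image": "powershell.exe", "hash": "aaaa1111"},
    {"t": 105, "host": "hmi-01", "type": "netconn", "dst": "203.0.113.10"},
    {"t": 130, "host": "hmi-01", "type": "schtask", "name": "Updater"},
    {"t": 900, "host": "hmi-02", "type": "process", "parent": "excel.exe",
     "image": "cmd.exe", "hash": "bbbb2222"},
    {"t": 903, "host": "hmi-02", "type": "netconn", "dst": "198.51.100.7"},
    {"t": 940, "host": "hmi-02", "type": "schtask", "name": "Updater"},
    {"t": 950, "host": "eng-05", "type": "netconn", "dst": "198.51.100.7"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def ioc_matches(events):
    """Hosts flagged by exact matches against the atomic indicator list."""
    return {e["host"] for e in events
            if e.get("dst") in IOC_IPS or e.get("hash") in IOC_HASHES}

def behavior_matches(events, window=300):
    """Hosts flagged by a TTP-level rule: an Office app spawning a scripting
    host, followed within `window` seconds on the same host by an outbound
    connection and then a scheduled-task persistence event."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_host[e["host"]].append(e)
    flagged = set()
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if not (e["type"] == "process" and e.get("parent") in OFFICE_APPS
                    and e.get("image") in SCRIPT_HOSTS):
                continue
            later = [x for x in evs[i + 1:] if x["t"] - e["t"] <= window]
            stages = [x["type"] for x in later]
            if "netconn" in stages and "schtask" in stages[stages.index("netconn"):]:
                flagged.add(host)
    return flagged

if __name__ == "__main__":
    print("IoC matches:     ", sorted(ioc_matches(EVENTS)))       # ['hmi-01']
    print("Behavior matches:", sorted(behavior_matches(EVENTS)))  # ['hmi-01', 'hmi-02']
```

The indicator list catches only the first host; once the actor rotates its IP and rebuilds its payload the atomic match goes silent, while the behavioral rule still fires on the second host because the sequence of actions did not change.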
The comments came as Dragos announced that it would be adding the NSA and CISA as “trusted advisers” to the Neighborhood Keeper program, a free, anonymous data sharing network for electric sector entities that relies on high-fidelity network sensors providing real-time, continuous monitoring of threats to operational technology and ICS environments.
“Through this public-private partnership, Dragos’s Neighborhood Keeper will be used by the NSA and CISA under Trusted Advisor roles, enabling their analysts to gain visibility into ICS/OT cyber threats facing the industrial infrastructure community,” the company said in a press release Monday. “As Trusted Advisors, government analysts will have the ability to view anonymized, aggregate information about threat analytics, vulnerabilities, and Indicators of compromise as they are detected. They can then share relevant threat intelligence back to members in Neighborhood Keeper in real time, thus enabling the greater infrastructure community to collectively defend itself against cyber adversaries.”
"Information sharing" a loaded phrase for government and industry
The desire to ditch the phrase "information sharing" is a common sentiment from government and industry. In 2019 former CISA Director Chris Krebs said he was "sick" of the term and the way it has been characterized as a panacea for the country's cyber ills.
"It's not '[and] we have to get beyond information sharing' — we have to work together to understand what our respective advantages are, protect the American people, our networks and counter the adversary. We don't do it by sharing [Indicators of Compromise]."
Apart from the desire for a rebrand, there are indications across the federal government that the shift is more than rhetoric. New cybersecurity “nerve centers” designed to put representatives from government and industry in the same room to work on shared problems have popped up at CISA, the NSA, the Department of Energy and other agencies. Agencies like the NSA have also said they’ve worked over the years to synthesize the signals intelligence they collect around emerging cybersecurity threats or campaigns into insights at the unclassified level, where they can be shared and acted upon by individual organizations.
Kate Marks, deputy assistant secretary at the Department of Energy’s Office of Cybersecurity, Energy and Emergency Response, said the agency is currently working on four lines of effort around the electricity sector that sprang from President Joe Biden’s national security memorandum on boosting industrial control system security last year. The push revolves around encouraging companies to adopt technologies and systems that give utilities “greater visibility into the networks that really control system operations and help to improve” collective detection, mitigation and response capabilities.
The office, known as CESER, is working with companies to encourage adoption and installation of new network sensor technologies and to develop financial incentives. It is also looking to establish an energy threat analysis center to share threat information across industry and government. Officials are working on a “common lexicon” for data sharing and a platform that can process data across different sensors and technologies and allow for the development of behavior analytics. Finally, the agency wants to have programs in place to support smaller or less resourced companies on where and how to place the sensors.
It’s one example of the way federal officials are working to rebrand “information sharing” — a term that has gradually morphed into a punchline as defenders have complained about the lack of timely or actionable intelligence around cybersecurity threats — to something deeper, an “operational collaboration” between the government and private sector.
While success with this model is often described in broad (and sometimes vague) terms, both public and private sector cybersecurity experts have pointed to potential near misses with damaging vulnerabilities.
The muted impact in the wake of the Log4j vulnerabilities, which have been mostly exploited by coinminers thus far, has been partly attributed by CISA to “unprecedented” levels of collaboration and the greater muscle memory that has now developed between the federal interagency and industry, where stakeholders worked together to patch the most critical parts of the nation’s attack surface and to prioritize essential industries and high-risk organizations for outreach and support. The tail of Log4j and its ultimate impact may yet be long, but officials have made the case that it could have been significantly worse with a more chaotic or disorganized response.
Federal officials are attempting to hammer home the message around government and industry collaboration at the same time that agencies are releasing heightened warnings to the public about the prospects of war between Russia and Ukraine, and potential spillover in the cyber arena.
Last week, in an alert titled “Shields Up,” CISA warned that virtually all organizations across every industry and sector are vulnerable to hacks that can disrupt critical services, highlighting how these kinds of attacks have historically been a staple of the Russian government’s foreign policy in times of crisis. CISA Director Jen Easterly reiterated that this remains a credible, but still hypothetical, possibility that IT security teams should keep in mind when updating their threat models.
“While there are no specific credible threats to the US homeland at this time, we are mindful of the potential for Russia to consider escalating its destabilizing actions in ways that may affect our critical infrastructure, to include cascading impacts as we saw [with] NotPetya,” Easterly wrote Feb. 12 on Twitter.
It also comes as the U.S., U.K. and Australian governments issued a joint advisory last week warning that ransomware groups with a nebulous relationship to the Russian government have increasingly targeted nearly every major critical infrastructure sector in their countries, from energy and healthcare to local governments, schools, technology companies and the food supply.