14 August 2023

The Future of Cybersecurity Depends on Public-Private Partnership – Will We Get it Right?

EMILIO IASIELLO

In 2020, the U.S. Cyber Command (CYBERCOM) established its private sector partnership program dubbed UNDER ADVISEMENT, the purpose of which is to engage industry organizations and share critical cyber threat information and intelligence that supports both CYBERCOM missions and the private sector’s cybersecurity priorities. According to CYBERCOM’s website, formal agreements are made with private sector stakeholders in an effort to establish trust, create dialogue, and perhaps most importantly, establish a two-way information exchange channel. CYBERCOM developed UNDER ADVISEMENT as a means to share cyber threat indicators of compromise (IOC) with the private sector during the 2018 mid-term elections and has since expanded. Since been in effect for the past three years, CYBERCOM cites program successes to include info sharing after incidents like SolarWinds and Colonial Pipeline to illustrate how unified responses across the sectors could greatly reduce the impact of major cyber events..

The program is seen as a mutually-beneficial arrangement wherein CYBERCOM provides actionable threat indicators to partners, while receiving industry data in return that it can use to enrich the command’s visibility – and by extension – its understanding of how threats target specific sectors. UNDER ADVISEMENT is similar to the National Security Agency’s Cybersecurity Collaboration Center and the Department of Homeland Security’s (DHS) Joint Cyber Defense Collaborative. Though specific metrics aren’t available quantifying and qualifying what UNDER ADVISEMENT success looks like, the program is looking to expand the team of military and civilian experts to two dozen, as well as double the number of public-private partnerships it has in 2023. As one U.S. senator acknowledged, UNDER ADVISEMENT, along with hunt-forward operations “augment homeland and network defenses while also exposing adversary tactics.”

When it comes to cybersecurity, advocates have consistently championed public-private partnership as necessary for improving resiliency of the two sectors. In 2013, DHS published a strategy promoting the importance of information sharing to collective cybersecurity. This makes sense given the interconnectivity and integration that exists between the two and the fact that in many cases both are targeted by the same types of threat actors if not the same actors themselves. However, even though on paper such a relationship should reap benefits for all parties involved, this clarion call has been repeated for more than a decade, indicating that historically there has been hesitancy to cooperate. One of the major impediments has been overclassification of threat intelligence collected by the U.S. government, which understandably has to walk a line between addressing the needs of the public to operational considerations that it wishes to protect for continued intelligence value.

Another issue has centered around trust. A partnership based on trust requires confidence in both parties being transparent with one another and providing the types of information that are valid, and therefore, useful in enhancing security procedures. When this does not occur, it immediately casts doubt on an already fragile relationship, calling into question the credibility of information shared. For example, the DHS and the Federal Bureau of Investigation disseminated a 2017 joint advisory that provided IOCs that proved to be faulty, as many of the listed IP addresses listed as malicious in the report turned out to link back to harmless domains.

Another criticism of this relationship is that information tended to go one way without the government reciprocating in kind or providing equal information in exchange. This stigma has been so well entrenched, that “information sharing” has become a throw-away expression, a meaningless phrase meant to be something more than what was actually happening. This term even received criticism for former director of the Cybersecurity and Infrastructure Security Agency who said he was “sick” of the term and its characterization as an end-all, be-all cybersecurity solution. Now it appears that government officials are seeking rebranding the practice as “operational collaboration,” a term that conveys voluntary interaction among equal parties. It also intimates a more active engagement than the passing of technical data back and forth as evidenced by the various hamlets of such exchanges such as InfraGard and Information Sharing and Analysis Centers, to name a couple.

While the government is worried about protecting its sources and methods, the private sector is concerned with protecting the information of its clients and customers. Notable incidents such as social media failing to safeguard customer data or these platforms collaborating with the government places this data at risk, or at least, potentially puts sensitive information in the hands of another party without providing such knowledge to the individuals involved. The U.S. government has not received favorable press recently with respect to its misuses and abuses of private data, a further fear that sharing data might fall victim to witting or unwitting malpractice. This certainly heightens concerns especially when government intelligence agencies are invited to be “trusted advisers.”

A productive and transparent public-private information-sharing collaborative is the backbone of achieving cyber resiliency, the goal for enhanced cybersecurity in today’s global cyber threat landscape. It is also the cornerstone of President Biden’s cybersecurity plans, which informed the United States’ National Cybersecurity Strategy and is being factored into the requirements of other cybersecurity initiatives that bolster critical infrastructure such as supply chain security and incident reporting, among others. Critical industries have the benefit of knowing that they are high-value intelligence targets for foreign actor cyber exploitation. It’s logical to get the government involved, especially those agencies with advanced capabilities to track and neutralize these threats. But such acts cannot come at the expense of taking liberties with cooperation and running the risk of overreaching its authorities. This is an area where the government needs to spend time in assuring private sector partners and may be the biggest challenge in taking the public-private sector relationship to the next level.

Still, challenges only become obstacles when lessons learned are not applied to them. Fortunately, there are signs that the government is making strides to improve this situation. Now advisories provide not only IOCs, but also relevant tactics, techniques, and procedures used by threat actors, as well as guidance to identify the threats and be better positioned to mitigate and respond to them. This is just one victory, but it does show how more information – not less or redacted information – directly impacts the defensive capabilities of industries at siege. The UNDER ADVISEMENT program has a real opportunity to continue to right the information-sharing ship if it is continued to be implemented in a constructive manner. Expansion of the program needs to be done responsibly where confidence is built through engagement with measurable milestones and periodic updates of what data was most helpful and how it was applied accordingly against hostile cyber activity. Because when it comes to information sharing, the government needs every industry and sector to convene around a table of equals, and by doing so, the country and its citizens will be the ones to benefit the most.

No comments: