Can a Public-Private Cyber Partnership Work?

In 2020, the US Cyber Command (CYBERCOM) established its private sector partnership program named UNDER ADVISEMENT (who thought up this name?), the purpose of which is to engage industry organizations and share critical cyber threat information and intelligence that supports both CYBERCOM missions and the private sector’s cybersecurity priorities.  According to CYBERCOM’s website https://www.cybercom.mil, formal agreements are made with private sector stakeholders to establish trust, create dialogue and establish a two-way information exchange channel.  CYBERCOM developed UNDER ADVISEMENT to share cyber threat Indicators of Compromise (IOCs) with the private sector during the 2018 mid-term elections and has since expanded it.  Having been in effect for the past three years, CYBERCOM cites program successes, including information sharing after incidents like SolarWinds and Colonial Pipeline, to illustrate how unified responses across the sectors could greatly reduce the impact of major cyber events.[1]

See:  https://redskyalliance.org/redshorts2020/solarwinds-fireeye-u-s-government

See:  https://redskyalliance.org/oillandgas/colonial-pipeline-company-hit  

The program is seen as a mutually-beneficial arrangement wherein CYBERCOM provides actionable threat indicators to partners while receiving industry data in return that it can use to enrich the command’s visibility and, by extension, its understanding of how threats target specific sectors.  UNDER ADVISEMENT is similar to the National Security Agency’s Cybersecurity Collaboration Center and the Department of Homeland Security’s (DHS) Joint Cyber Defense Collaborative.  Though specific metrics are not available quantifying and qualifying what UNDER ADVISEMENT success looks like, the program is looking to expand the team of military and civilian experts to two dozen and double the number of public-private partnerships it has in 2023.  As one US senator acknowledged, UNDER ADVISEMENT, along with hunt-forward operations, “augment homeland and network defenses while also exposing adversary tactics.”

Regarding cybersecurity, advocates have consistently championed public-private partnerships as necessary for improving the resiliency of the two sectors.  In 2013, DHS published a strategy promoting the importance of information sharing to collective cybersecurity.  This makes sense given the interconnectivity and integration between the two and the fact that, in many cases, both are targeted by the same types of threat actors, if not the same actors themselves.  Even though, on paper, such a relationship should reap benefits for all parties involved, this clarion call has been repeated for more than a decade, indicating that historically there has been hesitancy to cooperate.  One of the major impediments has been the over-classification of threat intelligence collected by the US government, which understandably has to walk a line between addressing the needs of the public and the operational considerations that it wishes to protect for continued intelligence value.

Another issue has centered on trust.  A partnership based on trust requires confidence in both parties being transparent with one another and providing the types of information that are valid and useful in enhancing security procedures.  When this does not occur, it immediately casts doubt on an already fragile relationship, calling into question the credibility of the information shared.  For example, the DHS and the Federal Bureau of Investigation disseminated a 2017 joint advisory that provided IOCs that proved to be faulty, as many of the IP addresses listed as malicious in the report turned out to link back to harmless domains.

It is also difficult to “trust” a government entity when it has the authority to fine organizations and to disclose cyber events in ways that could help hackers learn which attacks are the most effective.

See:  https://redskyalliance.org/xindustry/4-days-cyber-reporting

Another criticism of this relationship is that information tended to go one way without the government reciprocating or providing equal information.  This stigma has been so entrenched that “information sharing” has become a throw-away expression, a meaningless phrase meant to be something more than what was actually happening.  The term even drew criticism from the former director of the Cybersecurity and Infrastructure Security Agency (CISA), who said he was “sick” of it and of its characterization as an end-all, be-all cybersecurity solution.  Government officials seek to rebrand the practice as “Operational Collaboration,” a term conveying voluntary interaction among equal parties.  It also intimates a more active engagement than the passing of technical data back and forth, as evidenced by the various hamlets of such exchanges, such as InfraGard and the Information Sharing and Analysis Centers, to name a couple.

While the government is worried about protecting its sources and methods, the private sector is concerned with protecting the information of its clients and customers.  Notable incidents, such as social media platforms failing to safeguard customer data or collaborating with the government, place this data at risk, or at least potentially put sensitive information in the hands of another party without the knowledge of the individuals involved.  The US government has not received favorable press recently concerning its misuse and abuse of private data, fueling a further fear that shared data might fall victim to witting or unwitting malpractice.  This heightens concerns, especially when government intelligence agencies are invited to be “Trusted Advisers.”

A productive and transparent public-private information-sharing collaborative is the backbone of achieving cyber resiliency, the goal for enhanced cybersecurity in today’s global cyber threat landscape.  It is also the cornerstone of President Biden’s cybersecurity plans, which informed the United States National Cybersecurity Strategy and is being factored into the requirements of other cybersecurity initiatives that bolster critical infrastructure, such as supply chain security and incident reporting, among others.  Critical industries benefit from knowing they are high-value intelligence targets for foreign actor cyber exploitation.  It is logical to get the government involved, especially those agencies with advanced capabilities to track and neutralize these threats.  But such acts cannot come at the expense of taking liberties with cooperation and running the risk of overreaching its authorities.  This is an area where the government needs to spend time in assuring private sector partners and may be the biggest challenge in taking the public-private sector relationship to the next level.

Challenges only become obstacles when lessons learned are not applied to them.  Fortunately, there are signs that the government is making strides to improve this situation.  Advisories now provide IOCs and the relevant tactics, techniques, and procedures used by threat actors.  They also provide guidance to identify the threats and to be better positioned to mitigate and respond to them.  This is just one victory, but it does show how more information, not less or redacted information, directly improves the defensive capabilities of industries under siege.  The UNDER ADVISEMENT program has a real opportunity to continue to right the information-sharing ship if it continues to be implemented constructively.  Expansion of the program needs to be done responsibly, where confidence is built through engagement with measurable milestones and periodic updates on what data was most helpful and how it was applied against hostile cyber activity.  Because when it comes to information sharing, the government needs every industry and sector to convene around a table of equals, and by doing so, the country and its citizens will be the ones to benefit the most.

What would be better for all parties involved would be to avoid a cyber breach in the first place.  Users of Red Sky Alliance’s RedXray targeted cyber threat notification service https://www.redskyalliance.com/redxray can be notified daily of any cyber threats that have not yet breached the target’s network.  This threat file will be loaded into the target’s Security Information and Event Management (SIEM) and blocked/blacklisted from future attacks.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941


[1] https://www.oodaloop.com/archive/2023/08/10/the-future-of-cybersecurity-depends-on-public-private-partnership-will-we-get-it-right/
