The shift to remote work punched holes in government networks. But it also fostered a transformation in public-private cooperation, one NSA official noted at LABScon.
The security headaches created by the COVID pandemic are well known. A massive shift from in-office to remote work in the early months of 2020 resulted in huge dislocations for IT and security groups, extending already porous network “perimeters” to hundreds or thousands of employee home offices and VPN connections.
Sophisticated cyber adversaries piled on, exploiting remote worker connections to gain a foothold inside corporate IT environments and wreak havoc. Case in point: the May 2021 compromise of Colonial Pipeline, which resulted in the shutdown of a pipeline that supplies petroleum products to the U.S. East Coast. That attack stemmed from a compromise of a “legacy virtual private network (VPN) profile” that was “not intended to be in use,” and was not protected with multi-factor authentication, Colonial Pipeline’s CEO told U.S. senators in testimony weeks after the attack became public.
Amid all the chaos and disruption, however, the COVID-19 pandemic may also have been sowing the seeds of a breakthrough in the long and mostly frustrated effort to foster cooperation between private sector firms, federal agencies and the U.S. intelligence community.
On cooperation: ‘The pandemic helped’
“The pandemic helped,” Morgan Adamski, Chief of the Cybersecurity Collaboration Center at the National Security Agency (NSA), told attendees at LABScon, a gathering of security researchers hosted by SentinelOne in Phoenix on Thursday.
As it did in so many other areas of public and private life, COVID swept away long-standing obstacles to change. In this case: the embrace of remote meeting technology that COVID necessitated meant that cooperation and information sharing between federal agencies, intelligence community members and private sector firms “no longer revolved around big (in-person) meetings in SCIFs where nobody could share the data,” said Adamski, referring to the hardened “sensitive compartmented information facilities” that the government uses to discuss sensitive information.
Instead, conversations shifted to virtual meetings with participants connecting from home. To make it work, federal agencies and the intelligence community de-emphasized “crown jewels” to focus on shareable and actionable data that could be used by private sector firms to improve incident response.
“Operational collaboration” had been missing from public-private sector information sharing, Adamski said. With COVID raging, however, the intelligence community “came to the table” with threat intelligence that had both context and actionable and unique information for private sector firms.
Behind a CISA Alert: A Cry For Help
A case in point for the new, improved partnership between private firms and the government was the March 2020 warning from CISA about “hackers’” efforts to compromise enterprise virtual private network (VPN) services to gain access to sensitive networks. Behind that seemingly innocuous warning was a flurry of communications and coordination between defense firms, the intelligence community, DHS and others over a spike in activity, much of it apparently originating in China, targeting defense industrial base (DIB) firms.
“They came to us and said ‘We’re seeing tons of activity. Help us.”
—Morgan Adamski
That triggered an immediate response: data on the attempted intrusions collected by the defense contractors was correlated against activity observed on the Department of Defense Information Network (DODIN), which matched it to activity targeting other parts of the DOD network and yielded yet more attack indicators. CISA found additional activity in a canvass of non-DOD infrastructure. The result was a detailed picture of how the PRC was targeting VPN infrastructure belonging to both private contractors and government agencies.
Adamski said that process has evolved over the past year, leading to an information sharing relationship that is more agile, free-flowing and actionable than what existed pre-pandemic.
“What doesn’t work is ‘one size fits all,’” Adamski told the attendees at LABScon, many of them cyber experts at leading private sector firms. “The NSA needs to come to you. We can’t force you into government constructs.”
There's much more work to do
Not that the federal government has solved the puzzle of how to partner with the private sector. Adamski noted that authority and capabilities are spread across the federal government, and bureaucracy is still the norm.
“I know it's frustrating. We’re trying to work through how to make it less burdensome on you.”
—Morgan Adamski
For their part, private sector firms need to be focused on understanding what they want to accomplish via information sharing and collaboration with the government. “If you’re looking to do real time operational sharing, you need to be tapping into real time operational agencies.”
The goal, she said, is to improve cooperation to the point that attacks are identified and mitigated before they can cause damage.