Operational Collaboration

Operational collaboration is a cyber resilience framework that leverages public-private partnerships to reduce the risk of cyber threats and the impact of cyberattacks on United States cyberspace. This operational collaboration framework for cyber is similar to the Federal Emergency Management Agency (FEMA) National Preparedness System, which is used to coordinate responses to natural disasters, terrorism, and chemical and biological events in the physical world. [1]

Operational collaboration is one of the six pillars of recommendations put forward by the United States Cyberspace Solarium Commission (CSC) for a strategy of layered cyber deterrence. The CSC was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences." [2] Significant work on the development of an Operational Collaboration Framework has also been done by the Aspen Cybersecurity Group, a cross-sector public-private forum composed of government officials, industry-leading experts, and academic and civil leaders organized by the Aspen Institute. [3]

In the US, cyber defense under President Biden has increasingly taken an operational collaboration approach, following a number of large-scale cyberattacks on US federal agencies and businesses, including the SolarWinds and Microsoft Exchange hacks. Homeland Security Secretary Alejandro Mayorkas, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, National Cyber Director Chris Inglis and other officials met with executives from 13 companies, including Google, networking vendor Juniper Networks and security firm Mandiant. Mayorkas stated at that time: "This is about taking a spirit of partnership and moving into actual operational collaboration." [4]

Recent operational collaboration initiatives under the Biden administration include CISA's new Joint Cyber Defense Collaborative, [5] a forum for cooperative cyber defense planning with companies at the heart of operating and securing the internet's infrastructure. [6]

They also include the National Security Agency's Cybersecurity Collaboration Center, [7] a platform stood up in the summer of 2021 for public-private cyber threat intelligence sharing on adversaries targeting the National Security System [8] (NSS), the Department of Defense [9] (DoD) and the Defense Industrial Base [10] (DIB). [11]

Overview

Security weaknesses in the computer networks that run critical infrastructure sectors—banking, energy, healthcare, telecommunications, shipping, and more—allow sophisticated actors to attack and disrupt essential elements of society. [12] Many of these sectors depend on the others to function. These interdependencies create a systemic cyber risk where a large-scale attack on one sector could trigger a cascading failure in other key sectors, potentially resulting in significant destabilizing effects on public health, public safety, economic security or national security. [13] Because this systemic cyber risk is shared across public and private entities, an operational collaboration framework is needed to coordinate action between government and industry to secure cyberspace. [2]

Operational collaboration builds on past progress with information sharing to plan and execute public-private actions to create a strategic deterrent and defend US cyberspace.

History

The concept of operational collaboration originated in the financial services sector with the establishment of the Financial Systemic Analysis & Resilience Center (FSARC) in 2016. The FSARC is a subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC). [14] It was established to deepen public-private collaboration between U.S. financial institutions and government agencies to improve the resilience of the critical functions that underpin the financial sector. [15] [16]

The FSARC was initiated by eight large U.S. banks: Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo. It facilitates operational collaboration between financial institutions and U.S. government partners in the FBI, the Department of Homeland Security, and the Department of the Treasury. [17] Together, they conduct analysis of critical financial sector systems and jointly monitor and warn against threats to those systems. [18] JPMorgan's Greg Rattray was the main driver of the operational collaboration concept, and he served as the FSARC's Co-President alongside Bank of America's Siobhan MacDermott when the center was first established. [17] [19]

Mission Areas

Operational collaboration should occur in five mission areas: Protect, Mitigate, Prevent, Respond and Recover. This mirrors the National Preparedness System established under Homeland Security Presidential Directive-8, which is used to coordinate responses to natural disasters, terrorism, and chemical emergencies in the physical world. [20] As the linkage between the cyber and physical realms increases, using similar organizing constructs for both environments would make coordination between the two realms more seamless.

Protect and Mitigate

Relevant actors collaborate to raise the level of cybersecurity across the digital ecosystem and to mitigate the potential impact of cyber threats. Key activities include risk management to identify critical systems and lower risk appropriately, addressing vulnerabilities, developing and sharing information and intelligence on emerging threats, developing a deep understanding of threats and the ability to warn of attacks, implementing cybersecurity best practices, conducting research on interdependencies, establishing contingency plans, and conducting exercises.

Prevent

Relevant actors synchronize actions to disrupt the activities of malicious cyber actors prior to and outside of a response to a specific incident. Key activities include exposing malicious cyber campaigns publicly, botnet take-downs, law enforcement actions against companies, economic sanctions, and other cyber and non-cyber government countermeasures against malicious cyber actors. Private sector actors operate only on their own networks; government actors may conduct offensive cyber operations on other networks to prevent and deter attacks, when appropriate.

Respond and Recover

Relevant actors respond to and/or recover from an incident that is either ongoing or has already occurred. Progress has been made in this mission area, including improved information sharing to ensure that adversary tactics, techniques, and procedures (TTPs) have a limited effective lifespan, and the development of plans and policies such as the National Cyber Strategy, Presidential Policy Directive 41 and the National Cyber Incident Response Plan. [21] Key activities include rapidly identifying the incident's underlying cause, sharing and implementing effective defensive measures to contain or prevent further damage, and synchronizing specific response actions, such as dropping packets or re-routing traffic.

Examples

The Trickbot takedown before the 2020 presidential election.

The response to SolarWinds by FireEye/Mandiant and federal cyber defenders in early 2020.

The REvil ransomware takedown.

References

  1. "An Operational Collaboration Framework for Cybersecurity". The Aspen Institute Cybersecurity Group. November 2018.
  2. "Cyberspace Solarium Commission Final Report". United States Cyberspace Solarium Commission. March 2020.
  3. "3 Urgent Areas of Action to Address National Cybersecurity Risks". Security Intelligence. January 9, 2019.
  4. "Biden's cyber leaders go to Silicon Valley for more help fighting hackers". POLITICO.
  5. "JCDC | Cisa".
  6. Burgess, Christopher (August 24, 2021). "CISA's Joint Cyber Defense Collaborative: Why it just might work". CSO Online.
  7. "National Security Agency/Central Security Service > About > Cybersecurity Collaboration Center".
  8. "national security system (NSS) - Glossary | CSRC". csrc.nist.gov.
  9. "U.S. Department of Defense". U.S. Department of Defense.
  10. "Defense Industrial Base Sector | CISA". www.cisa.gov.
  11. "National Security Agency/Central Security Service > About > Cybersecurity Collaboration Center". www.nsa.gov.
  12. "Despite Ongoing Warnings, U.S. Critical Infrastructure Remains Vulnerable". Taylor Armerding. Forbes. April 4, 2019.
  13. "Understanding Systemic Cyber Risk" (White Paper). The World Economic Forum. October 2016.
  14. "Subsidiaries". FS-ISAC.
  15. "The future of financial stability and cyber risk". The Brookings Institution. October 10, 2018.
  16. "Financial Systemic Analysis & Resilience Center". US Treasuries Initiative, Treasury Market Practices Group. October 23, 2018.
  17. "New Financial System Analysis & Resilience Center Formed". Dark Reading. October 24, 2016.
  18. "Operational Resilience White Paper". Financial Services Sector Coordinating Council. April 8, 2019.
  19. "FS-ISAC Announces The Formation Of The Financial Systemic Analysis & Resilience Center (FSARC)". PR Newswire. October 24, 2016.
  20. "PPD-8: National Preparedness System Description Announced | Homeland Security". www.dhs.gov.
  21. "The National Cyber Incident Response Plan (NCIRP) | CISA". www.cisa.gov.
  22. "Secretive NSA opens doors to new "collaboration center" as cyberthreats mount". www.cbsnews.com.