Ransomware attacks and cloud security are two of the most persistent cyber defense issues today, and much has been said about the need for expanded public-private partnerships to curb devastating attacks on the scale of the Kaseya, Microsoft Exchange and Colonial Pipeline incidents. The Cybersecurity and Infrastructure Security Agency (CISA) is taking a major step in that direction with a new initiative that calls for a direct partnership between related federal agencies and some of the biggest names in Silicon Valley.
Called the “Joint Cyber Defense Collaborative” (JCDC), the initiative seeks to bring big-name tech service providers and government cyber defense agencies together on response and remediation plans for serious incidents. While the effort is initially focusing on ransomware attacks and cloud security, there are plans to expand it into a broader national cyber defense strategy that incorporates these providers.
Silicon Valley recruited for an active cyber defense role
The initiative was announced in a pre-recorded keynote speech broadcast at the Black Hat USA conference held in Las Vegas last week. CISA and the Department of Homeland Security (DHS), among other agencies, are looking to actively partner with companies such as Google, Microsoft and Amazon Web Services on cyber defense measures. CISA director Jen Easterly described it as “bring(ing) people together in peacetime” to prepare for wartime. While those are the names most directly relevant to cloud security and best positioned to curtail ransomware attacks, the list of partners the agency has signed up is long: Verizon, AT&T, Palo Alto Networks, FireEye, CrowdStrike and Lumen among them.
The agency has yet to release much in the way of specific details about what the Joint Cyber Defense Collaborative will be doing, but did say that an initial project would be creating a framework for response to incidents that involve the major cloud services providers. Easterly said that the work the partnership would be engaging in is “reactive” but that there is an overall aim to create a more “proactive and coordinated” cyber defense strategy that incorporates key service providers.
The new initiative stems from research and brainstorming conducted by the Cyberspace Solarium Commission, a bipartisan federal body formed in 2019 to research defense against cyber attacks that could cause serious impact to the United States. The Commission issued a final report in March 2020 based on a series of 300 interviews and a set of “war games” exercises that included stress tests of government systems and a competitive high-level security event. The report made 80 recommendations, including reform of the overall government approach to cyber defense and collaboration with the private sector.
Representatives from about half a dozen federal agencies that play cyber defense roles will form the JCDC’s office, which will consult not only with tech firms but also with state and local governments and with information sharing and analysis organizations and centers (ISAOs and ISACs).
While any pairing of government agencies with private businesses that handle user personal information creates a natural element of concern, Kev Breen (Director of Cyber Threat Research, Immersive Labs) sees this effort as a major benefit: “Reports on APT and ransomware activity were once coveted pieces of information sold through expensive threat intel platforms. But this is changing: over the past year, large tech companies like Microsoft have been moving towards the high impact and timely release of free information … Tech giants sharing more information with one another is a very welcome approach. With the kind of data and insight these companies have at their fingertips, they can make a huge impact on the overall security of the organizations they protect … Playing devil’s advocate, there is a danger that the partnership could slow the public release of reports, depending on how many layers of approval or peer review they have to go through. However, I firmly believe that any information sharing that helps organizations to better mitigate, prevent, and respond to cyber attacks is certainly a positive step forward.”
Bassam Al-Khalidi, CEO of Axiad, agrees that this is likely a net benefit in terms of keeping personal information out of the hands of hackers: “A joint initiative to improve cloud security has never been more important … If a hacker gains access to your broader system through host jumping, it’s game over. As new initiatives like the Joint Cyber Defense Collaborative are introduced it’s important to look at dedicated virtual private cloud options to defend against this threat. Virtual private clouds offer the option to utilize the agility and usability of the cloud and store key material in an approved FIPS 140-2 Level 2 hardware security module. For government and defense organizations, this could be an essential step in improving their cloud security.”
Chris Hauk, consumer privacy champion for Pixel Privacy, addressed the other side of this argument: “I applaud the effort to improve our nation’s defense against cyberattacks by the bad actors of the world, be they independent or government-supported. However, I am wary of any alliance between the government and private tech companies. There will need to be strict information sharing rules put into place to guarantee that there will be no sharing of private data about US citizens between the tech firms and the government.”
Ransomware attacks, cloud security at forefront after recent incidents
During the keynote remarks, Easterly gave several real-world examples of recent public-private cooperation against large-scale attacks. One was the participation of identity security firm Trimarc in mapping out unfamiliar identity management systems that were a core piece of the SolarWinds intrusions. Another was analysis provided to the federal government by Carnegie Mellon’s CERT Coordination Center that was essential in patching the recent PrintNightmare vulnerability (CVE-2021-34527) in the Windows Print Spooler service, which ships with every Windows installation.
Ransomware attacks have been at the forefront of the news as of late, as cyber criminals have crossed into a new frontier of causing real world damage to supply chains and even critical infrastructure (illustrated by the attacks on Colonial Pipeline and meatpacker JBS). While these disruptions were relatively minor in the grand scheme of things, they spurred a flurry of government action to shore up a national cyber defense network that depends to a great degree on private companies that service and maintain infrastructure.
Malware and ransomware, most often delivered through a phishing email or instant message that gets a user to open an attachment or follow a link, remain among the most widespread cybersecurity problems and grew sharply during the pandemic period. Cloud misconfigurations are also a common and growing problem, driven in no small part by the rapid shift to work-from-home models that pushed organizations to adopt new cloud services quickly. Misconfigurations are usually accidental: a storage bucket or database left readable by anyone, an access policy written far too broadly, or a change or update that silently alters a setting the IT team is not tracking, so that data is left exposed to the world. One industry report estimated that breaches caused by cloud misconfigurations cost organizations nearly $5 trillion over the two years 2018 and 2019.
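The “data left exposed to the world” misconfiguration described above is usually a storage bucket whose policy or ACL grants access to an anonymous principal. The following is an added example, not code from the article or from CISA or any JCDC partner: an offline check that reads an S3-style bucket policy and bucket ACL in AWS’s documented JSON shapes and reports which statements or grants open the bucket to everyone. The sample documents, bucket name, role ARN and VPC endpoint ID are constructed for illustration and do not refer to any real account.

```python
"""Offline check for world-readable bucket policies and ACLs.

Added example for illustration; not code from the article or from any
JCDC partner. The policy and ACL documents below are constructed, and the
bucket name, account ID, role ARN and VPC endpoint ID are made up.
"""
import json

# Group URIs that AWS uses to mean "everyone" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_anonymous(principal) -> bool:
    """True if a policy Principal element means 'anyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements granted to an anonymous principal
    with no Condition block. A wildcard principal behind a Condition (for
    example aws:SourceVpce or aws:SourceIp) is not reported here, though it
    still deserves a manual look in a real review."""
    hits = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


# Constructed sample: a policy that serves the whole bucket to the world.
EXPOSED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "ListAll", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-backups"}
  ]
}
""")

# Constructed sample: the same bucket limited to one role, plus reads that
# must arrive through a specific VPC endpoint.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BackupRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "VpcEndpointRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}
""")

# Constructed sample: a bucket ACL that lets anyone list the bucket.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    print("exposed policy  :", public_statements(EXPOSED_POLICY))   # ['PublicRead', 'ListAll']
    print("hardened policy :", public_statements(HARDENED_POLICY))  # []
    print("exposed ACL     :", public_acl_grants(EXPOSED_ACL))      # [('AllUsers', 'READ')]
```

In a live account the same logic would run over policies and ACLs pulled from the provider’s API, and the finding is worth pairing with an account-level guardrail such as S3 Block Public Access, which refuses these grants before they take effect. The check deliberately treats a wildcard principal that is gated by a Condition as a separate, lower-severity case rather than as fully public.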