Building on the lessons learned from its response to the global WannaCry ransomware attack carried out by North Korea in May, the Department of Homeland Security (DHS) is examining sustainable ways to enhance how it works with the private sector to prevent, respond to, and recover from cyber security incidents.

The department is looking to potentially create formal mechanisms of collaboration with the private sector that go beyond the real-time sharing of cyber threat indicators, which is being done through the Automated Indicator Sharing (AIS) program, Jeanette Manfra, assistant secretary for Cybersecurity and Communications at DHS, told Defense Daily in a telephone interview on Dec. 21.

As the WannaCry virus was infecting hundreds of thousands of computer systems globally, DHS worked with its international and domestic partners to quickly and successfully minimize the impact of the ransomware attack in the U.S.

DHS Assistant secretary for the Office of Cyber Security and Communications. Photo: Department of Homeland Security.
DHS Assistant secretary for the Office of Cyber Security and Communications. Photo: Department of Homeland Security.

Manfra said that the AIS program is “foundational” and provides for the sharing of “known bad technical information with as many people as possible, and ideally everybody, automating the blocking of that malicious activity.” As AIS grows to include more organizations, “I believe we can really start to have that deterrence by denial affect in creating that better security.”

The models for public-private sector teamwork are meant to take the nation’s cyber security to new levels, and in part, help participants to get as early a read on potential incidents as possible.

“I think what we’re talking about is the space where we don’t know exactly what’s happening yet,” Manfra said. She added that, “So what I’m talking about is, when the government has information or awareness of, or pieces of a puzzle if you will, industry often has other pieces of that puzzle. So how do we bring our analysts together, whether it’s in response to an incident like WannaCry or is just improving our preparedness and understanding and overall risk analysis and kind of coming together and saying, ‘Okay we have some understanding of how this sector operates and we think this critical service or function could be disrupted through these means.’ Working with industry, ‘Is this accurate? Is this really how you all work?’”

DHS has done some of this type of collaboration with the private sector in recent years “but I really want to step it up,” she said.

The DHS response to WannaCry was the first time the “government was sharing malware samples with analysts in industry and we were going back and forth, ‘What are you seeing? What are we seeing?’” Manfra said, adding that this type of collaboration allows the government and private sector to work together to analyze the problem.

Last Tuesday, Manfra and Tom Bossert, President Donald Trump’s senior advisor for homeland security, at a White House media briefing pinned the blame on North Korea for WannaCry, saying that the incident demonstrated the need for greater cooperation with industry to deal with cyber security threats. Bossert said that the government wants industry to do more in terms of sharing information about these threats and to help the government better understand their vulnerabilities (Defense Daily, Dec. 19, 2017).

Manfra, in the interview, said this means she wants a “broader and deeper collaboration” with the private sector “around do we understand risk?” And does the government have the same understanding here as critical infrastructure entities do in terms of “understanding and managing risk?”

To help the government better understand the risks and vulnerabilities in private sector networks, Manfra said she wants to know if companies can share more information about how they work, and “Where they’re dependent upon data systems and how those critical services and functions could be disrupted so that could better inform what the government is looking for.”

Enhanced collaboration is a two-way street, Manfra said.

“Is there information, tactics, techniques and procedures, TTPs, that we can be providing or that will provide more context for how … adversaries might be targeting private sector networks,” she said.

Manfra is considering multiple potential models for sustaining enhanced collaboration with the private sector, noting that the groups or organizations that would come together wouldn’t be the same size as the AIS participants. The AIS program currently has more than 200 participating entities, including the public and private sector, with 275 signed up to participate. DHS wants these numbers to grow.

These cyber security collaborative groups could always exist, they could also be activated as needed, and they can also be ad hoc, Manfra said. Ultimately, the people that participate will have key capabilities within the various critical infrastructures, to include global partners, “where we’re doing this analysis jointly,” she said.

There are also industry specific organizations, including Information Sharing and Analysis Centers (ISACs) for different critical sectors and Information Sharing and Analysis Organizations, which provide groups that don’t fit in into a particular ISAC but have a need for cyber threat information, which can be activated for an incident, Manfra said. During WannaCry, which infected some hospital computer networks around the world, including Britain’s National Health System, DHS worked with the U.S. Department of Health and Human Services to “activate the healthcare public partnerships and start engaging with those entities and start to raise their awareness, which was very much incident specific,” she said.

There will need to be more industry buy-in to get to a higher level of cooperation with the private sector, Manfra said, but she pointed out that the mechanisms for this teamwork have been used before.

“It’s not so much completely new what I’m suggesting, it’s more ramping up the work that has been done,” she said.

The U.S. response during WannaCry was also aided by its international partnerships. Manfra said that going forward the U.S. government will continue to find ways to work more closely with its overseas partners, which includes better understanding the laws and authorities in each country, and multinational companies.