Inside Cybersecurity

July 2, 2022


Bolstered info-sharing seen as a key to ransomware policy, but roles still to be determined

By Charlie Mitchell / October 19, 2021

The head of the influential Center for Internet Security is urging a central role for “ISACs” in the battle against ransomware, saying bodies like the Multi-State Information Sharing and Analysis Center led by CIS have the technical capability and the “trust factor” needed to create a more robust sharing environment between states and the private sector on one side and the federal government on the other.

“We need to accelerate information sharing, we have the capability within the MS-ISAC and we’re focusing on sharing with other ISACs,” CIS president and CEO John Gilligan said in an expansive interview with Inside Cybersecurity, referring to the type of cross-sector collaboration that cyber leaders in government and industry say is essential. “This is something the federal government doesn’t like to hear but many entities are not quite on board with sharing with the feds.”

Despite extensive efforts by federal officials to assure partners that shared threat intelligence will not be used against them in regulatory or other contexts, there continues to be a “trust factor” that inhibits some entities from sharing with the U.S. government, according to Gilligan. And, he said, recipients tend to trust threat information shared by ISACs more than information from other sources.

The establishment of the Joint Cyber Defense Collaborative at the Cybersecurity and Infrastructure Security Agency and the urgency around creating effective responses to ransomware create “an opportunity to move forward” on improving info-sharing, Gilligan said.

“Do it through the ISACs,” he said. “It would be easier to share between the JCDC and the ISACs.”

Gilligan noted that the MS-ISAC and the elections ISAC receive federal funding and that other ISACs should be similarly supported by the federal government.

Overall, Gilligan said, there is currently a “positive environment between” the federal government and partners in industry and at the state/local level. “We have new and capable leaders in the administration and the president is interested” in the issue, Gilligan said. “But we need to get behind the headlines and look at how we make this work. We are in position to make rapid progress.”

One source from a critical infrastructure sector observed that “ISACs are great but have their limitations.” This source pointed to the presidential National Infrastructure Advisory Council’s call for standing up a “Critical Infrastructure Command Center,” which the source said “aligns” with a Cyberspace Solarium Commission recommendation included in the House version of the fiscal 2022 National Defense Authorization Act.

“Ultimately we need more unity of effort as noted by the NIAC,” the industry source said.

The fiscal 2021 NDAA directed the creation of the JCDC and the current House version of the annual defense policy bill would “add a collaborative environment” that removes barriers to sharing and promotes things like “analyst-to-analyst” engagement, according to Mark Montgomery of the Solarium Commission and the Foundation for Defense of Democracies.

“Efforts within [CISA] to stand up the Joint Cyber Defense Collaborative aim to better coordinate cyber defense planning in advance of and in response to cyberattacks, but the lack of shared knowledge of the threat landscape will hinder its effectiveness. There is pending legislation in the House NDAA that can help solve this,” Montgomery said last week.

At the same time, some policy veterans are raising concern that partnership and collaboration may be taking a backseat to regulation as policymakers move to respond to ransomware.

“At the [White House-led ransomware] summit, there was lots of good talk about partnership but, domestically, policymakers are sounding a lot more punitive and regulatory, which could threaten collaboration by undermining trust and turning companies toward a ‘compliance mindset,’” said Wiley Rein partner Megan Brown.

“As for the NDAA,” Brown said, “I continue to think that cyber policy affecting the private sector (incident reporting requirements, new mandates, ransomware regulation) should not be thrown in the NDAA, but should be subject to better legislative process, hearings, and broader stakeholder input. Some legislation is thoughtful and has been adjusted in response to concerns raised, but many Solarium Commission recommendations need more attention and consideration. They should also consider de-conflicting several workstreams underway in the government, such as on supply chain security and information sharing to the private sector.” -- Charlie Mitchell (cmitchell@iwpnews.com)