Companies that view cybersecurity as a competitive advantage and fail to exchange threat data make the broader private sector more vulnerable to hacking, a Department of Homeland Security official has warned.
“Cybersecurity, infrastructure security, is not a competitive advantage,” Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency, said Tuesday.
If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost,” Willke said at the Public Sector Innovation Summit. By citing reported communication failures elsewhere, DHS officials hope to spur U.S. companies to work more closely with each other to harden their networks against advanced threats. In doing so, the department is trying to overcome historical reluctance in the private sector — fueled by concerns over revealing sensitive corporate information — to share threat data.
Willke cited a December 2015 blackout in Ukraine caused by suspected Russian government hackers as a cautionary tale in information-hoarding.
Six months before the cyberattack, which left 225,000 people without power, a Ukrainian power company saw warning signs of the threat but failed to share that information with other companies in the sector, Willke said. The company gained no competitive advantage by keeping the information to itself, he said, but nonetheless kept quiet out of a lack of trust, or the absence of a mechanism for sharing that information. Asked by CyberScoop which company he was referring to, Willke declined to name the company, city agency policy.
“There could have been an easy benefit to share that information to help those other three companies [that were targeted in Ukraine] six months down the line,” Willke told the audience of corporate and government executives.
However, Robert M. Lee, an industrial cybersecurity expert who investigated the 2015 cyberattack in Ukraine, said that a phishing campaign that preceded the attack was well publicized and that better information sharing would not have thwarted the attack.
“There were a few different phishing campaigns that led up to the attack in December 2015,” Lee, CEO of cybersecurity company Dragos, told CyberScoop.
“In one of those campaigns, which led to access to the companies that were later attacked, the adversary was in their networks for roughly six months,” Lee added. “This was a public phishing campaign and some companies also saw it firsthand.”
Willke’s speech is the department’s latest appeal to the private sector in a long-running effort to break down barriers to collaborating on cyberdefense. A July summit that DHS hosted in New York City highlighted progress that officials have made in building closer ties with executives of critical infrastructure companies. At the same time, however, the department has struggled to get companies to contribute threat data to an automated channel for sharing information at “machine speed.” Only seven non-federal entities share data with the government through that program, a DHS spokesperson told CyberScoop Wednesday.
Nonetheless, department officials see new initiatives like the National Risk Management Center as prime opportunities to coordinate with the private sector. One goal of the center is to help give critical-infrastructure companies a clear picture of threats to their operating environments – something the Ukrainian power companies lacked in 2015. The center aims to turn greater awareness around cyberthreats in the private sector “into collective action,” as a department flyer puts it.
“We’re trying to position ourselves as your national risk adviser,” Willke said Tuesday, describing the center’s mission.