If you work in cybersecurity, whether for a large company, a small business, a critical infrastructure provider or a state and local government, chances are you’ve seen at least one joint alert from government agencies lately warning you about the latest campaign or tactic that malicious hackers have been using to great success.
If it feels like you’re seeing more and more of these alerts recently, you’re not imagining things. At the Aspen Cyber Summit in Colorado Wednesday, NSA Cybersecurity Director Rob Joyce said the cadence of such warnings has increased substantially over the past few years, usually in the form of a joint alert from the NSA, FBI and the Cybersecurity and Infrastructure Security Agency.
The latest missive, a detailed, technical information sheet on hardening remote access for VPNs, is just one of a long line of collaborations the agencies have done around high-impact or critical cybersecurity issues that impact a broad swath of industry or technology. Like previous topics, it was an effort to take an uncertain, poorly understood or contentious subject, cut through the noise and present a unified stance on what businesses, consumers and others can do about it.
“We looked at it and said there’s so much online, there’s so much effort to be safe online and what we wanted were the criteria for how you do that,” said Joyce, later adding “We thought between the deep technical expertise and what we saw in foreign space from folks exploiting [VPNs], it was good advice the government could give out there.”
These kinds of focused warnings are usually directed towards specific sectors of industry or critical infrastructure when private sector threat intelligence and non-public or classified government intelligence indicate active and ongoing exploitation from nation-states or ransomware actors. The goal is to be technical, but also concise and useful, avoiding the impulse to boil the ocean.
“We can write 50 pages easily, it’s when you get things down to a consumable, action-oriented outcome — that’s much harder,” he said.
This kind of collaboration has gone hand in hand with growing recognition from many of those agencies over the years that while they often have exquisite insight into the latest threats facing the broader cybersecurity ecosystem, they often have only limited or indirect power to influence that ecosystem. They don’t make or regulate the hardware and software produced by the private sector, and lack any meaningful forcing mechanisms to push the public away from a vulnerable or problematic piece of technology.
Earlier in the day, CISA Director Jen Easterly summed up this reality, paraphrasing a piece of advice given to her by former DHS Deputy Secretary Jane Lute about why agencies like CISA have to rely so much on partnership and persuasion.
“In national security, counterterrorism, intelligence, the federal government has a monopoly. In homeland security and cybersecurity, the federal government is just a co-equal partner with the private sector and with state and local, and so it’s all about collaboration and partnership,” she said.
For years, the Pentagon has touted its strategy of “persistent engagement” as a way to ensure that adversaries like Russia and China face constant friction and pushback against their operations in cyberspace in order to prevent them from taking, as Joyce put it, endless, unchallenged “shots on goal” against U.S. targets. This is usually described in terms of offensive operations against state-backed hacking groups, but Joyce said these joint efforts by CISA, NSA and FBI represent the defensive, flip side of that same coin by shining a spotlight on their most successful tactics and malware, forcing them to burn or switch out command and control infrastructure and reducing the overall attack surface of victims to target.
“Yes, defense is really important. But you also have to work to disrupt … and when [people] hear ‘persistent engagement,’ ‘continuous engagement,’ those kinds of terms, they think offensive cyber,” said Joyce. “But I would say that the releases we’ve done jointly with CISA and FBI about the end-day vulnerabilities that those teams like to use, that knocks them back just as much and is just as important.”