The Biden administration seeks ways to better gather and share security intelligence from the private sector, but experts see barriers to success.

As the federal government grapples with Russia's and China's widespread and damaging hacks, the Biden administration is seeking new methods for earlier detection of these sophisticated intrusions. Both the SolarWinds espionage campaign attributed to Russian operatives and the exploitation of the Microsoft Exchange server vulnerabilities attributed to China were uncovered by private firms: cybersecurity giant FireEye and Microsoft, respectively.
Both attacks were staged from servers within the US, placing them out of reach of the National Security Agency's (NSA's) powerful detection capabilities, which US law restricts to foreign targets. The new cybersecurity leadership in the Biden White House is brainstorming ways to establish early warning systems that combine traditional intelligence agency methods with private sector expertise. On March 17 the White House announced the formation of a task force it calls the Unified Coordination Group, consisting of federal and private sector representatives charged with finding a “whole of government” response to the Microsoft Exchange attack.
Reportedly chief among the new approaches is establishing deeper information-sharing arrangements with the private sector. The concept is a real-time threat-sharing mechanism in which data from companies is sent to a central repository and paired with intelligence gathered by the NSA and other intelligence agencies, so that organizations receive more immediate threat warnings.
The notion of private sector organizations sharing threat and vulnerability information with the federal government has been visited and revisited for at least the past ten years. One bill, the Cybersecurity Information Sharing Act of 2015 (CISA), was passed to make information sharing easier. Among other things, that law gives companies certain liability protections and privileges as a means of motivating them to share sensitive information with the Department of Homeland Security and the Department of Justice.
During a Senate hearing on both the SolarWinds and Microsoft Exchange hacks, witnesses (including the CEOs of Microsoft, FireEye and CrowdStrike) and some senators called for even greater transparency and information sharing on significant cybersecurity threats. However, experts say that information-sharing efforts following the 2015 Act have sputtered and never really caught fire, for at least four main reasons.
Companies fear reputational or financial damage
“I’ve seen the Information Sharing Act and the different ISACs [information sharing and analysis centers] all over the place,” Casey Ellis, founder, chairman, and CTO of vulnerability disclosure company Bugcrowd tells CSO. “They got off to a slow start where the companies being attacked don’t necessarily want to hang their dirty laundry out in front of the competition. The security vendors often treat their information as proprietary. These are two very practical business limitations to how successful [information sharing] can be.”
Ron Bushar, senior vice president and CTO for FireEye’s Government Solutions, agrees with Ellis that corporate fear of damage to their reputations and finances inhibits companies from fully embracing information sharing. “There’s a risk side of this for corporate America, which is liability,” he tells CSO. “There are a lot of organizations, especially outside of the cyber vendor community, who are very averse to sharing any information because if they’ve had a breach or they suspect they’ve had a breach, then it becomes a material issue for the company.”
One factor limiting information sharing is that so far, it’s been voluntary. “There’s been a lot of information sharing. I’ll call it infrastructure in place for cyber for a number of years through [the Cybersecurity and Infrastructure Security Agency, also known as CISA],” Bushar says. “The challenge with that information sharing model is it’s voluntary, and it relies on the private sector entities to determine what’s valuable information and what they should share with the government.”
The government doesn’t share information back or process complex data well
Because the federal government rarely shares information back, private sector companies don’t have much of a feedback loop, Bushar says. “A lot of corporate folks tend to say, ‘Well, we share it. We provide a lot of information, but we don’t know what happens to it. We don’t know if it’s good or bad or indifferent or useful or not. And we don’t get anything.’”
Yet another factor that could hamper information sharing is the government’s inability to process the information it receives. The government has to “be able to piece the intelligence together in a way that allows them to make accurate assessments. They have to have context,” Bushar says. “They have to know which sectors are being hit, what the adversary in that particular campaign seems to be interested in, either data collection or destruction. Companies might be willing to share, ‘here’s a piece of malware we found, or here’s an IP address, but we’re not telling you how many accounts were compromised and what data was taken.’ There are blind spots there.”
Ellis agrees that the government might not be able to cope with all the data even if companies gladly send it. “I think it’s becoming more practical, but it’s still difficult. I think the government’s ability to consume what the different industries are up to will be challenged by the fact that the government likes things to be done in a certain way.”
Information sharing may not improve the speed of threat response
Even if the government could ingest and properly analyze mounds of complex information, it’s unlikely it could do so fast enough that organizations could contain threats like SolarWinds or the Microsoft Exchange vulnerabilities more quickly than they do today. “FireEye released indicators of compromise like TTPs [tactics, techniques and procedures] that were observed. All that information got dropped out onto the internet pretty quickly within a matter of a couple of days,” Ellis says.
FireEye’s Bushar says the “question is not just about what gets shared, but how fast it gets shared. Again, there are a lot of disincentives to rapid sharing because there’s a lot of analysis beforehand. What the impacts might be and the who, what, where, when, and how of it. Once you get legal and financial regulation, regulatory pieces involved, it slows everything down.”
Noted security veteran and former NSA hacker Dave Aitel minces no words when sizing up the need for or effectiveness of information sharing as a means to develop a better early warning system. “No sane legal advisor would allow sharing of the nature that would help the US government find these sorts of hackers better. Network-based surveillance, itself troublesome, would probably not have discovered these two attacks any earlier,” he tells CSO.
Companies fear their data might not be secure
Finally, fears over the lack of data security are also a crucial consideration in the decision to share information with the government. “A good example is the whole thing with the [Microsoft Exchange] ProxyLogon exploits,” Ellis says.
“There’s a lot of conversation going around about the degree to which those exploits have leaked from the different people involved in the security research and the different recipients. It’s not entirely clear what happened yet other than the fact that they were being exploited before they should have been, which suggests people knew about it who shouldn’t have.”