The federal government and industry earned positive reviews for their response to recent high-profile cyber attacks. But those incidents, including WannaCry and Petya, also highlighted the need for better coordination and information sharing between the government and the private sector, according to industry sources.
"Everyone is doing their best, but we can benefit from a more formalized, repeatable method of collaborating between government and the critical infrastructure community," said an industry source active in the cyber info-sharing community.
WannaCry and Petya were ransomware attacks that affected healthcare providers, utilities and banks, mostly overseas. Around the same time, news emerged of the CrashOverride malware that is apparently capable of bringing down electrical grids.
Another industry source noted: "The WannaCry, Petya and CrashOverride issues show that there are a number of competent actors in U.S. industry and government dealing with the malware, but we are still working hard — too hard — to bring disparate parties all together. Industry needs quality, contextual information in a timely way."
Congressional homeland security staff say the incidents show that information sharing and other cyber response structures put in place at the Department of Homeland Security and across government are working.
"The recent string of global cyber attacks reinforces the need for a strong cybersecurity posture," a House Homeland Security Committee aide said. "The difference in the domestic and international impact from the WannaCry attack illustrates the importance of coordination efforts between DHS, other federal partners and the private sector. We continue to work with our partners at the department to ensure that DHS is best equipped to respond to these evolving threats."
Part of that work includes legislation by House Homeland Security Chairman Michael McCaul, R-Texas, to elevate DHS's cybersecurity functions into a standalone agency. The bill could reach the floor in the relatively near future, probably after the first-ever DHS reauthorization legislation clears the chamber.
DHS is often criticized for being too slow and bureaucratic to respond to fast-moving cyber threats.
But a telecom sector source pointed out: "DHS has been effective in communicating information about recent attacks to the broad critical infrastructure community. They have also become more adept at engaging individual companies, like large [internet service providers], in timely discussions about observable activities across their networks and their customer base. The partnership continues to evolve along with the nature of the threats and we are beginning to see real progress in two-way information sharing."
Bill Wright of the security firm Symantec said of the WannaCry response, "Overall, we saw it as one of the best public-private collaborations on this type of event that we have been involved with.
"If there was a silver lining in the WannaCry outbreak, it's that we saw very effective collaboration between the government and private sector."
DHS's National Cybersecurity and Communications Integration Center, or NCCIC, "reacted quickly," Wright said, noting "they had us on the phone just as the outbreak was beginning, trying to get some ground truth in the early hours of the outbreak. The NCCIC set up an appropriate cadence with twice-daily calls to coordinate operational activities. We participated, as did more than a dozen security and IT companies."
This is the way the cyber response process is supposed to perform, Wright says.
"Companies shared 'Indicators of Compromise,' mitigation techniques, and information on threat vectors," he said. "In addition, the NCCIC distributed written analysis on the attack. We connected DHS researchers with our own experts for more in-depth sharing of technical notes."
But other key players in the cybersecurity realm say effective responses in cases such as WannaCry and Petya aren't causes for celebration. Instead, they are warnings that efforts to shore up the nation's cyber defenses must accelerate.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.