The Cybersecurity and Infrastructure Security Agency, the federal government’s cybersecurity threat advisor, and the FBI, its cyber enforcement agency, are improving lines of communication between government and industry and making it harder for hackers to do their jobs.
FBI Director Christopher Wray, speaking Wednesday at CISA’s National Cybersecurity Summit, announced a new bureau strategy for countering cyber threats.
“We’ve been fighting the cyber threat for years now, and it’s all too often been a game of whack-a-mole,” Wray said. “We investigate one major hack only to uncover another one. We disrupt one nation-state adversary targeting our infrastructure and our intellectual property and another one lights up, and some days, it seems like a never-ending battle.”
The FBI’s strategy, Wray said, focused on “making it harder and more painful” for hackers and criminals to operate by building up partnerships across the cybersecurity community both in and out of government.
“Our adversaries rely on gaps in our community. They like it when we’re not sharing information, when one player doesn’t trust the other. They long for the days when we had walls between our national security and criminal investigations, and dramatic clashes between foreign and domestic authorities,” he said.
The FBI leads the National Cyber Investigative Joint Task Force, which has created hubs where the public and private sectors can build long-term relationships around cyber threat information sharing. The task force counts more than 30 intelligence and law enforcement agencies as members.
But beyond those members, Wray said the task force has invited senior executives from other agencies to lead new threat-focused mission centers, and that the group coordinates multi-agency campaigns to combat the most significant cyber threats and adversaries.
To build trusted relationships with critical industries, Wray said the bureau has made its operational and analytical capabilities a “core element” of what it offers task force members.
“I’m sure you can appreciate there are times when we can’t share as much as we’d like to, but we’re working to get better and smarter about that, and by we, I mean all of us in the intelligence community. We might not be able to tell you precisely how we knew you were in trouble, but we can usually find a way to tell you what you need to know to prepare for or stop an attack,” Wray said.
Meanwhile, FBI agents working out of field offices have made it a priority to build relationships with companies and universities in their areas before a major cyber incident occurs.
Building these lines of communication, Wray said, allows companies to better understand how the FBI and its partner agencies can help in an emergency, and allows the bureau to share sensitive threat information with businesses.
“We may come to a victim company knowing one IP address used to attack them but not another. If they tell us about the second one, not only can we do more to help them, we may be able to stop the next attack too. And we’re committed to giving you feedback on what you share with us – this is a two-way street,” he said.
The FBI has also partnered with the National Defense Cyber Alliance (NDCA), a non-profit organization where the bureau shares real-time intelligence with vetted defense contractors.
CISA, meanwhile, has built up its partnerships both inside and out of government, giving the agency insight into the security posture of critical services and the ability to identify emerging trends in cyber threats.
CISA reduces ‘low-hanging fruit’ for cyber threats
Boyden Rohner, CISA’s associate director of vulnerability management, said that civilian agencies take an average of 15 days to patch critical vulnerabilities and about 30 days for high-risk threats.
Across the civilian agencies, CISA collects more than 7 terabytes of data a day and monitors 3 million endpoints and 100 malware submissions on a daily basis.
Over the course of the 2020 Census, CISA also stood up a task force that met regularly with Census Bureau officials and enrolled them in the agency’s services, which helped Census prioritize assessments and provided monitoring on high-value assets and systems.
Private-sector owners of critical infrastructure, however, have generally taken longer to patch and mitigate vulnerabilities.
Rohner said a third of critical infrastructure operates a potentially risky service exposed to the internet, and more than half has a vulnerability that has a known exploit available.
During the coronavirus pandemic, CISA has seen the greatest increase in new partnerships come from the health care and public health sectors. The agency has also designated Operation Warp Speed as a national critical infrastructure and has played a leading role in securing operations.
CISA has also worked with partners to accelerate the removal of more than 7,000 spoofed domains associated with COVID-19 that were used in phishing campaigns.
Through its partnerships with industry, CISA has seen an overall reduction in active exploitable vulnerabilities.
“Since vulnerabilities with active exploits are the low-hanging fruit for the adversary, knocking these ones out first is an important prioritization step,” Rohner said. “These kinds of vulnerabilities are the ones that the least experienced adversaries can use. So reducing those takes an entire category of threat actor off the table.”