For the past year, a group of tech and cybersecurity companies has been quietly pooling their intelligence about new software bugs and hacking campaigns.
The goal of the program, organized by the nonprofit Cyber Threat Alliance, is to get fixes to all the companies’ customers before the hackers know they’ve been spotted. It's sort of like everyone in a neighborhood locking their doors at once.
And because the group contains industry giants such as Cisco, Symantec, McAfee and Palo Alto Networks, it's a very big neighborhood — and can give cover to a huge swath of global businesses.
“Our members are big enough that they cover a big chunk of real estate,” Neil Jenkins, a former Department of Homeland Security cybersecurity official who is leading the initiative for CTA, told me. “When we do this at the same time, it makes it much harder for bad actors.”
The effort, which CTA calls “early sharing,” comes as top cybersecurity officials are looking for ways industry and government can cooperate to punish government-linked hacking groups in Russia, China, Iran and North Korea that are behind many of the most damaging campaigns.
By denying those hacking groups as much access as possible, CTA can help government by making it much costlier for the groups to restart operations, its president Michael Daniel told me.
“From my perspective, the U.S. government won’t be able to tackle this without the cybersecurity companies,” said Daniel, who was White House cybersecurity coordinator during the Obama administration. “Together we can raise the cost on the adversary much more … than if the government does something by itself.”
To make this work, these security companies are setting aside business concerns about competition in favor of helping improve the threat landscape. It reflects a general conclusion in recent years that companies are better off sharing big picture information about threat intelligence rather than competing for small advantages.
The program is an offshoot of CTA's main mission to share much more basic digital threat indicators among top cybersecurity companies. The effort also comes amid an industry-wide push to fight back against the ravages of cybercrime, which cost consumers about $600 billion in 2017, according to a report by McAfee.
Although Jenkins was hesitant to quantify how much CTA members’ cooperation had averted in financial damage, he said the group has delivered early warnings to millions of organizations and helped decrease the spread of some major hacking campaigns.
The early sharing program launched last year when Cisco shared information with other members about a powerful strain of malicious software it had discovered called VPNFilter. The company believed Russian hackers might use the malware to shut off the Internet for at least 500,000 people on Ukraine’s Constitution Day.
Cisco was also sharing information about the malware with the FBI, and on May 23 — one year ago today — three things happened simultaneously:
- The FBI seized infected Web domains it suspected the Russian hackers would exploit.
- Cisco published its findings in a blog post.
- And all CTA members sent simultaneous urgent notices to their customers describing how to protect against the Russian attack.
Cisco's biggest concern about going public with what it knew was that the Russian hacking group might decide to activate the destructive component of its malware — potentially shutting off vital internet-dependent services for hundreds of thousands of people across the globe, Matt Olney, manager of threat detection and interdiction in Cisco’s Talos threat intelligence division, told me.
“We were able to use CTA as a means to get some of the world’s largest security vendors to come together and have protections in place to minimize the possible negative outcomes,” he said.
The FBI declined an interview request for this story.
Since the VPNFilter alert, CTA has shared advance warnings about approximately a dozen hacking groups linked to nation-states and numerous other criminal hacking campaigns, Jenkins told me.
For example, Symantec shared early information about a China-linked group that allegedly stole and repurposed hacking tools the National Security Agency used against it. The company also shared early data about another group based in Iran that compromised government agencies throughout the Middle East.
The group has also met to strategize about hacking threats exposed by other organizations, Jenkins told me — including a new form of ransomware that locked up networks at the Norwegian aluminum maker Norsk Hydro in March, causing $40 million in damage, and a bug Microsoft revealed last week that could be as destructive as the $4 billion WannaCry attack launched by North Korea.
“It’s good to have a unified place to share this information with trusted parties who are well placed to deliver unified protection very quickly to a large portion of the Internet,” Olney said. “And it’s more consequential for threat actors. It’s more likely their actions will be disrupted.”
PINGED: Huawei’s woes continued Wednesday as two British telecom companies, Vodafone and a unit of BT Group, “said they would suspend plans to include Huawei telephones in their upcoming high-speed 5G networks,” my colleagues Jeanne Whalen and Griff Witte reported.
The news comes after the U.S. Commerce Department effectively barred U.S. companies from supplying the Chinese telecom giant with software and components.
The U.S. government has also barred Huawei from building its next-generation 5G wireless networks over concerns about Chinese spying and urged European allies to do the same — with mixed success.
Huawei has fiercely denied sharing customer information with the Chinese government.
“We value our close relations with our partners, but recognize the pressure some of them are under, as a result of politically motivated decisions,” the company said in a statement Wednesday. “We are confident this regrettable situation can be resolved and our priority remains to continue to deliver world-class technology and products to our customers around the world.”
PATCHED: Florida Gov. Ron DeSantis (R) is launching a statewide review of election systems’ cybersecurity after learning voter records in two counties were breached by Russian hackers before the 2016 election, the Miami Herald’s Jim Saunders reports. The directive came in a letter to Secretary of State Laurel Lee.
The FBI didn’t inform state-level officials about the breaches when they occurred, so DeSantis — and the rest of the nation — first learned about them from the redacted version of the report from special counsel Robert S. Mueller III. Members of Florida’s congressional delegation, who were incensed by the delay, are considering legislation to require the FBI to notify state officials and members of Congress about election interference.
“The letter Wednesday and a news release quoting DeSantis and Lee do not explain how the security review will be conducted or what it will entail,” Saunders reported. “The release said the state has funneled millions of dollars in recent years into improving election security, including distributing $14.5 million in federal grants to supervisors of elections in 2018.”
PWNED: The credit ratings agency Moody’s slashed its ratings outlook of Equifax’s creditworthiness Wednesday — the first time the company has lowered a ratings outlook because of cybersecurity concerns, CNBC’s Kate Fazzini reported.
“Moody’s lowered Equifax’s outlook from stable to negative,” Fazzini reported, an aftereffect of the credit reporting agency’s 2017 data breach that compromised the personal information of more than 140 million Americans.
In addition to the breach itself, Moody’s cited a $690 million first-quarter charge for the breach — which will be used to settle class-action lawsuits and state and federal fines — as contributing factors, CNBC reported.
“The decision is significant because investors increasingly look to ratings firms and insurance companies to adequately predict the longer-term fallout of some of the biggest breaches, a difficult task given the relative lack of historical data on these incidents,” Fazzini reported.
Correction: A previous version of this item misidentified the projection Moody’s modified.