Promoting Operational Collaboration

December 2, 2020  • US Cybersecurity Group

The government does not control cyberspace. The road to success runs through the boardroom.

What is operational collaboration?

Operational collaboration is the process by which multiple organizations coordinate planning and synchronize their actions to achieve a shared goal in cyberspace using lawful methods. Typically, that shared goal is proactive: disrupting adversaries or threat actors before they cause unacceptable harm. In some cases, the goal is to respond to a significant cyber event, mitigate the consequences, and facilitate recovery operations. Whether dealing with proactive disruption operations or jointly orchestrated crisis response, operational collaboration combines legal, economic, law enforcement, intelligence, and/or technical measures employed by the private sector and government agencies.

Operational collaboration takes several different forms. It can involve coordination between companies and federal agencies, such as a recent FBI collaboration with private sector companies, or business-to-business coordination to disrupt adversary capabilities or disable adversary infrastructure. It can involve highly-capable security companies, internet service providers, information sharing organizations, and platform providers—all working together to mitigate the effects of an ongoing significant cyber incident. In both cases, success requires a clearly defined objective and mutually agreed outcomes, enabling participants to align interests and focus on the same adversary. It must also clearly provide mutual benefit to all stakeholders involved (e.g., a company protects its customers and law enforcement obtains intelligence or an indictment).

What operational collaboration does not mean: (a) hacking back, (b) mandating industry cooperation with government cybersecurity programs, or (c) responding to routine cyber incidents on a regular basis.

Why is this a priority?

Operational collaboration aims to achieve two fundamental objectives in cybersecurity policy: (a) increase costs for adversaries by disrupting their activities and (b) prepare for and respond to adverse cyber events that harm U.S. or allied interests. Because neither the government nor the private sector acting alone can achieve the scale, scope, speed, and sustainability required to achieve these goals, the only way to reach the desired end-state is to enable more effective operational collaboration across the digital ecosystem.

The increasing costs of malicious cyber activities demonstrates that current processes and structure are insufficient to safeguard national security, economic prosperity, and public health and safety. Numerous adversaries, whether nation-states or cybercriminals, can attack consumers, businesses, and government agencies with relative impunity. For many types of attacks, adversaries’ direct costs also remain relatively low, allowing them to achieve greater scale and damage. Simply sharing information about threats is not enough. We need to increase costs for adversaries. Too often, our efforts to shut down adversary networks only impose minor setbacks that still allow them to pivot and quickly recover operations. Industry and government must work together to turn these into strategic defeats that force adversaries to invest in entirely new attack campaigns.

Notwithstanding proactive efforts to disrupt these malicious activities, sometimes adversaries will succeed in conducting a major attack. As the impact of cybersecurity events increases, we need to respond to significant cybersecurity events (such as the NotPetya outbreak) more effectively when they occur, limiting their spread and mitigating their effects. Because a major cybersecurity crisis will likely spread across multiple businesses, sectors, and regions, the corresponding response will require a high degree of coordination and rapid communication. And unlike proactive disruption planning, when stakeholders can wait until the right moment to strike, actively responding to a significant cybersecurity incident introduces the additional element of extreme time pressure.

  • Reduced impact of routine cybercrime on the digital economy.
  • Higher costs for sophisticated nation-state attackers.
  • Increased number of high-capability companies and nations involved in cybersecurity coalitions.
  • Better measurement of the effectiveness of adversary disruption operations.
What are past obstacles to progress?
  • No defined framework: In many cases, federal agencies and potential partners in the private sector lack the policies, processes, procedures, and organizational structures to prioritize and enable effective operational collaboration, either proactively or reactively. Although the federal government has Presidential Policy Directive-14 for coordinating event response actions between agencies, how those agencies will work with private sector entities is not clear.
  • Lack of intra- and interagency leadership: Individual agencies or offices simultaneously and separately ask to coordinate with private entities, frustrating a holistic government response and the scalability of public-private partnerships and joint actions.
  • Lack of prioritization and focus on impact: Given the sizeable and growing number of highly sophisticated cyber adversaries, defenders lack the resources to capitalize on all opportunities to disrupt attacks. Without prioritization based on potential impact, operational collaboration is often opportunistic, simply gravitating toward threats that are most relevant to an ongoing investigation or customer segment.
  • Classification barriers: Government participants are often unable or unwilling to share information in an unclassified setting and in a manner that allows private entities to act.
  • Agility: Many efforts to improve coordination among the private sector and government mistakenly include too many parties, creating unwieldy processes while saddling coalitions with some partners who lack the technical capabilities to implement necessary activities.
  • Cultural Barriers: Many federal officials are uncomfortable engaging regularly and openly with the private sector, and some agency incentive structures almost exclusively reward law enforcement officers based on criminal justice outcomes, which sets a very high bar, reducing incentives to engage in otherwise effective disruption activities.
  • The “agent” problem: Many companies might want closer collaboration with federal agencies in the name of better cybersecurity for their customers, but they are wary of being seen as agents of the U.S. government.
  • Liability: Particularly when unknown dependencies or connections are involved, entities hesitate to act in concert if the potential second- or third-order consequences might cause unforeseen damage affecting other parties.
  • Antitrust: While Congress has exempted narrow kinds of information sharing from antitrust rules, some coordinated activities could raise similar concerns.
Action Steps
  1. Establish a National Cyber Director to enhance public-private operational collaboration for proactive disruption and cyber event response. The U.S. Cyberspace Solarium Commission has recommended that Congress codify a Senate-confirmed National Cyber Director (NCD) as “the President’s principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.” To be an effective advocate for and enabler of operational collaboration, the NCD should have both visibility into offensive government operations against adversaries and authority to coordinate public-private response activities to cyber events. The NCD can set common protection or disruption priorities and objectives; identify new ways to act in a unified, holistic manner to achieve those objectives; and help to scale coordination with the private sector by acting as a single point of contact, rather than requiring each agency to maintain their own direct connections to industry teams. The NCD should look to work by the Aspen Cybersecurity Group, Third Way, the World Economic Forum’s Partnership against Cybercrime, and Columbia University’s New York Cyber Task Force to develop the practical policies, processes, and structures to promote operational collaboration, both for proactive disruption and significant incident response.
  2. Update incentives for federal law enforcement employees to reward disruption of adversary operations. The FBI and other law enforcement agencies are important partners for private entities that are interested in taking proactive steps to disrupt adversary networks. However, current cultural barriers and institutional incentive structures, including rewards and opportunities for advancement, reflect a traditional focus on indictment and prosecution as a means of deterrence, limiting disruption frequency and impact. Due to attribution challenges and the fact that many of the responsible individuals live overseas, indictment and prosecution are unusual outcomes. Moreover, attribution is often a lengthy process, during which threat actors can continue harming technology users and the economy. Finally, prevention and deterrence—two of the most important theories of criminal law—can be achieved without indictment or prosecution when operational collaboration produces effective disruption.Changing the incentive structures for federal law enforcement agents will help align the objectives of cybersecurity defenders in the private sector with those of the agency that is authorized to act aggressively against cyber criminals and foreign adversaries. Incentive structures should shift in favor of disrupting adversary infrastructure and operations, recognizing the value that such actions have for minimizing harm and protecting technology users.
  3. Create a personnel exchange program between companies and federal agencies. Better coordination requires strong personal relationships between staff-level operators and senior decisionmakers in companies and agencies. A two-way exchange program will forge long-term networks of trust that laws or regulations cannot. Potential models include the Center for Long-Term Cybersecurity’s Workforce Incubator and the Information Technology Exchange Program. Key federal government departments and agencies, such as DHS, DOD, and the FBI, should strive to conduct joint cyber defense activities, including systemic risk identification and contingency planning should-to-shoulder with corporate cyber teams and operational industry collaboratives of critical infrastructure operators.
  4. Direct and publish a review of legal barriers to deeper intelligence and operational coordination between federal agencies and private companies. Some legal concerns cited as barriers to operational collaboration do not necessarily reflect the reality of statutory or regulatory restrictions. Federal agencies raise concerns about taking coordinated action with a limited number of private sector participants, but experience demonstrates that only a few private sector actors are truly capable of acting and motivated to do so. Progress requires a comprehensive, authoritative opinion on the existing legal barriers to closer coordination among federal agencies and between industry and government. Where barriers are identified, including constitutional protections when “agent of the state” provisions are triggered, safe harbor protections for limited and targeted cybercrime reporting (such as those that exist for reporting related to child protection) should be explored.
  5. Create a framework for measuring the outcomes of disruption and event response activities. While successful examples of operational collaboration have become more common, the absence of a clear methodology for assessing the true impact of disruption operations or investments in event response prevents government, the private sector, and independent researchers from recommending evidence-based improvements to strategy and policy. Building on ongoing research by Columbia University, the Department of Homeland Security should partner with appropriate Federally Funded Research and Development Centers and universities to fund the creation and maintenance of a database of disruption activities and research to uncover the most effective practices. This research should also include reviewing past event response actions to map participants and draw out lessons learned. The NCD should ensure the resulting framework for operational disruption and metrics is included in national plans and policies that inform future efforts to take disruptive action against attackers to deter incidents and to collaborate on event response
Dig Deeper on Operational Collaboration:

Learn More

Legislation, Regulations, Executive Orders, and Guidance