Cybersecurity and defense agencies need to do a better job of coordinating intelligence sharing to avoid the next SolarWinds attack, according to a panel of cyber defense and intelligence experts from the Institute for Security & Technology.
The panel, which met virtually Thursday, raised questions about whether national security and defense agencies have provided enough rapid support to private sector companies to detect and counter sophisticated attacks.
"There was an incredible dependence on private sector capability to obtain visibility across critical infrastructure, across U.S. domestic networks, across a variety of places where we have trusted the private sector to be able to defend itself," JD Work, Bren Chair for Cyber Conflict and Security at the Marine Corp. University.
Some of the nation's top cyber defense experts say U.S. defense and national security agencies need to better support the effort of private sector companies to share information and intelligence. This support is deemed as necessary in order to prevent additional cyberattacks by Russia and other rival nation states, as cyber espionage and other attacks have increased in recent years.
The panelists, who debated whether the SolarWinds attack represented a failure of the U.S. Cyber Command's "Defend Forward" strategy, addressed in part the role of the private sector in intelligence gathering.
Russia-backed threat actors have learned from prior cyber encounters in order to change their hacking techniques that managed to evade existing detection methods, Work said.
The SolarWinds attack allowed hackers to find a vulnerable private sector partner to penetrate thousands of companies and key U.S. agencies without setting off any alarm bells.
The vulnerabilities exposed by SolarWinds raise questions about whether the U.S. needs to rethink the way it engages with the private sector.
"If we're in this situation, for better or worse, do we need to have a system in which the private sector can better inform intelligence priorities?" Susan Hennessey, senior fellow – governance studies at the Brookings Institute and executive editor at Lawfare asks.
"In my view success looks like providing them real-time intelligence and letting them tell us what the requirements look like," Work said.
"If we're in this situation, for better or worse, do we need to have a system in which the private sector can better inform intelligence priorities?"
Part of the debate about private sector intelligence sharing involves just how much of a role the government will have in terms of regulating the amount of oversight it has over what companies can do with critical information.
However, Bryson Bort, founder and CEO of Scythe, says the private sector has done a pretty good job of managing these issues without government oversight and may not fully engage.
"We've seen them do extraordinary things on their own to take down gray infrastructure with absolutely zero involvement and acknowledgement to the U.S. government," he said. "Why? Because they can."
The government needs to define what is important for U.S. national and economic security, said Erica Borghard, senior fellow at the Atlantic Council and senior fellow at the Cyberspace Solarium Commission. Officials should also identify critical nodes in the supply chain as well as how to prioritize risk strategies.
"Otherwise we're going to wind up failing everywhere," Borghard said.
The U.S. needs to take a more offensive approach to the matter and send a signal that U.S. cybersecurity strategy will not be entirely focused on defensive measures, Bort said.
"We need to occasionally break things and we need to let them know that we're breaking things," he said.
Correction: This article has been updated to reflect Bryson Bort, founder and CEO of Scythe, was referring to gray, not great infrastructure.