7 Steps International Organizations Must Take to Defend Critical National Infrastructure


Critical national infrastructure (CNI) is at risk in countries across the globe. When attackers target CNI systems—which include power plants, emergency services, hospitals, and transportation—it can cause life-threatening disruptions. We’ve seen this often with AT&T’s outages earlier this year preventing emergency calls, and more recently with the FBI’s LockBit Hack, where the notorious ransomware gang claimed to resume operations by posting stolen data from five companies, despite a recent global law enforcement crackdown. With AI technology advancing rapidly, the threat has only become more serious.

That’s why it’s more important than ever for security leaders and practitioners alike to facilitate better communication and information sharing among cyber security teams. It’s the responsibility of the global technology community to keep these and other security threats at bay. Annual security events like the FIRST Cyber Threat Intelligence Conference and FIRSTCon are perfect incubators for the community to share goals, ideas, and information on how to protect CNI and improve cyber security worldwide.

For example, this year at FIRSTCon we gained deeper insight into how countries can work more closely with one another to establish trust, share information, and collaborate. Below I’ll dive into some of the most urgent actions that both private companies and governments can take right now to secure CNI and defend against global cyber threats.

  1. Share Knowledge Between Countries

Awareness of cyber security threats should not be siloed between countries. Many online threats are borderless — an attack that impacts citizens of one country could just as easily harm citizens of another. That’s why global security leaders must establish regular meetings to share knowledge of potential threats and their current defense strategies.

Regularity is key, as the digital threat landscape is constantly changing; these meetings should happen at least quarterly. One method for collaboration between countries should be joint training exercises and simulations. Security leaders from different governments can share the practices they use to train their security teams to ward off attacks. This will help multiple countries develop coordinated defense strategies for the best possible chance at completely eliminating a known threat.

Holding regular meetings has other benefits – it builds connections between countries such that when a crisis occurs there’s an existing pathway to communicate between people who have already met and developed a level of trust. In the world of cyber incidents, speed of communications is of the essence.

Without this type of globally shared knowledge, cyber threats from other countries are less detectable, which means more risk for everyone online. The international security community must establish trust and share information willingly and often to protect CNI globally.

  2. Create Pathways Between Public and Private Sectors

Exchanging information and building trust between the private and public sectors is essential for protecting CNI. As we all know, the public sector neither owns, nor operates, nor has the knowledge to be wholly responsible for protecting CNI. Private companies often possess cutting-edge technology, specialized expertise, and new approaches to security that can offer greater protection to CNI than government resources alone. The private sector also tends to have greater financial resources, which means security measures can be implemented more quickly than they can in governmental agencies.

Organizations should establish frameworks for sharing threat intelligence between government agencies and the private sector to ensure this type of information is shared regularly and that the process is as seamless as possible.

  3. Multi-stakeholder Collaboration in AI Governance is Vital

According to Satoshi Okada and Takuho Mitsunaga of Toyo University in Japan, AI technology has both positive and negative impacts when it comes to cybersecurity. AI can be used to predict attacker behavior, to assist in threat modeling, and in methods like the SOAR approach (security orchestration, automation, and response), which alleviates the strain on IT teams by incorporating automated responses to a number of different security events.

However, AI decisions and predictions can exhibit bias due to the datasets and algorithms they are trained on. AI is not always able to make fair and responsible decisions — one example of this is the false arrests caused by AI-based facial recognition technology. This is why we need inclusive and diverse perspectives in AI governance. Multiple stakeholders should be involved in the development and implementation of AI governance to ensure the safety, ethics and societal benefits of the technology.

  4. Communicate More Effectively with Senior Leadership

In her session, Merisa Lee of Cisco Meraki emphasized the importance of improving communication between IT teams and senior leadership. To have the best chance at protecting your organization from cyber threats, it is vital to get everyone within the company on the same page. This principle applies to protecting CNI as well, where alignment among all members of the governing body is crucial.

Incident Response team managers spend a lot of time working on the technical side, but translating this into something that senior leadership understands can be difficult. Most teams use industry standard metrics such as Time to Detect (TTD), Time to Acknowledge (TTA), Time to Mitigate (TTM), and Time to Resolve (TTR), yet none of these actually tells leaders how your program is doing or how mature your security stance is. Successfully telling a clear and concise story to your leadership with a measurable standard will effectively highlight where your Incident Response program is succeeding and where you need more budget or resourcing to improve your program.

  5. Embrace Information Sharing in Defense Strategies

Luca Morgese Zangrandi of the non-profit research organization TNO in the Netherlands, and Vasileios Mavroeidis of the University of Oslo, led another session that highlighted the importance of information sharing when it comes to defense plans.

Security and Incident Response teams are increasingly automating their workflows for security management, incident, and threat response. Many are now embracing the concept of playbook-driven workflow orchestration — when fully or partially automated sequences of tasks are carried out in response to a triggering event. Currently, most of these playbooks limit the ability to collaborate and exchange defense plans and techniques across organizational boundaries.

Using the CACAO method (Collaborative Automated Course of Action Operations) could help overcome this. The CACAO method provides a common, repeatable framework that can be shared and executed across technological and organizational boundaries to better facilitate information sharing. This would ensure that every team within an organization has the same threat information and the same defense plan when an attack occurs.
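To make the shareable-playbook idea concrete, here is an added example (not from the article, FIRST, or the CACAO project) of a check a receiving team could run before executing a playbook from another organization. The property names follow the CACAO 2.0 JSON layout; the playbook content, the shortened step identifiers (real ones use UUIDs), the placeholder condition string, and the `validate_workflow` helper are constructed for illustration, and only single-target transitions are covered.

```python
# Added example: pre-execution check for a shared CACAO-style playbook.
# Property names follow the CACAO 2.0 JSON layout; all values are constructed.
NEXT_KEYS = ("on_completion", "on_success", "on_failure", "on_true", "on_false")

PLAYBOOK = {  # constructed sample, trimmed to the fields the check uses
    "type": "playbook",
    "spec_version": "cacao-2.0",
    "name": "Isolate host after ransomware alert",
    "workflow_start": "start--1",
    "workflow": {
        "start--1": {"type": "start", "on_completion": "action--isolate"},
        "action--isolate": {"type": "action", "name": "Isolate host",
                            "on_completion": "if-condition--confirmed"},
        "if-condition--confirmed": {"type": "if-condition",
                                    "condition": "alert:confirmed = true",  # placeholder
                                    "on_true": "action--notify",
                                    "on_false": "end--1"},
        "action--notify": {"type": "action", "name": "Notify partner CSIRT",
                           "on_completion": "end--1"},
        "end--1": {"type": "end"},
    },
}

def validate_workflow(playbook):
    """Return a list of problems that should block automated execution."""
    steps = playbook.get("workflow", {})
    start = playbook.get("workflow_start")
    if start not in steps:
        return [f"workflow_start {start!r} is not a defined step"]
    problems, seen, queue = [], set(), [start]
    while queue:  # walk every path a runner could take from the start step
        step_id = queue.pop()
        if step_id in seen:
            continue
        seen.add(step_id)
        for key in NEXT_KEYS:
            target = steps[step_id].get(key)
            if target is None:
                continue
            if target not in steps:
                problems.append(f"{step_id}.{key} -> undefined step {target!r}")
            else:
                queue.append(target)
    if not any(steps[s].get("type") == "end" for s in seen):
        problems.append("no end step is reachable from workflow_start")
    problems += [f"unreachable step {s!r}" for s in sorted(set(steps) - seen)]
    return problems
```

An empty result means every transition resolves and the workflow can terminate; any entry is a reason to send the playbook back to its author rather than run it.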

  6. Create Formalized Information-Sharing Agreements

Importantly, the type of information sharing covered so far may require local legislation to first be updated to allow for this type of transparency between countries, governments, and private companies.

Short of changing information-sharing laws in your country, a more achievable route may be to create formalized information-sharing agreements or memoranda of understanding (MOUs) between the organizations working together. This will establish legal frameworks for information exchange, and address confidentiality and data protection concerns.

By establishing legal pathways for information sharing locally, cyber security innovation can be accomplished globally.

  7. Establish Clear Rules and Accountability

When governments are collaborating in this way, it’s important to hold organizations accountable for failures in protecting critical infrastructure. There should be established rules for both public and private entities to follow so that when a breach occurs, a formalized review process can happen to determine whether protocol was followed. If negligence has occurred, an agreed-upon remediation process can then take place.

Getting and Staying Ahead

With the evolving nature of cyber threats, it can sometimes feel impossible to keep up. But by making threat intelligence more readily available across borders and between sectors, we can get and stay ahead of bad actors. These collaboration strategies are the first and most important actions to take towards protecting critical national infrastructure across the globe.

About the Author

Chris Gibson is the CEO of FIRST. He spent over 12 years working in the Computer Emergency Response Team (CERT) at Citigroup before joining the UK’s Cabinet Office in 2013. There, he built, launched, and led the UK’s first formally chartered national CERT – CERT-UK, as part of the 2011 Cyber Security Strategy created by the UK Government. In 2019, Gibson joined FIRST as its Executive Director, an organization he had been involved with since 2001. FIRST (Forum of Incident Response and Security Teams) is a premier organization and recognized global leader in incident response, fostering cooperation and coordination in incident prevention, stimulating rapid reaction to incidents, and promoting information sharing among members and the community at large. FIRST can be reached online via GitHub, LinkedIn, Mastodon, Meta, X, and YouTube, and at our company website https://www.first.org. You can also listen to the FIRST Impressions podcast for more insights.
