A
You're listening to the Cyberwire Network, powered by N2K. Cybersecurity is not impossible. The truth is that you can actually materially reduce your cybersecurity risk. And there are things that we could do at the systemic level to reduce our cybersecurity risk. As a society, we are not helpless. And in the face of this threat, there are a lot of opportunities out there for us to do that. There are things like CTA that help with that. There are policy changes we could make. There are things that companies can do. We are not defenseless or helpless in the face of this malicious activity.
B
Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. Today, I'm speaking with Michael Daniel, President and CEO of the Cyber Threat Alliance and former White House Cybersecurity Coordinator. Today we're going to talk about the strange but vital world of cybersecurity collaboration in an episode we're calling Frenemies with Benefits, which I think is really fun. Michael brings more than two decades of public sector experience, including leadership at the Office of Management and Budget and as the top cyber advisor to the president. Since 2017, he's been building bridges between cybersecurity competitors and government agencies through the Cyber Threat Alliance, an organization that promotes real-time threat intel sharing among security vendors. I'm also a member of the board of the Cyber Threat Alliance, so I actually get to see Michael and really work a lot with him on this topic of collaboration. And this episode's all about trust, or the lack of it in cybersecurity. Is collaboration across companies and countries actually working? Or is it more just something we're doing to be polite? In a world of competing incentives, intellectual property battles, revenue goals, quarter to quarter life of public companies, and Michael's uniquely positioned to answer these questions since he's had to navigate this for quite some time. So, Michael, welcome.
A
No, thank you for having me.
B
Yeah. We're here in the New York City office, Palo Alto Networks, looking at the great view. A little bit of a gray day, but we see the clock tower out the window. Before we dive into the hard questions. You've been leading the CTA, Cyber Threat Alliance, for over eight years now. Looking back, what, what moment stands out to you as the first time you felt, okay, this is working?
A
Yeah. When I think about that, to me, one of the early signs of that was during the WannaCry incident that we were able to get a lot of different member companies on a call simultaneously and have them talk about what they were seeing and what they were not seeing. And at the beginning of WannaCry, everybody thought that that was being spread by an email vector. And when we assembled the different CTA members on the call and everybody started seeing what they were seeing and nobody was finding an email vector for WannaCry. And it was one of those things that you could almost feel it around the room of like, wait a minute, if nobody among this set of people is seeing an email vector, maybe there's not an email vector. And so it really prompted everyone to go look in a different direction. And that was one of the first times that I realized that this model could actually work.
B
Yeah, sort of like coming together amongst minds of something that's really breaking and hitting the world hard. Like WannaCry. I mean, that was spreading wildfire throughout networks. Right. I mean, the way it was spreading with the worm aspect of it was pretty interesting. But also to see a ransomware attack spread like that, we. I don't think we've seen one like that recently. We haven't seen. I want to start with like a basic premise is like, why is the collaboration so hard? Is it cultural, is it technical? Like, what do you see on that front?
A
Some of it is technical, but not very much. In order to actually do sharing and to do it more than kind of one off. I mean, it's fairly easy to one time have an analyst at the Acme company send a spreadsheet of stuff over to his buddy at the XYZ company. But if you want to do it with regularity, if you want to do it at scale, if you want to keep it going over an extended period of time, then you've got to build some technical infrastructure to do that. And you need some, for example, you need some technical standards, things like the structured threat intelligence exchange, right? A way to standardize the sharing of information. But that's really only one small part of it. A lot of the barriers are more cultural, they're more legal, they're both real and perceived barriers. There's, you know, concerns about like, well, is this where my. I'm actually making my money? Right? Is this, Are there liability concerns that we might, might we have some downsides to share?
B
Customer exposure.
A
Customer exposure, right. And again, these things are not always, you know, myths or fake. I mean, some of them are legitimate concerns. And so you've got to build the right guardrails into the sharing in order to get everybody comfortable. So there's a lot of friction and then I would say the other thing is that sharing is very rarely anybody's main job. Right. It's usually their fifth or sixth priority in their job jar. And that makes it hard for people to prioritize it and to get to it. And so when you see it work, it's usually because somebody has made it a priority, an executive somewhere has made it a priority for it to happen. Otherwise, too many other things just get in the way.
B
I also was thinking of, like, how does the Cyber Threat Alliance and what we're doing, and specifically our collective defense model, how does that relate to some of these other sharing models that we've seen out there, the ISACs, JCDC, for which we're a member, you know, with Homeland Security, obviously, like, how does their model differ from ours? And, you know, you know, how does that look? And then also, what is one misconception people have about the Cyber Threat Alliance's mission as it pertains to those.
A
Yeah, a lot of times I would say, well, CTA, if you think of us as an ISAC for the cybersecurity industry, that would not be too far off. I always say that the Cyber Threat Alliance is aimed at entities that are providing cybersecurity services to others. So cybersecurity companies like Palo Alto Networks, but also the cybersecurity arms of telecommunication companies or platform providers, those sorts of things. And really the reason for that is because that's a set of entities that really do need to be sharing lots of technical data with each other at very large volumes. And that's really some of CTA's stock in trade. Right. Is focusing on that. We are not focused on a particular industry vertical, which a lot of ISACs. Well, we are. It's just the cybersecurity industry, as opposed to, like a critical infrastructure sector vertical, like, you know, financial services or energy. So really, that's kind of our space in the. In the. In the ecosystem as we try to occupy that. That space, which really nobody, no other entity was really occupying before CTA, before CTA came along. So that's really how I see, you know, what CTA is and what we, you know, and what we do, we also try to work with. How do you actually get that collaboration built with the government? One of the things that we made a decision very early on for CTA was that we wanted it to be focused on the private sector for what the private sector could do, and that governments can't be direct members of CTA. And that was deliberately designed to give some space in there to make it. So that it wasn't. So that it didn't seem like governments had captured CTA and that CTA was doing a government's bidding. Right. But obviously we have a lot of partnerships and work with responsible governments around the world. And so that I think is an important part of the, you know, important part of the equation.
B
Yeah, no, I think it's one of those things where, yeah, that's how I describe it too, is like we're sort of an ISAC focused with the cybersecurity companies. One thing I also think about with the ISACs is, yes, they are industry vertical aligned, but now that I've been doing much more involved with collaboration since I've been in Unit 42 those last few years, I do start to realize that there's a lot of overlap between industries. Especially if you take out like, okay, you're doing an OT environment or you have a point of sale system. These things that are very unique to different industries. If you take that out of the equation, a lot of the attacks are somewhat similar because you look at these ransomware gangs. They're looking to encrypt everyone, they're looking to harass everyone, they're looking to extort anyone they can for money. It's not necessarily like, oh, well, I'm going to extort the retail industry different than I'm going to extort the manufacturing industry.
A
Right?
B
Yeah. And again, once you, once you account for the different, different differing technologies. When I want to change topics a little bit to the, you know, talking about incentives, you know, one thing that everybody always asks me when I talk about the CTA is like your competitors, you know, as the leader of the CTA, how do you convince, you know, new members to come on board and share that intel, you know, where they do have to be, making sure there's no business risk, there's no liability and things like that. But also the fact that we're just naturally competitors and we have that in our nature.
A
Sure. So there's a few answers to that. One is that virtually no one really makes their money off of providing threat indicators. Right. Like, you don't go to customers and like, say, here's a bunch of indicators for you. Good luck with that. Right. Look like that's not really anybody's business model.
B
The, there might be a few out there may be a few, but certainly nobody at the size of the members of the CTA.
A
Right. And so instead what you're really competing on is what you do with the threat intelligence. Right. You are competing on the basis of my technology is better, my customer service is better, my understanding of your industry is better. Right. And so when you look at it that way, if you have access to more knowledge, right, and you're using that knowledge to fuel your protections, to fuel your customer service, to fuel your knowledge of an industry, having more of that knowledge makes you more competitive. Yes. At the same time, it also helps the ecosystem and your competitor. But at one level, what I say is we're actually raising the competition up off of what we know, which is kind of the base level, up higher in the value chain. So that's actually better off for companies because you're more competitive. It's better off for the ecosystem because that competition is happening at a higher level. And, oh, by the way, more of that protection is being spread, so everybody's protections are better off. So my argument is that actually the sharing, in fact, makes the entire ecosystem better off and more competitive at the same time. It's a little bit of a counterintuitive idea until you really understand how cybersecurity companies work and how they use information to do what it is that they do. And the other thing is that we built some very strong protections into CTA. So, for example, we have an antitrust compliance statement that we say at the beginning of every meeting, Right. That, you know, one of the things we talk about is threats and what the bad guys are doing. One of the things that we do not talk about are products, prices and anything related to a future roadmap for our members. Right. So there's a whole set of things that are off limits to CTA members to talk about. If you're inside the bubble of what you can talk about that, that's great. You've got all sorts of protections around that.
And by the way, members really like that because it helps make it clear what's allowable and what's not. If it's outside of that, we don't talk about it. And that also gives our member companies a lot of comfort because the rules are very clear about what's in scope and what's out of scope.
B
One thing we've introduced, I'd say more on the recent side, obviously, we've been sharing indicators and signatures and all these kinds of things that we can do and then collaborate on big events. Like you mentioned, WannaCry, we've also been doing early sharing of our publishing. I particularly have found that very useful of getting access to know when my competitors are gonna publish something in a few days. So we in the CTA, for those that aren't familiar, is that we share. Hey, we're gonna be publishing this to the, to the world, sometimes with more notice, sometimes with less notice, depending on the sensitivity of, of the research. This could be a threat research article, a paper, a blog, whatever, a tweet. Could be anything. And one thing we, we take a look at is it lets us get prepared. Yeah, I mean, one of the things that I often get bombarded with is, hey, you know, Fortinet or Check Point or whoever it is just published this research. What does Unit 42 know about it?
A
Right.
B
Do we have protections for our customers? And that's like the first question I get when somebody publishes research very often, but by being in the CTA, I'm able to get advance notice of that, get my protections in place, and have an answer for that question when it comes. It's not, wait, what did they publish? I didn't even. I read. I read it after my, you know, my leadership. No, instead. Oh, we already know about it. We've already accounted for it, and we're right there in place. So I found that to be, you know, one of the big value adds that we've had in the last. I don't know, when did we roll that out? Like and a half ago?
A
No, two years. Been going on three years ago. Yeah, four years.
B
Four years. So it's been even predating me on the edge, definitely.
A
But it's gotten, you know, maybe it's ratcheted up as far as the amount is, the volume. And we've been steadily trying to increase it over the last few years because our members find it valuable in exactly the way that you just described. And again, it doesn't actually detract from, you know, part of it is, you know, we were talking about what makes CTA work. And some of that, and some of it is that we've built this trust space. Right. And that we have been very, you know, from the CTA staff side, we're very ruthless in our sort of approach to being fair among our members. Right. That we treat all of our members equally. But we are also, you know, people respect the embargo. Right. That comes with those early shares. And everybody knows that, like, if you violate that embargo, like, that's toast. And everybody finds that, that having that access that early heads up the ability to prepare very valuable. It again, it doesn't detract from anybody's ability to get press, to get coverage, but it enables the whole ecosystem to prepare better, which, again, only makes everybody better off.
B
Right. And what do we see attackers do? Right. Yes. There's the nation state threats, who often have the zero days early, who often have the hour early and all that. But then once either the POC comes out or a publishing comes out and it gets all attention on it, then we see everybody else latch on to that style of attack very quickly, too. We often talk about it. It's within hours. When we talk about it, we say 48 to 72 hours is what we say in Unit 42 when something's published before other attackers start jumping on the bandwagon. So getting early access is almost needed to have those defenses in place in time, which I think is really cool. And I think we've also gamified the situation. A lot of people say, how do you make sure people are sharing? Well, we gamified it to say you get points for doing certain things and then you get to stay in the club, essentially, is the way I look at it, by sharing more and more. One thing I wanted to mention and talk about is sort of this concept of the CTA is like a family in a way. I mean, sounds a little cheesy to say that, but I do feel that way in that we do look out for each other. We do want things to be done in a right way. And when I say that, I mean from an ethical standpoint. I think people, you know, can weaponize things that are happening at different vendors in a way that is not appropriate. And, you know, we have a way of. Of. Of sort of looking out for each other. I found that, you know, when I've seen something in somebody's research and I. And I don't, you know, see something that maybe doesn't look right, everybody in the CTA seems very welcome to, like, feedback and then quickly changing things. I don't know. One thing we've recently formed is sort of. I don't know, what were we calling it? Was it like an ethical pact of some sort where we've all sort of agreed to be a part of thinking about things in this way? Do you want to just describe that briefly? Because I really was a fan of it.
A
Sure. So, you know, there's a long standing sort of tradition and methodology for disclosing vulnerabilities has emerged. Right. So there's the responsible vulnerability disclosure process that most places have. So, you know, if you're a researcher and you find a vulnerability, there's a process that you're supposed to go through before you just flop that vulnerability out there for everybody to see. Right. Because the Bad guys take it and use it. Right. You're supposed to, you know, the ethical way to do it is you contact the vendor and you give them some time to fix it and other things. Now, if they totally blow you off, then eventually you, you know, you're within your rights to go publish. Right. But there's this whole body of sort of ethical behavior that's built up around the disclosure of.
B
Which not everybody follows.
A
Which not everybody follows. But it has become widely accepted across the industry. Right. So what we did within CTA was we said, okay, once that's out there, though, we also need to have a responsible way of talking about those vulnerabilities. Because the truth is that every piece of software out there has vulnerabilities. Every cybersecurity company product has vulnerabilities that have been discovered at one time or another. And so that we should, as an industry, we should not try to immediately use the fact that one vendor has had a vulnerability disclosed about their product to point fingers and say, ha, ha, they had a vulnerability and now you should come get our stuff because we're better. Right? Well, because the truth is, the next day it'll be your turn.
B
That's right.
A
And so what we did within the CTA was we said, okay, we're going to have a policy that our members are going to sign up to that says this is how you talk about vulnerabilities in a competitor's product in a responsible manner. And notice, it doesn't mean that you don't talk about it because it is entirely legitimate for a researcher to say, hey, I have seen the adversaries use the vulnerability in the ACME firewall in this way. Right. But there's a way to do that kind of research and publish that research in a responsible way where a. You give ACME company heads up that you're going to, you know, you tell them that you're doing this, they don't get a veto over it, but you just tell them that you're doing this. And there's a way to talk about it in a manner that's not sensationalist, that focuses on how the adversaries are actually using the vulnerability. And so what we've tried to do is say, we're going to have a process, we're going to have a policy for how you talk about these disclosed vulnerabilities in a responsible way that again, improves the security of the overall ecosystem. Because we need the research on those vulnerabilities. We need companies to fix them. We need to know how the bad guys are using them, but we need to not, like, catch each other and, you know, the friendly crossfire, like, keep the. Keep the. Keep the. Keep the weapons pointed at the bad guys.
B
Wanted to kind of pivot a little bit. We've been talking about the CTA and sharing and what we do there. Kind of want to talk about some of your experience as well. So when we talk about public private collaboration, going back to your White House days and beyond is like, you know, I feel, and I'd love to hear your opinion, is that the government has gotten better at trusting the industry, at trusting the private. Do you agree with that thought?
A
Yeah, no, I think the. I think very much so. The government, the US Government in particular, has matured a lot over the last 15 to 20 years. I think some of that is because the private sector has also matured, that there's been growth on both sides. And my own view is that some of what we've been seeing is the development of an understanding of where does the private sector bring comparative advantage versus where does the federal government bring comparative advantage? And they're in different places. And that's what opens up the opportunity, I think, in particular, for public private collaboration is because different elements bring different things to the table. Now, there are also some cultural issues that make it often challenging to execute on these kinds of collaborations, but I think there's a greater capacity on both sides to do that.
B
What do you think is the thing. I don't want to say that's broken, or I would say more like, what do you see as the best way we could improve the US Government's approach to cyber partnerships? What is the thing? If you had a magic wand and you were in charge of all partnerships, from the government to private, across the US Government, what would be like, either one or two things that you would quickly think about either changing or enacting?
A
Yeah, I mean, I think one of the things that I would say is one of the struggles that the federal government has is that we have worked very hard over decades to make sure that there are a lot of rules inside the federal government for how it treats the private sector and to treat the private sector equitably. And what this has translated to is that if you are working with one entity in the private sector, you've got to work with all of them equally. And the truth is that in cybersecurity, not all companies are created equal, and some entities in the ecosystem are more important in certain situations than others.
B
And so, yeah, based on the technology they have Deployed worldwide based on their visibility, based on their expertise.
A
Absolutely, yes. These are based on very, what I would almost say are objective factors. Right. This is not about preference, you know, based on who's friends with who, but it's based on the technology, the infrastructure, the capabilities. Right. And the federal government needs to be able to have a better ability to say, look, I'm going to collaborate with this set of entities in this case for this reason. And no, we're not going to have to let everybody and their cousin into this collaboration because they don't bring enough to the table. Right. And that's really hard on the federal government side right now because it can
B
feel like you're picking favorites. Is that why?
A
That's right. And it's seen as picking favorites. And it's like, no, we're not picking favorites. We're picking the entities that can actually do something to make a meaningful difference. And if you've ever been in any sort of collaborative exercise, then you know that as you get bigger, it gets harder and harder to do the collaboration and you reach a certain point and it becomes almost impossible. And so that, to me is really one of the, you know, key sort of factors that we have to take into account and that the government needs to have a better ability to process. I think on the private sector side, there needs to be a better understanding of the fact that the government operates under certain constraints that a private sector company will never operate under, and that not all of this is just about bureaucracy. That it's about very real reasons for why we want the government to not be picking favorites in most situations. Right, right. And that we want the government to operate in certain ways. And so that imposes some constraints on how the government operates that private sector companies don't have to follow. And it means that it's not because the government is stupid or because they're incompetent or lazy. It's because they operate under a different set of rules. And so we need to bring a lot more of that understanding to the collaborations and have respect for the constraints. And again, and that also works. The government also needs to understand that in many of these cases, when a private sector company is collaborating and working with them, every minute that they're spending working on this thing with the government, they're not making money.
B
I want to flip the question a little bit on collaboration and think about, you know, when does collaboration not make sense? When you're right. Are there situations where the risk of sharing outweighs the benefits that you see as being correct?
A
I think there's more situations where collaboration, where really is very rare that collaboration can't come along at some point in the process. Right. There are definitely times when there is a need for secrecy. Right. There are certain operations that the government, on the government side, for example, if they're going to ultimately, at the end of the day, for example, if the government is going to execute a operation against a foreign country or law enforcement is going to execute an operation, then at a certain point there's limited collaboration that can occur because there's just some constraints, there's a need for secrecy, there's other things like that. Similarly, there are times when companies need to protect their intellectual property. They need to protect customer data. Right. It's inappropriate to ask a company to share something. For example, where to share it would inevitably reveal the customer. Right. Unless the customer is comfortable with that. So there are definitely constraints on it in that sense.
B
I wanted to ask you one of the things that happened back at RSA. There was a talk given US Government side about there would be, I think a lot of people were wondering how the sharing and public private would be going under the new administration. I think there was an announcement. You could correct me if I'm wrong about the fact that the liabilities and protections for companies for the sharing is still in place into the future. Is that a true statement?
A
So, yes. However, the legislative authority that underpins that is called the Cybersecurity Information Sharing Act of 2015, and it is up for renewal this year. It needs to be reauthorized. And so one of the big pushes that we're working on is to get Congress to reauthorize that statute. It expires on September 30th of 2025, and we need Congress to reauthorize that statute. Yes, there are probably some improvements that could be made to it, but right now we just need them to reauthorize that statute so that we don't go back to a pre-2015 sharing world. Right.
B
Because then companies won't have the protections in place that if they were to share, and particularly I think some of the real value we've had is people talking about the attacks that they're dealing with. I think there's been tremendous value that I think saying that you're dealing with an incident response in your environment is something Nobody talked about 20 years ago, ever. You swept it under the rug. You talk to your, maybe your lawyer, if you go talk to your lawyer to be like, can we sweep this under the rug versus now you might even have an obligation to report to the market and publish something. I think want to get your take on, on the SEC policy. You know, I've been doing incident response for upwards of 20 years now. I personally think it's very hard to get a handle on what you're dealing with quickly. Sometimes I think the SEC is. How many days is it?
A
96 hours? It's four days.
B
Four days you have, if you have a quote, material cyber. Right. So I think personally I feel that that's a great policy at heart. And the reason I say at heart, I mean, people are going to talk about the attacks they dealt with, which means people are probably dealing with similar attacks, which means they could better prepare themselves. And also it makes it not such a. Everyone gets hacked, period. That is what I've seen time and again doing incident response for 20 years. And many people get hacked many more than one time. So we're all dealing with it. So let's like not make it such a negative thing. Instead, let's bring it to light. So I love that that's at the heart of the policy. The part where I have a little bit of an issue with it is the time. And the time is very quick because in four days you need to not only know what you're dealing with, but you need a story for the market to say, we're dealing with it, we've triaged it, we've hired someone to come in and help us, so on and so forth. What are your feelings about that policy? Do you see it the same way I do? Do you think there's ways to make that policy even better?
A
So, I mean, I definitely think that for publicly traded companies, they should have an obligation to report if they have had material cyber incidents on their regular disclosures. Right. So if you look at a lot of, prior to some of the SEC actions, you know, you would get the, you know, the 10-K or whatever would say, like in a footnote someplace, we had a separate incident or we have cyber protections in place. Okay. Probably not enough disclosure for investors to actually make an informed choice. I feel like the public, the requirement to report publicly within such a short period of time is actually counterproductive because it makes companies overly lawyered, overly cautious.
B
There's probably a lot of lawyers who got jobs just to define what a material cyber event is.
A
Right. And instead what we really want is, and you don't know enough within four days, and particularly if it's actually material, you don't actually know enough in four days to actually say what the real impact is. And so to my mind, it was the. It was an idea that I agree that, like, the intent of it is right. And so I think actually having regular disclosure requirements, that's totally appropriate. I just feel like the timeline is way too short, and it should be much more tied to, like, the quarterly and annual reporting that publicly traded companies have to do. And that's entirely appropriate to say, if you've had a material cyber incident, then you should really be telling your investors and the public that you've had that incident and this is how you've addressed it, and this is how our cyber defenses are laid out. If you're a publicly traded company, that's part of your responsibility. But I do think, again, we were talking about responsible vulnerability communication. There's responsible incident communication as well, because there's no point in panicking people if you don't actually know what's really happening. And my own experience with incident management is like, I remember working incidents in the government where it'd be like, well, this agency has been affected. Well, actually, this agency. No, not that one. This one over. No, actually, you know, in two weeks into it, we're still trying to figure out, like, so was it 40,000 people? 50,000. You know, 100? We don't know. You know, and it's. It took like, a month or two to, like, get to where we actually had a handle on what was happening. So I have a lot of sympathy for entities that are going through an incident.
B
I will also say I'm filling in for the regular host, David Moulton of Threat Vector, and he's a huge fan of cybersecurity dad jokes. Do you have a favorite cybersecurity dad joke that you could share? Oh, gosh.
A
Well, I guess there's one that's at least vaguely cybersecurity related. So why did the farmer take his router to the barn?
B
Why?
A
Because he wanted to get stable Wi-Fi.
B
David's going to love that one. That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback help us understand what you want to hear about. I want to thank our executive producer, Michael Heller. Our content and production teams, which include Kenny Miller, Joe Benecourt, and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
Date: June 11, 2026
Host: Palo Alto Networks (B)
Guest: Michael Daniel, President & CEO of Cyber Threat Alliance (A)
Production: Palo Alto Networks & N2K Networks
The episode explores the critical role of collaboration—often between fierce competitors ("frenemies")—in cybersecurity. Host (B), a board member of the Cyber Threat Alliance (CTA), speaks with Michael Daniel (A), CTA President and former White House Cybersecurity Coordinator, about the realities, hurdles, and breakthroughs in sharing threat intelligence, fostering trust, and partnering both within the industry and across public and private sectors. The conversation moves from founding moments of CTA to topical concerns like regulation, incentives, and responsible disclosure.
[03:00]
"It was one of the first times that I realized that this model could actually work."
[04:43]
"A lot of the barriers are more cultural, they're more legal... Are there liability concerns that we might, might we have some downsides to share?"
[07:24]
CTA Compared to ISACs and Other Models:
"No other entity was really occupying [the CTA] space before CTA came along."
Industry Overlap:
[10:32]
Competitors Sharing, Building Trust:
"What you're really competing on is what you do with the threat intelligence... If you have access to more knowledge... having more of that knowledge makes you more competitive."
"...makes the entire ecosystem better off and more competitive at the same time."
Gamification and "Club" Benefits:
Advance Sharing of Research:
"[CTA] lets us get prepared... Have an answer for that question when it comes. It's not, wait, what did they publish?..."
[18:58]
"We should not try to immediately use the fact that one vendor has had a vulnerability disclosed about their product to point fingers and say, ha, ha... Because the truth is, the next day it'll be your turn."
[23:13]
Evolution of Trust:
"The US Government in particular has matured a lot over the last 15 to 20 years."
Biggest Hurdle:
"Not all companies are created equal... some entities in the ecosystem are more important in certain situations than others."
Mutual Understanding Needed:
"...not all of this is just about bureaucracy... It's about very real reasons for why we want the government to not be picking favorites..."
[28:17]
"It's inappropriate to ask a company to share something... where to share it would inevitably reveal the customer."
[30:02]
"...we need Congress to reauthorize that statute so that we don't go back to a pre-2015 sharing world."
[31:41]
"In four days you need to not only know what you're dealing with, but you need a story for the market..."
"I feel like the public, the requirement to report publicly within such a short period of time is actually counterproductive because it makes companies overly lawyered, overly cautious."
"You don't know enough within four days...particularly if it's actually material, you don't actually know enough in four days to actually say what the real impact is."
On collaboration's turning point:
[03:00] Michael Daniel
"You could almost feel it around the room of like, wait a minute, if nobody among this set of people is seeing an email vector, maybe there's not an email vector."
On the culture of sharing:
[05:57] Michael Daniel
"Sharing is very rarely anybody's main job. Right. It's usually their fifth or sixth priority in their job jar."
On competitive collaboration:
[11:43] Michael Daniel
"What you're really competing on is what you do with the threat intelligence."
On building trust:
[15:50] Michael Daniel
"From the CTA staff side, we're very ruthless in our sort of approach to being fair among our members... People respect the embargo."
On responsible disclosure:
[19:44] Michael Daniel
"Not everybody follows [responsible disclosure], but it has become widely accepted across the industry."
On government-private sector dynamics:
[25:37] Michael Daniel
"Not all companies are created equal... some entities in the ecosystem are more important in certain situations than others."
On the SEC's 4-day rule:
[33:33] Michael Daniel
"I feel like the requirement to report publicly within such a short period of time is actually counterproductive because it makes companies overly lawyered, overly cautious."
Cybersecurity dad joke:
[35:42] Michael Daniel
"Why did the farmer take his router to the barn? Because he wanted to get stable Wi-Fi."
The episode underscores that collaboration—even among rivals—remains both the greatest challenge and opportunity in cybersecurity. CTA’s story is one of building trust via structure, strict rules, and shared values—including a unique ethical pact for vulnerability disclosure. Legal frameworks and responsive, not reactionary, communication are key pillars. While perfect collaboration faces hurdles—cultural, legal, and practical—it's essential for effective cyber defense. And sometimes, a little Wi-Fi humor helps too.