The U.S. government needs the private sector to work with it to blunt cyber attacks, a senior justice department official told infosec pros at RSA Conference 2023.
“We want to work hand in glove with the private sector and give as much information as we can about what we’re seeing to alert folks,” Lisa Monaco, U.S. deputy attorney general and former Homeland Security advisor to President Barack Obama, told the San Francisco conference on its opening day Monday.
That’s what the U.S. did in 2021 when it helped alert Microsoft customers that a China-based group dubbed Hafnium was attacking Exchange servers, she said.
“But then, when entities don’t take as much self-remedial action as maybe they should, we are going to take action … pursuant with court processes.”
For example, she said, in 2022 when the U.S. saw Russia’s GRU military intelligence group taking over a group of zombie routers and firewall devices made by WatchGuard and ASUS in a botnet dubbed Cyclops Blink, it worked with the U.K., other countries, and WatchGuard to fight back. Through newly-granted federal civil powers the U.S. was able not only to access the botnet’s infrastructure but issue commands to delete that malware from customers’ devices.
Another example of the U.S. government working with the private sector, she said, was when Colonial Pipeline asked for help after it suffered a ransomware attack in 2021. The U.S. traced the ransomware payment and was able to return half of the US$4.4 million Colonial paid in bitcoin.
Monaco’s call for U.S. firms to work with the government is not the first call of this kind. But it is one that can be repeated by other nations.
Monaco said she has given orders to U.S. federal prosecutors to think about how they can disrupt threat actors and minimize the harm of cyber attacks. “Doing so will not always get a prosecution,” she said, “but that’s fine. We don’t always measure our success with courtroom victories. This is about preventing and disrupting and putting victims at the centre.”
An example she cited was the January closing of the Hive ransomware gang’s infrastructure. No one was arrested, but a big threat was — at least temporarily — taken off the table.
“We have to be willing to put our tools on the table, to let people into the tent and help them see what we’re seeing, and then work together to take that action,” she said, “not meet with you once or twice a year and promise some more product.”
The U.S. is also watching how nation-states are going after new and disruptive technologies, data sets and algorithms, Monaco said. Her office, the Commerce Department and Homeland Security have created the U.S. Disruptive Technology Strikeforce “to strike back against adversaries trying to siphon our best technology,” she said at the time.
Referring to Colonial Pipeline’s willingness to go to the FBI, she said, “Do that because it’s good for business — and you see that in terms of the ransomware payment — and it’s good for America, because you are helping us to prevent the next attack.”
“We are in this together. It should not be an adversarial thing.”