When a U.S. drone strike killed Iranian Gen. Qasem Soleimani in early January, the United States opened the door for retaliation from a nation with well-known cyber capabilities. While military officials had to be ready for a kinetic response from Iran, civilian government leaders also had to ensure that their networks were ready to withstand any attack from Iran’s cyber actors.
But, behind closed doors, how do government leaders prepare for such an event?
A half-dozen former federal chief information officers, department CIOs and CISOs described to Fifth Domain how a military strike on an advanced cyber actor, such as Iran, would change their day-to-day routines as the top cybersecurity and IT officials in government. Several of those interviewed coordinated the response to the breach of the Office of Personnel Management, disclosed in 2015, which ultimately resulted in more than 21 million stolen records.
These officials described several ways government officials prepared: increasing information sharing, more frequently communicating with the Department of Homeland Security and the intelligence community, stepping up communication within agencies’ cybersecurity components and reviewing disaster response and business continuity plans.
“You are on a sense of heightened alert,” said former acting Federal CIO Lisa Schlosser, who was detailed to OPM in the aftermath of its data breach. She also served as CIO at the Department of Housing and Urban Development and CISO of the Department of Transportation before becoming federal deputy CIO.
The Cybersecurity and Infrastructure Security Agency, a DHS entity charged with protecting federal networks and critical infrastructure from cyberattacks, was on elevated alert in response to the strike. That alert level rose again after the NSA publicly disclosed a significant vulnerability in Microsoft Windows 10 this week, a CISA official told Fifth Domain.
“In response to some of the Iran activity, we did a lot of messaging out to our partners — sharing indicators of compromise, particularly some vulnerability information, and then we talked about it on our weekly [security operations center] call,” said a CISA official, who requested anonymity to discuss communications between the agency and its partners. “Around some of the other vulnerability information that’s been going on, we sent out some personalized messages checking in to see what mitigation measures agencies have been put in place.”
CISA, which holds weekly calls with agencies’ security operations centers and monthly calls with agency leaders across government, held calls with all of the organization’s partners and managed “more frequent” email traffic, including conversations about website defacements that showed pro-Iranian messages, the official said.
“We, organizationally, had some calls where we addressed all of our partners,” the CISA official said. “So we had multiple ones of [those] to keep our partners apprised of what we were monitoring, what we were seeing, what our thoughts were about the situation.”
The official added that “a lot of it was email coordination, exchange over our secure portal, and sharing some of that cybersecurity activity.”
The strike on Iran prompted CISA Director Chris Krebs to tweet that organizations should “brush up” on Iranian tactics, techniques and procedures. DHS later released a bulletin noting that there is “no specific, credible threat.” CISA then followed up again with a document instructing organizations to up defensive measures through system backup, incident response plan reviews and reporting plans.
Inside heightened information sharing
Several former department cybersecurity officials said that increased risk means more communication between department CISOs and CIOs.
“There would be over-reporting; there will be more frequent communication because everything is in such a fluid state, things are so dynamic, just to make sure that we’re on the same page … I [as CISO] would definitely be reporting up more frequently,” said Steve Grewal, who served separately as CISO and CIO at the Department of Education between 2012 and 2016. “As the CIO … I would want reporting coming into me maybe every couple hours, or maybe every hour, depending on what we’re seeing.”
Heightened information sharing would also include communicating with departments that have connected programs. For example, Grewal said, if an Education Department system links to a high-value asset at the IRS or Department of Treasury, leaders at those agencies need to talk more.
In that situation, personal relationships can be a critical avenue to information sharing. CISOs and CIOs who have built a personal rapport will ask each other what sort of threats or information they are seeing at their agency.
“I certainly adopted that as a practice to have a handful of relationships where I informally compared notes and also wanted to make [sure] that if there was spillage or there was transfer of risk as a result of those technical relationships, we have that communication line open outside of what DHS or OMB would be coordinating,” said Grewal, who now serves as Cohesity’s CTO of federal business.
Given Iran’s ability to disrupt oil and gas operations and to target industrial control systems, the Department of Energy would need to increase communication with industry stakeholders, such as organizations dedicated to protecting the power grid, former federal CISO Greg Touhill said.
“If I’m the CISO at Energy, I’m going to get in contact with the ISACs [Information Sharing and Analysis Center] of the different energy sectors … if I’m a sector specific agency, I’m going to share the same message [with] the sector that I’m telling my folks,” said Touhill, now president of Cyxtera Federal.
Tony Scott, a former federal CIO and Touhill’s former boss, said he would expect more daily briefings with the federal CISO. He also said that the federal CISO would be the busiest person in the Office of Management and Budget because the officeholder has to “make sense of all the information that’s coming in [and] sort out what’s real and what’s not real.”
Simon Szykman, who served as the Department of Commerce’s CIO from 2010 to 2014, told Fifth Domain that he would have to share his department’s cybersecurity posture up to the deputy secretary and secretary level because those officials want to “understand the risks that they may be operating under that they may not be aware of.”
How agencies should respond
Touhill said the drone strike would’ve triggered him to call a CISO meeting the following morning, adding that he would direct federal agencies to scan their external and internal systems for vulnerabilities and take corrective action where necessary. Departments, he said, scan their networks on set cycles — though they may not do it consistently enough — and adversaries will track those cycles.
“In times of heightened alerts, [that’s] a good time to go scan out of cycle,” said Touhill.
Several former department CIOs said they would also review business continuity plans and ensure the security of high-value assets, the most critical data, which often includes personally identifiable information or classified information. Because retaliation might not be immediate, agency leaders will need to stay alert for an extended period.
“Absent a known threat, typically it really becomes an issue of preparation and heightened vigilance,” said Szykman, now managing director and chief technology officer of Attain’s federal services division.
In such moments, Szykman said, the first thing he would do when he arrived at the office the day after a strike would be to check in with the department’s security operations center (SOC) to see whether anything had occurred overnight. Then he would check in with the department’s help desk to see whether any incidents had been reported, a necessary step because many end users don’t know how to send incident information to the SOC.
“On a normal day, you just assume everything is fine unless you hear otherwise,” Szykman said.
Next, he would check the threat-reporting information coming from DHS and other agencies, and look for network scanning or other unusual activity that could indicate a cyberattack may be coming.
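Of the steps Szykman describes, looking for network scanning ahead of a possible attack is the one a SOC can largely automate from the logs it already collects. The following is an added example written for this page, not code from Fifth Domain, CISA or any agency quoted here; the key=value firewall log format, the five-minute window, the thresholds and the sample log lines are all constructed assumptions. It flags a source that probes many ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) within a short sliding window, while ignoring ordinary allowed traffic.

```python
"""Flag likely port scans and host sweeps in firewall deny logs.

Added illustration for this article; the log format, thresholds and
sample data below are assumptions, not any agency's real configuration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed key=value syslog style, one event per line (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_scanners(lines, window=timedelta(minutes=5),
                  port_threshold=10, host_threshold=10):
    """Return {src: {"ports": n, "hosts": n}} for every source whose denied
    connections touched at least port_threshold distinct ports or at least
    host_threshold distinct hosts inside some window-sized sliding interval.
    The counts recorded are the largest seen in any single window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue  # only denied attempts are evidence of probing here
        events[rec["src"]].append(rec)

    findings = {}
    for src, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            ports = {r["dport"] for r in window_recs}
            hosts = {r["dst"] for r in window_recs}
            if len(ports) >= port_threshold or len(hosts) >= host_threshold:
                prev = findings.get(src, {"ports": 0, "hosts": 0})
                findings[src] = {
                    "ports": max(prev["ports"], len(ports)),
                    "hosts": max(prev["hosts"], len(hosts)),
                }
    return findings


def _constructed_sample():
    """Constructed log: a vertical scan, a horizontal sweep and benign traffic."""
    base = datetime(2020, 1, 8, 2, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # 198.51.100.23 probes 12 ports on one host, 10 seconds apart.
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f"{ts} src=198.51.100.23 dst=10.0.0.5 dport={20 + i} action=DENY")
    # 203.0.113.9 tries port 445 on 11 different hosts, 7 seconds apart.
    for i in range(11):
        ts = (base + timedelta(seconds=7 * i)).strftime(fmt)
        lines.append(f"{ts} src=203.0.113.9 dst=10.0.1.{i + 1} dport=445 action=DENY")
    # 192.0.2.4 is normal: one allowed HTTPS session and one stray denied SSH.
    lines.append(f"{base.strftime(fmt)} src=192.0.2.4 dst=10.0.0.5 dport=443 action=ALLOW")
    lines.append(f"{(base + timedelta(hours=1)).strftime(fmt)} src=192.0.2.4 dst=10.0.0.5 dport=22 action=DENY")
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for src, counts in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {counts['ports']} ports, {counts['hosts']} hosts in one window")
```

On the constructed sample the two probing sources are reported and the benign one is not. In practice the thresholds are tuned per environment, and the same window logic can be pointed at IDS or NetFlow exports once the parser is adapted to their fields.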
The relationship between agencies
DHS offers several feeds to civilian agencies that contain threat information from commercial threat intelligence companies, ISACs, the intelligence community and other industry partners.
DHS, of course, isn’t solely responsible for collecting information. That department relies on partners in the intelligence community to send threat information for wider distribution to the federal government.
When he was the federal CISO, Touhill said he would regularly communicate with the intelligence community, asking various agencies for information the IC is learning through different collection methods such as human, signals and open source intelligence.
One group, the NSA’s Cybersecurity Threat Operations Center, plays an integral role in federal cybersecurity by monitoring worldwide networks to gather threat information and distributing the resulting reports to DHS, the FBI and other government agencies. The reports can be classified, or unclassified so that they can be shared outside the U.S. government.
“They do a really good job putting together recommended mitigations,” said former NSA CISO Chris Kubic, now CISO of Fidelis Cybersecurity. “There’s certainly guidance out there to the federal CISOs to be able to understand what they should be prioritizing.”
In addition, NSA has employees detailed to civilian agencies to further its reach and create more channels to gather threat information.
“You cannot over-communicate in a situation like this,” said Schlosser.