Making WannaCry response a model for the future

The combined government and private-sector response to the WannaCry ransomware outbreak in May is a textbook example of how information sharing should work, said a senior Homeland Security official. But cultural and other barriers remain when it comes to such cooperation.

"WannaCry is a really great example of how the government and the private sector did it right. And we want to keep doing it right," said Department of Homeland Security Assistant Secretary for Cybersecurity Jeanette Manfra at the Sept. 25 TechTrends conference hosted by the Professional Services Council in Arlington, Va.

The WannaCry ransomware attack in May affected more than 200,000 computers in more than 150 countries.

"We were getting information from an open source perspective and from international or computer and security service response teams," which delivered technical data gathered from companies being affected overseas, she said.

"These sorts of incidents are sector agnostic; we're seeing more and more of that. So what we're really looking at -- across the sectors -- is how do we take advantage of the people from the banks, from the electric sector, from the ISPs that are sitting on the floor with us in our operations center in Arlington, [Virginia]," she said.

DHS Secretary John Kelly told Congress in May the agency was able to minimize damage to U.S. agencies following news of the cyberattack.

Kelly and Manfra attributed that to coordination between agencies and tech companies. Manfra said the agency was able to relay that information to U.S.-based companies hours before the ransomware attack spread to domestic entities, she said.  The Department of Health and Human Services was able to immediately connect with the United Kingdom's National Health Service, which was hit hardest by the attack, to discuss how the agency has handled similar intrusions in the United States.

By mid-afternoon on the Friday of the attack, Manfra said, all of the major service providers, most of which have global presences, were on calls with DHS discussing what activity they saw and how they could volunteer their services. Those talks between industry and every corner of the government from the Treasury Department, Energy Department and HHS, extended into the night and through the weekend following the ransomware attack, she said.

Manfra said getting it right had a lot to do with preparation and patching software vulnerabilities as soon as agencies were aware of them. "We had been more postured to deal with ransomware," because of previous collaboration with industry and other agencies, and focused on patching, particularly with Microsoft Windows, she added.

Complicated issues around mistrust have stymied information sharing between agencies, tech companies with resources and hackers with information who are afraid of prosecution.

Manfra didn't address cultural barriers but did point out that information sharing between major companies and federal agencies isn't enough if it doesn't trickle down.

A successful cybersecurity framework means there's an "entire apparatus in place from the global level to the local level," she said. During WannaCry's aftermath, an industry partner pointed out that small businesses were being left out of the conversation. Manfra said DHS was able to coordinate with the Small Business Administration CIO Maria Roat to distribute materials to small businesses within a day of being notified.

But while WannaCry is an example of what information sharing can do, Manfra said there's still more work to do honing of the public-private partnership for cyberattack prevention, recovery and response.

"I really like to think of this as all of the hard work, whether its industry or the government, that we've all been putting in place for the last decade and more is now coming to fruition. And now it's sort of on us to continue to build on that, to continue to keep pace with industry in terms of technology deployment and to continue to scope what our role is versus industry."