The report is from the Institute for Security and Technology, and it takes a look at three existing public-private partnerships designed to fight ransomware: the Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative, Europol’s European Cybercrime Center, and the institute's own Ransomware Task Force. Authors of the report reviewed research and interviewed the collaborations' participants.
The study focused on entities that chose to join their collaborations, looking at why they chose to take part as well as what helped groups stick together.
“A lot of private-sector actors really want to be collaborating more than they already are,” said report co-author Elizabeth Vish.
Indeed, companies said they joined collaborations out of a desire to boost collective cybersecurity and better understand threats.
Many also appreciated that the partnerships created neutral space for competitive companies to share cybersecurity info. Some companies also said the collaboration helped establish their expertise and raise their brand awareness, enabling them to work with recent cyber victims without triggering suspicion.
Public- and private-sector partners bring different information and insights. Additionally, government can do things companies cannot, like pursuing perpetrators, while private entities can share important details learned from attacks hitting their organizations or clients.
But launching and maintaining partnerships means both assuaging fears and watching out for potential pitfalls.
Private entities are often concerned about sharing info with government and about the risks of regulatory retaliation or reputational damage. Collaborations should create information-sharing agreements and establish expectations around confidentiality. This might mean using the Traffic Light Protocol to govern what info can be shared and how widely, applying the Chatham House Rule to meetings, deploying encrypted communication channels, and using other methods.
Companies can also become frustrated over whether the information they share is helpful. Lack of regular engagement from public-sector partners may lead them to disengage. For example, some Joint Cyber Defense Collaborative members said they heard little from CISA about the information they shared in the aftermath of Russia’s invasion of Ukraine, and some European Cybercrime Center participants said they were expected to keep sharing information but also wait months or years to learn if any of it was helpful.
Those issues aren’t always easy to resolve, but governments should strive to give feedback to private-sector participants.
“A simple ‘thank you’ — simple acknowledgement of the contribution that participants are making — that makes a really huge difference as well in making sure that all participants are staying engaged in the partnership,” said co-author Gigi Flores Bustamante.
Meanwhile, private organizations must recognize that governments often cannot reveal how, or whether, information helped with ongoing law enforcement work. Setting clear expectations around what can be shared is important.
Governments can also emphasize the collaboration’s value to private entities by sharing their information first during meetings — something CISA often does during the Joint Cyber Defense Collaborative’s ransomware actor-specific action groups, per the report.
Trust within the partnership is essential, too. Regularly meeting in person and keeping the group relatively small can help foster trust. Groups, however, should still be big enough to bring diverse perspectives and expertise. And organizations must plan so that one person’s departure doesn't disrupt the work, potentially by taking time to introduce a replacement.
Convening bodies should consider vetting potential participants before inviting them, making clear what participants will contribute if they join.
And, as for many groups, it’s helpful to establish clear leadership roles and specific goals, along with timelines and ways of assessing success. Groups may also need to evolve. Convening entities should regularly solicit feedback from participants and re-evaluate structure, methods and more.
While there are challenges, the benefits are very real.
“We just encourage people to keep working on these partnerships because they really do make a difference,” Flores Bustamante said.