Operational Collaboration

Operational collaboration is a cyber resilience framework that leverages public-private partnerships to reduce the risk of cyber threats and the impact of cyberattacks on United States cyberspace. This operational collaboration framework for cyber is similar to the Federal Emergency Management Agency (FEMA)'s National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world.

Operational collaboration is one of the six pillars of recommendations put forward by the United States Cyberspace Solarium Commission (CSC) for a strategy of layered cyber deterrence. The CSC was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences." Significant work on the development of an Operational Collaboration Framework has also been done by the Aspen Cybersecurity Group, a cross-sector public-private forum composed of government officials, industry-leading experts, and academic and civil leaders organized by the Aspen Institute.

In the US, cyber defense under President Biden has increasingly taken an operational collaboration approach, following a number of large-scale cyberattacks on US federal agencies and businesses including Solar Winds and the Microsoft Exchange hacks. Homeland Security Secretary Alejandro Mayorkas, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, National Cyber Director Chris Inglis and other officials met with executives from 13 companies, including Google, networking vendor Juniper Networks and security firm Mandiant. Mayorkas stated at that time: "This is about taking a spirit of partnership and moving into actual operational collaboration."

Recent operational collaboration initiatives under the Biden administration include CISA's new Joint Cyber Defense Collaborative, a forum for cooperative cyber defense planning with companies at the heart of operating and securing the internet's infrastructure.

Also, the National Security Agency's new Cybersecurity Collaboration Center, a new platform stood up in the summer of 2021 for public-private cyber threat intelligence sharing on adversaries targeting the National Security System (NSS), Department of Defense (DoD) and Defense Industrial Base (DIB).

Overview
Security weaknesses in the computer networks that run critical infrastructure sectors—banking, energy, healthcare, telecommunications, shipping, and more—allow sophisticated actors to attack and disrupt essential elements of society. Many of these sectors depend on the others to function. These interdependencies create a systemic cyber risk where a large-scale attack on one sector could trigger a cascading failure in other key sectors, potentially resulting in significant destabilizing effects on public health, public safety, economic security or national security. Because this systemic cyber risk is shared across public and private entities, an operational collaboration framework is needed to coordinate action between government and industry to secure cyberspace.

Operational collaboration builds on past progress with information sharing to plan and execute public-private actions to create a strategic deterrent and defend US cyberspace.

History
The concept of operational collaboration originated in the financial services sector with the establishment of the Financial Systemic Analysis & Resilience Center (FSARC) in 2016. The FSARC is a subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC). It was established to deepen public-private collaboration between U.S. financial institutions and government agencies to improve the resilience of the critical functions that underpin the financial sector.

The FSARC was initiated by eight large U.S. banks – Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo. It facilitates operational collaboration between financial institutions and U.S. government partners in the FBI, Department of Homeland Security, and the Department of Treasury. Together, they conduct analysis of critical financial sector systems and jointly monitor and warn against threats to those systems. JPMorgan's Greg Rattray was the main driver of the operational collaboration concept, and he served as the FSARC's Co-President alongside Bank of America's Siobhan MacDermott when the center was first established.

Mission Areas
Operational collaboration should occur in five mission areas: Protect, Mitigate, Prevent, Respond and Recover. This is similar to the National Preparedness System established under Homeland Security Presidential Directive-8 that is used to coordinate responses to natural disasters, terrorism, chemical emergencies in the physical world. As the linkage between the cyber and physical realms increases, using similar organizing constructs for both environments would make coordination between the two realms more seamless.
 * Steady state: The Protect, Mitigate, and Prevent missions constitute the collaboration areas in a "steady state" environment or the normal operating state of the world.
 * Incident Response: When a cyber incident occurs that has a broad impact on our digital ecosystem (whether from a national security, economic, or public health and safety point of view), then the action shifts to the Response and Recovery missions.

Protect and Mitigate
Relevant actors collaborate to raise the level of cybersecurity across the digital ecosystem and to mitigate the potential impact of cyber threats. Key activities include risk management to identify critical systems and lower risk appropriately, addressing vulnerabilities, developing and sharing information and intelligence on emerging threats, developing a deep understanding of threats and the ability to warn of attacks, implementing cybersecurity best practices, conducting research on interdependencies, establishing contingency plans, and conducting exercises.

Prevent
Relevant actors synchronize actions to disrupt the activities of malicious cyber actors prior to and outside of a response to a specific incident. Key activities include exposing malicious cyber campaigns publicly, botnet take-downs, law enforcement actions against companies, economic sanctions, and other cyber and non-cyber government counter measures against malicious cyber actors. Private sector actors will only operate on their own networks; government actors may conduct offensive cyber operations on other networks to prevent and deter attacks, when appropriate.

Respond and Recover
The relevant actors are responding to and/or recovering from an incident that is either on-going or has already occurred. Progress has been made in this mission area, including improved information sharing to ensure that adversary tactics, techniques, and procedures (TTPs) have a limited effective lifespan and the development of plans and policies such as the National Cyber Strategy, Presidential Policy Directive 41 and the National Cyber Incident Response Plan. Key activities include rapidly identifying the incident's underlying cause, sharing and implementing effective defensive measures to contain or prevent further damage, and synchronizing specific response actions, such as dropping packets or re-routing traffic.

Examples
Trickbot takedown before the 2020 presidential election.

Response to Solarwinds by FireEye/Mandiant + federal cyber defenders in early 2020

REvil ransomware takedown