Collaboration between CISA, Cyber Command thwarted dangerous cyberattacks, officials said

During the 2023 RSA Conference, top officials provided rare insight into sharing information to protect U.S. networks from malicious hackers.
The Moscone Center where RSA Conference is being held. (RSA Conference)

SAN FRANCISCO — Information sharing between U.S. Cyber Command and the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security stopped several potentially disastrous cyberattacks, including a suspected Iranian attack against American elections.

Leaders from the Pentagon’s offensive cyber and the top civilian federal cybersecurity agency said the relationship between the two organizations has been indispensable when it comes to defending the country against foreign hackers.

“There’s always been a bit of a cliché that government was stove-piped. That companies didn’t know who to call. That there was concern that nugget of information coming into a government ecosystem would fall into a black box, never to be seen again,” said Eric Goldstein, executive assistant director at CISA. “And we are working with extraordinary urgency to break that model, such that truly a call to one is a call to all.”

The private sector has long complained that sharing information with the government lead to little information in return. For instance, during initial comments for CISA’s request for information on the Cyber Incident Reporting for Critical Infrastructure Act, multiple comments highlighted the need for information to be send back to the private sector.


But while sharing between government and the private sector may need improvement, it seems like exchanging information between CISA and Cyber National Mission Forces at Cyber Command is bearing fruit.

“What information does the DHS CISA have relevant to the [Defense] department’s mission that might allow us to execute an operation to disrupt an ongoing or prevent a future attack in the United States,” Maj. Gen. William Hartman, commander of the CNMF, told an audience at the annual RSA Conference happening this week in San Francisco where he and Goldstein provided a rare look in inside how the two organizations communicate.

A prime example related to a CNMF cyber intelligence, surveillance and reconnaissance mission that uncovered an Iranian-linked hacking campaign to gain access to software that reports election results. Cyber Command officials passed that information to CISA, which in turn notified the affected jurisdictions and offer incident response support. CNMF, meanwhile, was able to ensure that the hackers did not have access to those networks, Hartman said.

“There was no impact to election infrastructure, no impact to voting systems, no impact to the free and fair conduct of the election,” Goldstein said. “This is a case where we had an adversary with the potential intent to take action relating to an election, we were able to effectively get in front of that activity.”

Another instance related to unidentified foreign hackers carrying out an intrusion campaign against three federal agencies. When CISA discovered the campaign, Goldstein said, the agency took steps to thwart the attack while sharing information with CNMF gathered during the investigation.


“The ability for DHS CISA to be able to rapidly provide us information has become a large driver for CMNF operations around the world,” Hartman said. “I just want to highlight that this isn’t something that we would be talking about if this was a couple of years ago.”

Goldstein said that the next step is to ensure that the relationship endures and becomes institutional and automatic. “A lot of this work is fairly new and fairly novel and it’s only going to mature,” Goldstein said.

Latest Podcasts