
CDAC: “The scale of what we can do is severely hampered by not having funding for dedicated staff or to fulfill requirements directly.”

We interviewed Ian Pelekis and Seungmin (Helen) Lee from Next Peak, part of the Cyber Defense Assistance Collaborative (CDAC). CDAC is a group of leading cybersecurity companies, former U.S. government officials, and top U.S. cyber defense leaders who came together to provide operational cyber defense assistance to Ukraine during the 2022 Russian invasion. Currently, CDAC works in collaboration with participating private sector cybersecurity organizations to meet cyber defense aid requests from Ukrainian government ministries and state-owned organizations. CDAC assistance includes providing cutting-edge tools and cyber threat intelligence to protect critical infrastructure.

CDAC was formed in response to the 2022 Russian invasion. Can you introduce CDAC and explain its mission in providing cyber defense assistance to Ukraine? What were the initial challenges in organizing and coordinating cyber defense aid during such a crisis?

The Cyber Defense Assistance Collaborative (CDAC) is a volunteer-led group of cyber experts, composed of former government officials, top cyber defense leaders, and cybersecurity companies who have come together to provide operational cyber defense assistance to Ukraine since the onset of the invasion by Russia. To date, we have provided upwards of $40 million in assistance across tools, training, cyber threat intelligence, and services to the Ukrainian government and critical infrastructure sectors. While our formation was in direct support of Ukraine, our mission is to provide cyber defense assistance to any democratic nation in exigent circumstances and assist in protecting those nation states in the digital realm. 

CDAC faced a number of initial challenges. As far as we are aware, no one has tried to channel private sector cybersecurity assistance to a nation at war before, making us cover a lot of new ground. First, we had to define our mission or what we sought to accomplish. We needed to ensure we stayed on the right side of the law – meaning, for example, that we only provide defensive assistance. Once we had a clearly defined mission, we were surprised that volunteer organizations were collaborative in finding ways to contribute. For the most part, popular sentiment stood with Ukraine.

The primary challenge then was coordinating effective delivery of assistance. There were two main challenges: communications and defining requirements. 

Communication in war is difficult, and our counterparts in Kyiv were in active conflict. In one case, we were communicating with a critical member of Ukraine’s cybersecurity center while they were relocating due to Russian ground fire striking too close to their location. It became quickly apparent that multiple .UA emails were compromised. Defining secure channels of communication to support our activity was a key element in effective aid delivery.  

Second, defining requirements—which set of tools and services would be easiest to deploy and most effective—in such a situation was challenging. In a standard setting you would work to understand the networks and infrastructure you are defending. In this case action and reaction needed to be as rapid as possible without the time to gain the level of visibility one would normally desire. However, as communication and trust were built, we were quickly able to bridge the gaps and develop more robust capabilities once the situation stabilized. 

CDAC provides advanced cybersecurity tools and threat intelligence to Ukrainian organizations. How do you ensure that these resources are deployed effectively and make a real impact? Can you share a success story where CDAC’s assistance directly helped Ukraine defend against a significant cyber threat?

Effective deployment and impact measurement is a challenge, largely since the organizations we are delivering assistance to are enduring a live conflict; reporting back impact analysis is not their highest priority! Tracking delivery of training, tools, licenses, and services, and mapping the gaps in capabilities these tools close, is one way to do this; however, there is plenty of unmapped activity that a slim volunteer organization like ours cannot fully take over. Another way is to pull from vulnerability management and attack surface management data to track which vulnerabilities and exploitable devices were fixed.

The Blue Force Tracker and Conflict Assessment has been a workstream for CDAC. We have been working on tracking defense assistance delivered by engaging assistance providers, researching open-source options, and recording internal assistance delivery. The biggest challenge that persists is understanding how our assistance prevented a cyber attack or not. How do you measure something that did not happen? Cybersecurity does not work like other forms of defense assistance. If you donated a missile interception battery you can attribute the interceptor with takedowns as they’re physical and tangible. How do you do that with a SIEM tool? So, we worked with Columbia University’s School of International & Public Affairs to try to understand this problem. We developed a cyber defense assistance effectiveness framework that could help evaluate effectiveness of cyber defense assistance in the immediate, medium, and long term. The phased approach helps keep in mind the exigent circumstances of an ongoing conflict and helps look at the different levels of effectiveness—operational, strategic, and organizational—when it comes to cyber defense assistance. 

We often point to our training efforts as a major win. One of our key partners has provided training for at least a few hundred Ukrainian professionals across a dozen government agencies, mostly in critical infrastructure. This effort has provided access to best-in-class training that would likely be out of reach otherwise. The training has allowed them to effectively take advantage of the tools and resources being put at their disposal. On multiple occasions we arranged for Ukrainian Operational Technology (OT) specialists to attend highly specialized events in Germany and the US to receive advanced training and go on to share their knowledge in Ukraine. 

What lessons has CDAC learned from its work in Ukraine that could be applied to strengthening cyber defense in other conflict zones or vulnerable nations?

Preparation is everything. Mapping worst case scenarios in advance and planning for those scenarios is critical. While this can sound insurmountable to less well-resourced nations with competing priorities, even completing the analysis helps map in advance where cyber defense measures need to be plugged in if rapid cyber defense is needed. For providers of cyber defense assistance, it means that we know who to contact in the event of a crisis if we have established a relationship, and that contact will know what the priorities are, providing a well-defined set of triaged needs now that an emergency has occurred. One of our major challenges at the onset of the conflict was finding the right person to talk to, the best way to communicate, and the true priority of all requests received. Having all this known in advance will only help reduce confusion and increase efficient defense in the case of a crisis. 

For the nation itself, establishing lines of communication, conducting engagement between critical stakeholders in the national ecosystem, and fostering collaboration before a conflict occurs helps. It’s difficult to establish these mechanisms in the middle of a crisis. Once a conflict is relatively stabilized, building out further layers of cyber defense is only augmented by having relationships built in advance. It takes a lot of time invested to build trusted relationships and really understand the long-term needs, especially the known unknowns and unknown unknowns. Combine this with the interdependencies of a complex national cyber ecosystem, political considerations, and finding the right suppliers if we do not have established connections with a required vendor, and you have a lengthy delivery cycle for cyber defense assistance.

What have been the biggest obstacles in sustaining CDAC’s mission, whether in terms of funding, operational challenges, or evolving cyber threats?

Prominently, funding. The organization is run by a handful of volunteers with limited access to resources, and the generosity of private sector companies providing assistance. We are lucky enough to have best-in-class private sector companies willing to provide assistance, who stay up to speed with adversary capabilities. We also happen to have a very nifty and proactive requirements manager who can procure priority defense assistance from lesser-known specialist organizations. However, the scale of what CDAC can do is severely hampered by not having funding for dedicated staff or to fulfill requirements directly through an assistance fund. A core staff would enable CDAC to process increased requirements, source defense assistance, and help scale the organization to additional nations in need. A dedicated fund is critical to help maintain donated and discounted licenses already provided. This also applies to tooling and licenses that we cannot find pro-bono. 

How can initiatives like Common Good Cyber best support CDAC’s mission and help sustain its impact?

Common Good Cyber identifies and seeks to resolve many of the issues we are facing: short term trades over sustainable impact, breaking past project-based funding, and lack of resourcing to scale. It is difficult to escape a reactive posture in our current configuration. The opportunity to access sustainable funding will enable CDAC to proactively deliver sustainable cyber defense assistance in advance of adversary activity, enabling successful delivery of our mission, for now to Ukraine, but hopefully to others in need in the future.

Common Good Cyber can enable our ability to build impact analysis and measurement. Understanding what other volunteer groups, nonprofits, and NGOs delivering similar assistance see, and CDAC contributing our data and information to such a project can help the entire cyber ecosystem develop a measurable and coherent view of impact from cyber assistance, providing usable and efficient views to enhance how we all deliver assistance. This benefit further extends in connection with a community of like-minded NGOs, nonprofits, and volunteer groups seeking to contribute to the good of the cyber ecosystem. 

