Written by Chris Bing

A confidential information-sharing agreement between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line between the country’s public and private sectors as the U.S. government becomes increasingly receptive to launching offensive hacking operations.

The pilot program, codenamed “Project Indigo,” recently established an information-sharing channel for a subunit of FS-ISAC known as the Financial Systemic Analysis & Resilience Center (FSARC). That subunit shares “scrubbed” cyberthreat data, including malware indicators, with the Fort Mead-based Cyber Command, according to current and former U.S. officials.

The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities.

It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action. That could include providing unique insight back to FSARC or even taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.

The program is currently organized in a fairly informal manner, but participants have been discussing a more formal arrangement. Eight financial institutions are involved in FSARC: Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo. Project Indigo also provides data to the Department of Homeland Security and U.S. Treasury. However, those agencies were already getting data from the banks that is narrowly leveraged for defensive measures.

In an emailed statement, a Cyber Command spokesperson acknowledged Project Indigo’s existence.

“The pilot began in 2017 with USCYBERCOM personnel receiving sector-specific exposure to risks facing critical financial payment systems, and observing exercises related to risk mitigation and recovery around realistic scenarios,” said Cyber Command spokesperson Col. Daniel King. “Later, two samples of anonymized cyber threat information were shared with USCYBERCOM to allow the government and its critical infrastructure partners the ability to jointly assess and address emerging threats.”

“No Personally identifiable Information (PII) was shared with USCYBERCOM as part of this effort,” King added.

The financial institutions that participate in the arrangement gave consent to FSARC to share the data with the U.S. government, a person familiar with the effort told CyberScoop. Sources spoke on the condition of anonymity due to the sensitive nature of the program.

In one recent case, FSARC gave Cyber Command a “combo of open-source derived IOCs [indicators of compromise] associated with DPRK [North Korea] and some observed,” one source said. “Open source” in this case means from outside a financial institution, while “observed” refers to internal data.

Under the agreement, financial institutions share data “considered not exclusive” to any one financial firm, a former U.S. official said. Another source familiar with the program said that it was challenged by the simple fact that the banks weren’t yet “interested in sharing at a level which would be truly useful [for Cyber Command].”

An October 2016 press release originally announcing FSARC explained that its mission is to “proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. financial system from current and emerging cyber security threats through focused operations and enhanced collaboration between participating firms, industry partners, and the U.S. government.”

That announcement specifically described “government partners” as Treasury, DHS and the Federal Bureau of Investigation, but it did not mention U.S. Cyber Command or the National Security Agency.

Wells Fargo, Bank of America and JPMorgan Chase did not respond to multiple requests for comment. The Office of the Direction of National Intelligence and NSA deferred to Cyber Command for comment.

It’s widely known that large financial institutions face a bevy of sophisticated cyberattacks from both nation states and well-equipped criminal groups. Organized as a private non-profit organization, the FS-ISAC sits at the center of this activity, collecting and sharing information between companies so they can be collectively informed about active cyberthreats.

The collected data can often be extremely sensitive. Not only does it contain malware indicators, but sometimes other sensitive information tied to the targeted institutions. As a result, the intelligence is usually both highly valuable for defenders and potentially dangerous if it’s ever made public.

In an emailed statement, an FS-ISAC spokesperson said: “[Project Indigo] focuses on sharing cyberthreat intelligence related to key threats facing systemically important critical infrastructure operators, with the intention of protecting our financial institutions, their networks and their clients. No customer information has been shared with the U.S. Government under Project Indigo.”

While it’s common for businesses to voluntarily provide federal agencies with information about incidents in cyberspace, the 2013 Edward Snowden leaks chilled these types of relationships, especially between private companies and intelligence agencies. Cyber Command is not an intelligence unit, but it maintains a close relationship with the NSA, including sharing the same leader and building.

Jason Healey, a former intelligence officer and current senior research scholar at Columbia University’s School for International and Public Affairs, told CyberScoop he believed Project Indigo represented a pragmatic step forward.

“We need to be prepared for there to be a role, especially in time critical incidents, for Cyber Command to contribute so long as they are also coordinating with Treasury and [DHS],” said Healey.

Blurring government boundaries

Project Indigo raises questions about the existing hierarchy in government and whether decision-makers see a need for the military to be more integrated with the private sector on cybersecurity.

Over the last eight years, the Defense Department’s role in working with private companies on cybersecurity has fluctuated significantly.

During the Obama administration, the government took steps to make DHS the lead on public-private partnerships. This push was boosted in 2015, when Congress passed the Cybersecurity Information Sharing Act (CISA). The law gave certain liability protections to private companies whenever they shared cyberthreat data with the government through a portal managed by DHS.

The decision to embolden DHS with CISA came after there was a public outcry over privacy concerns. Just two years after the Snowden leaks, critics worried that the Defense Department would mishandle CISA.

A current U.S. official described Project Indigo as “classic mission creep,” a term used to describe when one agency oversteps its boundaries in regards to another agency’s program.

But experts contend that Cyber Command’s role will need to evolve if it’s to reach its full potential. Additionally, the military is already involved in other information sharing initiatives with the private sector.

In December, a Government Accountability Office (GAO) report called on the Defense Department, including Cyber Command, to clarify and further define how it interacts with companies and civilian agencies.

“DOD was supposed to develop [a] comprehensive plan for CYBERCOM to support civil authorities in responding to cyberattacks. DOD has rigorous requirements for what plans should look like, and this didn’t match,” Joseph Kirschbaum, director of GAO’s Defense Capabilities and Management office, previously told CyberScoop.

Congress is currently weighing what role Cyber Command should play in protecting private companies from hackers. In the past, members of the Senate Armed Service Committee have advocated for the military to be more involved.

Last summer, Lt. General Vincent Stewart, the current deputy commander of Cyber Command, said he would like the military to be able to reverse-engineer malware samples in order to create new hacking tools.

“Once we’ve isolated malware, I want to reengineer it and prep to use it against the same adversary who sought to use it against us,” Stewart described. The practice is already well known inside NSA, based on leaked classified documents.

Generally speaking, the military’s relationship with the banks is still evolving.

During the Cyber Command Strategy Conference earlier this year, a high ranking Cyber Command official remarked on stage that “if J.P. Morgan wants to meet us halfway, then that would mean us monitoring their networks [for malicious cyber activity],” according to two individuals who attended the February event.

The comment stunned some audience members, although former NSA Director Gen. Keith Alexander had said something very similar in 2013.