
Stronger Together: How SLTT Agencies Can Win Against Cyber Threats Through Intel Sharing and Collaboration

Tom Stockmeyer

Managing Director, Government and Critical Infrastructure, Cyware

A Fragmented Defense Can’t Stop Coordinated Threats 

State, Local, Tribal, and Territorial (SLTT) agencies form the frontline of American critical infrastructure. This makes them a valuable target, and they are increasingly under siege. These agencies provide their citizens with essential services and emergency response, yet face mounting cyber threats from adversaries who exploit their constrained resources. With several cyberattacks targeting organizations with similar profiles, SLTT agency cybersecurity is being tested like never before.

Despite the clear and present danger, most SLTT agencies operate in silos, cut off from the intelligence networks and cyber threat information that larger federal entities rely on to stay ahead of nation-state actors and other cybercriminals. Rigid funding processes, lean security teams, and fragmented toolsets make it difficult for SLTT agencies to build strong cyber defenses. Meanwhile, criminal attackers collaborate and share insights freely, usually within minutes of a new vulnerability disclosure, widening the gap between threat actors and defenders. The result: isolated SLTT agencies with incomplete threat pictures are often unable to act quickly or decisively.

The fastest, most scalable path to resilience that SLTT agencies need to adopt today is collaboration. Intelligence sharing networks like Cyware Collaborate can empower SLTT agencies to pool insights, coordinate faster responses, and elevate their collective defense. 

National security is only as strong as its most local link, and by coming together, SLTT agencies can turn fragmentation into force.

The Cybersecurity Realities for SLTT Agencies 

Let’s look at the cybersecurity “realities” that SLTT agencies face.  

Budget limitations, stemming from lengthy, politically driven legislative processes, not only limit funding for vital cybersecurity solutions, but also leave government cyber teams understaffed.  

Rural SLTT agencies are more likely to have siloed cybersecurity operations teams, born from piecemeal additions of security tools and processes. These teams move ahead as they can, but the government agencies often lack the resources to develop a sound cyber defense strategy, increasing the cybersecurity threat to their sensitive information. 

Rising ransomware risks increase the chance of data breaches. Nation-state-sponsored criminals are increasing their attacks against SLTT critical infrastructure exponentially. Take a look at recent attacks against U.S. water and power utilities and you’ll see that these criminals often target lonely, unassuming utilities first to get a lay of the land. As with supply chain attacks, criminals often attack smaller or less sophisticated SLTT agencies first to fine-tune their TTPs and then attack larger state and municipal governments later. One thing is sure: the majority of attacks are becoming increasingly coordinated across different criminal attackers.


Why Intelligence Sharing and Collaboration Are Mission-Critical 

Collaboration and intelligence sharing are not just a plus in cyber operations; I would go so far as to call them an imperative for effectively blocking threats.

A. Day-to-Day Operations: 

On a “business as usual” basis, early warnings and shared context from peers will level up the threat intelligence expertise of any small SLTT agency. Multi-point threat information helps teams that are already short-staffed avoid doing the same work twice. Instead of duplicating analysis, these teams can build off each other's insights and save time. This open-handed information sharing enhances community trust and increases the readiness of the whole group before crises hit.  

B. Emergency and Crisis Operations:

Information sharing across organizations also offers real-time situational awareness across jurisdictions. This makes for faster, more effective coordinated responses. A cross-organization information sharing model supports mutual aid and cross-agency response models, where the security of one is really the security of the whole.

Remember, an attacker’s experience with one member of the group can often set the attacker’s expectations for similarly profiled agencies. In other words, if one rural power plant or Tribal authority was easy to compromise, chances are that attacks on other similar SLTT organizations using the same TTPs would yield the attacker the same success.

C. Long-Term National Resilience: 

In many cases, the “whole” may mean an industry, sector, or group of corporations. With SLTT governments, the whole often refers to whole cities, counties, or states at large. Because threat actors exploit the weakest link, sharing threat intelligence more freely with other SLTT governments raises the level of security for all – not only the bordering jurisdictions, but also the citizens who rely on those government resources.

Interconnected systems may also be impacted by local incidents that have national implications. A blow to a statewide utility has an impact on national security. SLTT government collaboration protects local municipalities from reputational damage and bolsters our national cybersecurity posture.  

The Problem: Sharing Is Still Too Manual, Too Slow, and Too Siloed 

So, what is there to say beyond that SLTT governments should share information more? The answer is, it’s not so simple. 

Currently, SLTT agencies primarily share threat intelligence via emails, PDFs, or legacy portals. Those forms of intel sharing are slow and siloed – nowhere near the speed intel sharing needs to reach in order to keep up with AI-based emerging threats. Analysts often waste days manually reformatting data, chasing context, and verifying information.

The results of all this manual work are delayed incident response and missed threat indicators, contributing to a fragmented cyber defense. Even if one agency wanted to share information with other agencies, by the time they shared it, the receiving agency may already be impacted by the threat.  

The Solution: Real-Time Collaboration with Cyware 

Thankfully, technology comes to the aid of SLTT agencies. This is what the right technology - Cyware - can do.

What Is Cyware? 

Cyware Collaborate is a purpose-built platform for real-time threat intelligence sharing and operational collaboration across SLTT agencies and other public sector entities. Cyware facilitates smooth and easy ingestion, analysis, processing, and of course, sharing of information across agency and entity lines - while reducing the overall operational workload of each. 

Key capabilities include seamless ingestion of threat data from a myriad of external and internal sources, in both human-readable and machine-readable formats. Cyware boosts situational awareness with automated alerts, distributes threat advisories from any source to any platform, creates working groups to facilitate investigative collaboration, and facilitates sharing at scale. 

Key Benefits to SLTT Agencies 

Cyware enables SLTT agencies to: 

  • Instantly operationalize threat intelligence from peers, ISACs and federal sources. 
  • Build a trust-based sharing community with control over what’s shared and with whom. 
  • Respond faster with shared context, playbooks, and coordination. 
  • Close the loop between intelligence and action. 

Conclusion 

SLTT agencies can no longer afford to wait when it comes to threat intelligence information sharing. Global threat actors are incredibly organized and tactical in their approach. Faced with disorganized government targets, criminals are picking public sector entities off one by one.  

Smaller SLTT organizations may not be able to wave a magic wand and improve in the ways they want to the most – funding, staffing, or legislation – but one thing they can do is put their heads together to experience the synergy of shared threat collaboration. When facing a fast-moving, sophisticated adversary, this is one area of cybersecurity where one and one make three. And, nothing is more resilient than a hardened, unified ecosystem.  

To learn how Cyware can better protect SLTT governments from cyber threats, book a demo now.