The increased concern about ransomware incidents from both quantitative and severity standpoints, spurred the White House to urge corporate business leaders to improve their defenses and resilience posture against ransomware attacks. In a June 2, 2021 open letter to Corporate Executives and Business Leaders (the Letter), Anne Neuberger, the White House Deputy National Security Advisor for Cyber and Emergency Technology, appealed for business leaders to act following on the heels of the President’s directives to federal agencies and contractors.
The Letter asks business executives to view ransomware not a data theft problem, but rather as a threat to their core business – with the ability to halt operations and cut off the company’s revenue stream. Because this is the true threat from ransomware, business leaders must review their security postures, and rehearse their business continuity plans to test not only their ability to continue operations but also to restore operations.
Tighter cybersecurity requirements within federal agencies
The Letter points to President Biden’s May 12, 2021 Improving the Nation’s Cybersecurity Executive Order (EO) as a resource for best practices to drive down an organization’s ransomware risk. Like virtually all executive orders, this EO is focused on Executive Branch agencies – directing them to strengthen federal computer networks. However, the EO expressly recognizes that the private sector and government have a shared interest in maintaining a secure cyber ecosystem, that strengthens the country’s economic security.
The EO offers several best practices that Ms. Neuberger’s Letter notes are not just “suitable” for the private sector, they are considered “high impact” based on their ability to significantly reduce the risk of a successful cyberattack:
- Mandate the use of Multi-Factor Authentication (MFA) to further protect passwords from being compromised;
- Implement endpoint detection that actively hunts for malicious activity on a network;
- Implement endpoint response to block, trace, and prevent malicious activity;
- Encrypt your data (in transit and at rest) to render it unusable if stolen or accessed without authorization;
- Retain a skilled, empowered security team that is trained to be vigilant and responsive to cyberattack threats, patching software, sharing threat information with trusted partners and updating your defenses.
In addition to the EO’s best practices, the Letter recommends businesses implement five types of protective measures to control or mitigate their cybersecurity risks.
First, businesses must protect their data, by creating regular backups, testing the backups for accuracy, and storing the backups offline or on a separate server. The reason for separating a backup from the business network is that attackers will prioritize finding and then encrypting or deleting any backups on a server before launching their attack. Storing backup data on a separate server or offline improves the odds of restoring normal operations.
Second, the backup data is not only information that should be maintained on separate servers. Although there is some upfront cost to segmenting the network, hosting business support functions and manufacturing/production operations on separate networks increases the likelihood that a breach of one network can be contained and not spread to others. This increases the likelihood that some business functions will remain operational during an attack, thereby preventing the attackers from gaining full access and control over the enterprise.
Third, businesses must commit to installing timely updates and patches of their systems. These include the operating systems, applications and firmware. One technique for accomplishing this obligation is through a centralized patch management system and a risk-based assessment strategy to drive the patch management program.
Fourth, business leaders must not only read, but actually test their incident response plans. Just as strategies and game plans do not last far beyond the start of a contest, rehearing and testing the organization’s ability to respond to incidents will reveal deficiencies in the plan before the plan is actually put to use, and will acclimate the participants to adapting when circumstances change from the original script. Testing the plan should include key assumptions and questions, e.g. the ability to operate without access to certain applications, or running the incident response plan through an alternative communication system, or discovering the attack through an outside source such as the media, or a vital customer.
Fifth, just as the incident response plan must be tested, so must the security team. Validating the company’s security team through third-party testing reduces the overall risk to the company networks by offering additional perspectives on potential vulnerabilities.
Heightened expectations for state governments and private industry
The Letter concludes with a somewhat stark admission, that the federal government cannot fight the ransomware problem alone, and that cooperation amongst international and private sector stakeholders is vital. During a meeting with the National Association of Attorneys General (NAAG), Ms. Neuberger went into greater detail about the roles of these stakeholders.
Ms. Neuberger reiterated that State and local governments have an important role in the nation’s cybersecurity because those governments provide vital services to their residents, as shown by the disruption caused by the ransomware attacks in Atlanta and Baltimore. Similarly, States’ Attorneys General have an essential role in defending the country’s public and private sector computer networks, by initiating legal actions to protect consumer privacy and prosecute cybercrimes.
Because 85% of U.S. critical infrastructure is owned and operated by the private sector, Ms. Neuberger stressed the need for private and public sector partnerships to defend these infrastructure assets from ransomware. Currently, the Administration’s strategy to combat ransomware involved the following lines of effort:
- disrupting ransomware infrastructure and its actors by working closely with the private sector;
- leveraging international cooperation to hold countries who harbor ransom actors accountable;
- expanding cryptocurrency analysis to find and pursue criminal transactions; and
- reviewing the federal government’s ransomware payment policies and approaches.
One example of the cooperation with the private sector was the recent announcement of the public-private Cybersecurity Industrial Control Systems Initiative and its pilot program to strengthen cyber resilience in the electric sector. The goal is for the electric sector pilot program to be followed by similar initiatives in other critical sectors such as pipelines, water, and chemicals.
Ms. Neuberger’s Letter makes clear that the private sector cannot solely rely on the government to intervene in cyber-interventions and to protect private businesses from cyberattacks. To the contrary, the private sector must proactively implement security measures within the business to prevent cyberattacks, and industry must work closely with the federal government to understand how the cyberattacks may be evolving and to adapt its security measures to those evolutions. In a future post, we will review the recently proposed changes to cybersecurity requirements for the oil and gas pipeline sector.
Congress may finally find the will to act
To varying degrees, members of Congress understand the challenge posed by ransomware attacks against critical infrastructure. The same day Ms. Neuberger was speaking at NAAG, Senators Gary Peters and Rob Portman, respectively the Chair and Ranking Member of the Senate’s Committee on Homeland Security and Governmental Affairs wrote a letter to the Biden Administration, asking for its input on future legislation that would address the threat posed by ransomware.
The Senators requested that any response include inputs from the Department of Justice, the Department of Homeland Security, and the Intelligence Community, in the areas of:
- Strategies that federal agencies are developing and implementing to combat ransomware attacks;
- Any new authorities, or revisions to existing authorities, that would further empower relevant federal agencies to combat ransomware attacks and respond when they do occur; and
- Suggestions for Congress to consider as we develop legislation and oversight plans to combat ransomware attacks.
All three areas are broad in nature and there is no indication whether the Senators agree to what extent any proposed legislation would create compulsory requirements on the private sector, as opposed to voluntary best practices for certain industries. On July 21, 2021, Senate Intelligence Committee Chairman Mark Warner introduced a bill that would impose requirements on the private sector, but offer protections as well.
Senate Bill 2407 would require federal contractors and critical infrastructure entities to report cyber intrusions to CISA within 24 hours of discovery. But the bill includes a powerful incentive for complying. Victim companies that timely disclose intrusions to CISA would be shielded from civil liability. The public benefits from this liability shield because timely disclosures facilitate the tracking of perpetrators and mitigating the harm to U.S. critical infrastructure.
Noteworthy developments from the first half of 2021
In the weeks that followed the White House amplifying its message, we have seen federal and state government entities publish additional requirements within their respective industry sectors and jurisdictions. The list below summarizes developments that have occurred in the last six months affecting a variety of industry sectors.
Critical Infrastructure Participants
- Pursuant to President Biden’s EO, the National Institute of Standards and Technology published a definition of EO-critical software, which will be expanded by the Cybersecurity and Infrastructure Security Agency in the future.
- On May 27, 2021, the Transportation Security Administration, which has responsibility for oil and gas pipelines, announced a Initial Pipeline Security Directive that began the transition from voluntary security guidelines to mandatory requirements, discussed in greater detail here.
- On June 20, 2021, TSA announced a Second Pipeline Security Directive requiring pipeline owners and operators to implement multiple protections against cyber intrusions.
Federal Agency Enforcement Actions
- On June 11, 2021 the Securities and Exchange Commission added cybersecurity risks to its spring 2021 rulemaking list, and four days later announced a settled penalty with a company for deficient cybersecurity disclosures.
- The U.S. Department of Labor (DOL) released cybersecurity guidance tips for retirement plan administrators on April 14, 2021. The guidance is not mandatory but it provides insights into DOL’s expectations for retirement plan administrators. As of June 2021, DOL audits have begun asking plan administrators for documents related to their cybersecurity policies and practices.
For Federal and State Government Contractors
- Federal contractors are aware of the slow but steady advancement of cybersecurity requirements within government contracts. The first half of 2021 saw the reuse of security authorization packages nearly double, while the reuse of cloud products rose more than fifty percent.
- Earlier this year the FedRAMP program management office reported on its initiative with CISA to provide a scoring methodology to evaluate security controls against real world cyber threats. The Pentagon’s Cybersecurity Maturity Model Certification (CMMC) Accreditation Board has now established provisional assessors for third-party assessments.
- Not to be outdone by the federal contracting sector, a non-profit organization org launched in January 2021 with the goal of providing state and local governments together to drive strong but fair cybersecurity standards.
For State-regulated entities
- At the state financial services level, the New York Division of Financial Services (NYDFS) published Ransomware Guidance for its regulated entities and cautioned that NYDFS was contemplating revisions to its 2016 cybersecurity regulation. Regular readers of our blogs may recall our March 2021 analysis of the NYDFS Cyber Insurance Risk Framework that cautioned insurers of the hidden risks with cyber insurance policies.
- During 2021, twenty-six state legislatures introduced data privacy and/or information security bills, three of which have resulted in new state laws, with five states still considering legislation. Details for the status of each state’s bills continue to change as the legislative sessions draw to a close, but regular updates can be found here.
Cybersecurity like most defensive activities is reactive in nature. Accordingly, we can expect additional governmental actions in the second half of the year.
Husch Blackwell Summer Associate Brayden Schoonmaker was a contributor of this blog post.