The increased concern about ransomware incidents, from both quantitative and severity standpoints, spurred the White House to urge corporate business leaders to improve their defenses and resilience posture against ransomware attacks. In a June 2, 2021 open letter to Corporate Executives and Business Leaders (the Letter), Anne Neuberger, the White House Deputy National Security Advisor for Cyber and Emergency Technology, appealed to business leaders to act, following on the heels of the President’s directives to federal agencies and contractors.
The Letter asks business executives to view ransomware not as a data theft problem, but rather as a threat to their core business – one with the ability to halt operations and cut off the company’s revenue stream. Because this is the true threat from ransomware, business leaders must review their security postures and rehearse their business continuity plans to test not only their ability to continue operations but also their ability to restore operations.
Tighter cybersecurity requirements within federal agencies
The Letter points to President Biden’s May 12, 2021 Improving the Nation’s Cybersecurity Executive Order (EO) as a resource for best practices to drive down an organization’s ransomware risk. Like virtually all executive orders, this EO is focused on Executive Branch agencies – directing them to strengthen federal computer networks. However, the EO expressly recognizes that the private sector and government have a shared interest in maintaining a secure cyber ecosystem that strengthens the country’s economic security.
The EO offers several best practices that Ms. Neuberger’s Letter notes are not just “suitable” for the private sector, but are considered “high impact” based on their ability to significantly reduce the risk of a successful cyberattack:
In addition to the EO’s best practices, the Letter recommends businesses implement five types of protective measures to control or mitigate their cybersecurity risks.
First, businesses must protect their data by creating regular backups, testing the backups for accuracy, and storing the backups offline or on a separate server. The reason for separating a backup from the business network is that attackers will prioritize finding and then encrypting or deleting any backups on a server before launching their attack. Storing backup data on a separate server or offline improves the odds of restoring normal operations.
Second, backup data is not the only information that should be maintained on separate servers. Although there is some upfront cost to segmenting the network, hosting business support functions and manufacturing/production operations on separate networks increases the likelihood that a breach of one network can be contained rather than spread to others. This increases the likelihood that some business functions will remain operational during an attack, thereby preventing the attackers from gaining full access to and control over the enterprise.
Third, businesses must commit to installing timely updates and patches of their systems. These include the operating systems, applications and firmware. One technique for accomplishing this obligation is through a centralized patch management system and a risk-based assessment strategy to drive the patch management program.
Fourth, business leaders must not only read, but actually test their incident response plans. Just as strategies and game plans do not last far beyond the start of a contest, rehearsing and testing the organization’s ability to respond to incidents will reveal deficiencies in the plan before the plan is actually put to use, and will acclimate the participants to adapting when circumstances change from the original script. Testing the plan should include key assumptions and questions, e.g. the ability to operate without access to certain applications, running the incident response plan through an alternative communication system, or discovering the attack through an outside source such as the media or a vital customer.
Fifth, just as the incident response plan must be tested, so must the security team. Validating the company’s security team through third-party testing reduces the overall risk to the company networks by offering additional perspectives on potential vulnerabilities.
Heightened expectations for state governments and private industry
The Letter concludes with a somewhat stark admission that the federal government cannot fight the ransomware problem alone, and that cooperation amongst international and private sector stakeholders is vital. During a meeting with the National Association of Attorneys General (NAAG), Ms. Neuberger went into greater detail about the roles of these stakeholders.
Ms. Neuberger reiterated that State and local governments have an important role in the nation’s cybersecurity because those governments provide vital services to their residents, as shown by the disruption caused by the ransomware attacks in Atlanta and Baltimore. Similarly, States’ Attorneys General have an essential role in defending the country’s public and private sector computer networks, by initiating legal actions to protect consumer privacy and prosecute cybercrimes.
Because 85% of U.S. critical infrastructure is owned and operated by the private sector, Ms. Neuberger stressed the need for private and public sector partnerships to defend these infrastructure assets from ransomware. Currently, the Administration’s strategy to combat ransomware involves the following lines of effort:
One example of the cooperation with the private sector was the recent announcement of the public-private Cybersecurity Industrial Control Systems Initiative and its pilot program to strengthen cyber resilience in the electric sector. The goal is for the electric sector pilot program to be followed by similar initiatives in other critical sectors such as pipelines, water, and chemicals.
Ms. Neuberger’s Letter makes clear that the private sector cannot rely solely on the government to intervene in cyberattacks and to protect private businesses from them. To the contrary, the private sector must proactively implement security measures within the business to prevent cyberattacks, and industry must work closely with the federal government to understand how cyberattacks may be evolving and to adapt its security measures to those evolutions. In a future post, we will review the recently proposed changes to cybersecurity requirements for the oil and gas pipeline sector.
Congress may finally find the will to act
To varying degrees, members of Congress understand the challenge posed by ransomware attacks against critical infrastructure. The same day Ms. Neuberger was speaking at NAAG, Senators Gary Peters and Rob Portman, respectively the Chair and Ranking Member of the Senate’s Committee on Homeland Security and Governmental Affairs, wrote a letter to the Biden Administration asking for its input on future legislation that would address the threat posed by ransomware.
The Senators requested that any response include inputs from the Department of Justice, the Department of Homeland Security, and the Intelligence Community, in the areas of:
All three areas are broad in nature, and there is no indication of the extent to which the Senators agree that any proposed legislation should create compulsory requirements on the private sector, as opposed to voluntary best practices for certain industries. On July 21, 2021, Senate Intelligence Committee Chairman Mark Warner introduced a bill that would impose requirements on the private sector, but offer protections as well.
Senate Bill 2407 would require federal contractors and critical infrastructure entities to report cyber intrusions to CISA within 24 hours of discovery. But the bill includes a powerful incentive for complying: victim companies that timely disclose intrusions to CISA would be shielded from civil liability. The public benefits from this liability shield because timely disclosures facilitate tracking the perpetrators and mitigating the harm to U.S. critical infrastructure.
Noteworthy developments from the first half of 2021
In the weeks after the White House amplified its message, we have seen federal and state government entities publish additional requirements within their respective industry sectors and jurisdictions. The list below summarizes developments that have occurred in the last six months affecting a variety of industry sectors.
Critical Infrastructure Participants
Federal Agency Enforcement Actions
For Federal and State Government Contractors
For State-regulated entities
Cybersecurity, like most defensive activities, is reactive in nature. Accordingly, we can expect additional governmental actions in the second half of the year.
Husch Blackwell Summer Associate Brayden Schoonmaker contributed to this blog post.