After a series of high-profile supply chain and ransomware attacks, the federal government is ramping up its effort to improve the nation’s cybersecurity. In the past several months, multiple federal departments and agencies announced new policy initiatives and regulatory directives to drive their cybersecurity agenda forward, and state regulators are following the trend. It is unmistakably clear that companies in regulated sectors are entering a new era of cybersecurity regulatory compliance. And although much of this early action targets specific sectors (e.g., government contractors, pipeline operators, and public companies), these requirements will indirectly touch companies in other sectors and are a preview of broader regulation to come. Here, we discuss recent notable actions on cybersecurity by federal and state government agencies.
Policy Initiatives from the Top (and Elsewhere)
On May 12, 2021, President Joe Biden signed the Executive Order on Improving the Nation’s Cybersecurity. The order focuses on improving the executive branch’s cybersecurity posture in response to recent supply chain and ransomware attacks. The order calls for:
The standards on software development are likely to have the greatest security impact (and impose the greatest burden), as they will place new security and disclosure requirements, now being developed by the National Institute of Standards and Technology (NIST), on software developers. Although these requirements will apply only to suppliers to the federal government, any improved security should benefit other organizations that use the same software (and suppliers should expect state governments and private organizations to copy the procurement requirements).
The White House also published an open letter to U.S. business leaders and executives, urging them to implement protective measures against ransomware attacks. The letter confirms that disrupting ransomware actors is one of the Biden administration’s top priorities and recommends that private companies adopt the following security measures against ransomware attacks:
The White House also emphasized cybersecurity and the need to impose consequences on criminal actors during meetings with foreign leaders. At the G7 summit, world leaders, including Biden, identified ransomware as one of the biggest threats to people and businesses around the globe and urged Russia to “identify, disrupt, and hold to account” cybercriminals operating from the country. Notably, the emphasis on cybersecurity at the G7 summit came soon after an in-person meeting between U.S. Secretary of State Antony Blinken and Russian Foreign Minister Sergei Lavrov, during which the pair reportedly discussed cybersecurity-related issues.
Biden continued this emphasis on July 9, 2021, several days after another massive ransomware attack by the REvil ransomware gang (believed to operate in Russia) affected more than 1,000 businesses over the July 4 weekend. Biden warned Putin that the U.S. will take “any necessary action” to defend U.S. infrastructure from cyberattacks. Importantly, Biden “made it very clear to [Putin] that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.” Following this remark, on July 13, all infrastructure tied to the REvil ransomware group, including its data leak and payment sites, went offline.
On July 14, the White House announced a new ransomware task force to coordinate both defensive and offensive actions against ransomware operators, which may include launching cyberattacks against foreign ransomware operators. This follows earlier remarks by Department of Homeland Security (DHS) Secretary Alejandro Mayorkas, who recently declared ransomware a national security threat and announced the department’s plan to create recommendations to slow the ransomware epidemic, including mandatory reporting of ransom payments. Some lawmakers and policymakers, such as Sen. Mark Warner, D-Va., and Energy Secretary Jennifer Granholm, are taking it a step further by suggesting that ransom payments should be made illegal for U.S. companies, to remove the financial incentive for cybercriminals.
Continued pressure and strong government action to create consequences for criminal actors will be critical to curb the current wave of ransomware attacks. The government must continue sending a clear message that no safe havens exist from which individuals can run global cybercrime operations without consequences.
Regulatory Pressure Mounting
On the regulatory side, the Transportation Security Administration (TSA) issued a new directive requiring critical pipeline owners and operators to report cybersecurity incidents—which the directive defines broadly—to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identifying such an incident (both TSA and CISA fall within DHS). The directive also requires pipeline companies to designate a cybersecurity coordinator, conduct a one-time vulnerability assessment, and report the findings to TSA and CISA. This is a swift change from the voluntary reporting regime TSA introduced in March 2018 and was a direct reaction to the recent Colonial Pipeline attack. DHS has signaled that additional regulations governing cybersecurity for pipeline operators will be coming.
The Securities and Exchange Commission (SEC) is also signaling a more aggressive posture on cybersecurity. In June, the SEC announced its intention to propose rule amendments that would enhance issuer disclosure requirements regarding cybersecurity risk factors. In addition, the SEC recently settled charges against real estate settlement services company First American for an inadequate Form 8-K disclosure related to First American’s 2019 cyber incident, imposing an approximately $500,000 civil penalty. The SEC’s charges focused on an alleged failure in First American’s disclosure controls—that is, that its 8-K disclosure was deficient because it failed to accurately describe the current state of First American’s cybersecurity posture, as known at the time to the company’s information security team. This action highlights the need for strong disclosure controls to ensure that information security teams elevate material information to those making disclosures, which can be especially challenging during the early days of a cyber incident. The SEC also reportedly launched a large-scale probe into companies that were potentially affected by the SolarWinds supply chain attack, requesting information related to the SolarWinds incident and other cyber incidents the companies may have experienced. In all, the SEC’s recent moves signal that cybersecurity will remain high on the agency’s regulatory and enforcement agenda.
Not to be outdone, on June 30 the New York Department of Financial Services (DFS) issued an Industry Letter on ransomware to its regulated entities with ransomware prevention steps and guidance on when entities “should” report ransomware attacks to DFS. The letter cautions entities to “assume that any successful deployment of ransomware on their internal network should be reported to DFS” and that “any intrusion where hackers gain access to privileged accounts should be reported.”
Reading the SEC and DFS guidance together, we may see agencies seeking to lower the bar on when companies in various regulated industries must report or disclose network intrusions and other cyber incidents, which may be based on an expanded interpretation of materiality in the cyber context.
Meanwhile, the Department of Defense (DoD) continues moving in fits and starts toward its Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program, as currently envisioned, will require all defense contractors and subcontractors to obtain a CMMC certification, based on DoD-approved third-party security assessments, when handling certain government information in connection with their contracts. The CMMC program establishes five certification levels tied to increasingly mature control sets as companies move toward Level 5. Many companies will require certification at Level 3, which is an enhanced version of the current requirements under NIST Special Publication 800-171, while certain companies that handle more sensitive information must obtain a higher level of certification designed to thwart more sophisticated attacks. Although the CMMC has experienced numerous delays and is currently undergoing an internal review at DoD, limited CMMC assessments may yet start later this year, with full implementation rolled out over five years under a November 2020 interim rule. Meanwhile, the interim rule now requires certain contractors to report their 800-171 self-assessment scores to DoD, and under new authority granted in the rule, DoD has begun conducting targeted government-run assessments against the 800-171 framework.
Lastly, the Department of Labor (DOL) issued its first-ever cybersecurity guidance for companies managing employee retirement plans. The guidance provides (1) tips for hiring a service provider, including cybersecurity due diligence and leveraging contracts to ensure an adequate cybersecurity posture from service providers; (2) cybersecurity best practices; and (3) online security tips for plan participants and beneficiaries. According to the DOL, this guidance complements the existing regulations requiring that reasonable controls and safety measures be in place to protect electronic record-keeping systems of companies managing retirement plans.
DOJ Making Ransomware Top Priority
On the criminal side, the DOJ reportedly issued internal guidance elevating ransomware to the top of its enforcement priority list, assigning ransomware a priority similar to that of terrorism. The DOJ also created a procedure to centrally coordinate all ransomware investigations. Reflecting ransomware’s elevation on the priority list, the DOJ, in a surprise move, seized approximately $2.3 million in Bitcoin that was paid as a ransom in the Colonial Pipeline case. The DOJ looks poised to ramp up its investigative efforts to combat ransomware.