How government can move out of the ransomware bull’s-eye
Connecting state and local government leaders
By strengthening their defenses – and those of their contractors – agencies can make themselves a less attractive target for ransomware, one cyber expert says.
As ransomware attacks increase in size and scope, no one is safe: the public and private sectors are both vulnerable to -- and considered major targets for -- multipronged cyberattacks that can shut down a global corporation or snarl an entire agency’s operations until a ransom is paid or systems are restored from secure and uncompromised backups (if such backups exist). Meanwhile, the White House has sought to get ahead of these attacks by issuing a cybersecurity executive order featuring aggressive deadlines and sweeping reforms to current federal cyber policy.
If the federal government, its contractors and American businesses writ-large have a fighting chance against these increasingly sophisticated attacks, success will require collaboration, organization and new investments in technology and staffing, according to Alan Chvotkin, a partner at Nichols Liu LLP and the former executive vice president and counsel of the Professional Services Council.
Chvotkin recently spoke with GCN’s sibling site FCW about the latest ransomware attack, and what federal officials can do to meet the moment and prevent similar attacks against government agencies. The following conversation has been lightly edited and condensed for clarity.
FCW: We’re seeing a sharp escalation in sophisticated, tradecraft ransomware attacks targeting the public and private sectors. What’s your initial reaction to the most recent attacks?
Alan Chvotkin: I’m concerned by the ease at which these Russians -- or whoever may be behind this -- are able to establish access to these various systems and then create the need to pay off a ransom in order to restore those systems. It gets right back to the issue of cybersecurity and cyber hygiene across the board; not just among federal agencies and their contractors, but commercial companies, too. It reinforces the notion that cybersecurity should be a high priority for anyone in any sort of business.
FCW: Just like some federal agencies, many commercial firms are at the very beginning stages of implementing good cyber posture. They’re just becoming aware of important tools like two-factor authentication and encryption. Is that level of progress having any impact preventing cyber incidents, or are they moving too slow?
Chvotkin: Well, we’re seeing two kinds of ransomware attacks: the very sophisticated state actors, either backed by Russia or the North Koreans, and they’re not going to be deterred by basic cybersecurity. Then you have the opportunistic attacker: I think for that group, even minimal cyber hygiene may help minimize the impact or make them look elsewhere for potential victims.
FCW: The executive order demands major reforms to current cyber policy and practices employed across various agencies with fast-approaching deadlines. Will this spate of large-scale ransomware attacks motivate agencies working to implement the cyber EO to get the job done on time?
Chvotkin: I’d certainly hope so. You never know what will provide the sufficient wake up call, but what’s clear is that federal agencies are not immune. They remain a target, as do federal contractors. The price of not implementing even reasonable controls is going up, both in terms of the actual cost of the ransom, as well as the risk facing ongoing business operations. Besides accelerating, I think the other thing that’s possible is we’ll see more in-depth coverage: When it comes to the Software Bill of Material, for example, it’s easy to provide a broad outline, but maybe there’s an opportunity for more in-depth regulatory or guidance documents on how to treat these kind of issues.
FCW: How can the Office of Management and Budget and proactively assist agencies in identifying and rooting out cyber vulnerabilities?
Chvotkin: We’ve got federal procurement rules, cybersecurity rules for the federal marketplace, and the Federal Risk and Authorization Management Program and everything else, but in and of itself it’s not enough. From a policy side, I wouldn’t be surprised to see the federal government impose greater and greater obligations and responsibilities both on agencies and contractors.
And we shouldn’t take things slow. For example, inspectors general are now tasked with reviewing agency systems for vulnerabilities. The IGs have obviously developed some expertise and insight into an agency’s vulnerabilities, but they typically don’t do anything on the programmatic side or remediation side. Rather than simply issuing an over-and-above report, I’m hoping they’re doing what’s called “flash reports,” where they highlight those vulnerabilities immediately to CIOs and agency heads, then work with the agency to make sure the vulnerabilities are addressed. I’d hate to have to wait for the IG to identify a vulnerability in 2021, and not get that report out until 2022, letting the agency miss a long period of time between the evaluation and even a draft report being issued.
FCW: If we are able to meet the moment by investing the money and staffing necessary to fulfill the deadlines outlined in the executive order, do we have a fighting chance at thwarting a major ransomware attack against the federal government like the one we saw last weekend targeting the private sector? Or is it inevitable that we’ll continue to suffer from large-scale attacks without proper preventative methods in place?
Chvotkin: I think both of those statements are true. As agencies pay greater attention to this, their risk profile goes down, but until each agency gets to that point, the weakest link is still the most vulnerable, and so exposure still exists. We should not be surprised to hear about more ransomware attacks, certainly in the commercial marketplace, but even in the government marketplace. It’s not just targeting government agencies either; attackers go after the weakest link in agency supply chains, too. It may be a second or third-tier contractor. There is a lot of work ahead.
FCW: What’s the endgame here? Can the federal government eventually establish zero tolerance for major cybersecurity vulnerabilities?
Chvotkin: In relation to the executive order, it’s really all about getting to identification and remediation for cyber issues around the federal government faster -- and, by implication, the federal contractors who support it.
Zero tolerance would be great, but I don’t think that’s the expectation, simply based on the increased sophistication of these hackers. Nothing can be foolproof, but you want to make sure attackers target someone else: The more you can do yourself as an individual or agency to prevent people from accessing systems, the more expensive it gets for hackers to try and break into those systems and wreak havoc.
A longer version of this article was first posted on FCW, a sibling site to GCN.