As ransomware attacks increase in size and scope, no one is safe: the public and private sectors are both vulnerable to — and considered major targets for — multipronged cyberattacks that can shut down a global corporation or snarl an entire agency’s operations until a ransom is paid or systems are restored from secure and uncompromised backups (if such backups exist). Meanwhile, the White House has sought to get ahead of these attacks by issuing a cybersecurity executive order featuring aggressive deadlines and sweeping reforms to current federal cyber policy.
If the federal government, its contractors and American businesses writ large are to have a fighting chance against these increasingly sophisticated attacks, success will require collaboration, organization and new investments in technology and staffing, according to Alan Chvotkin, a partner at Nichols Liu LLP and the former executive vice president and counsel of the Professional Services Council.
Chvotkin recently spoke with GCN’s sibling site FCW about the latest ransomware attack, and what federal officials can do to meet the moment and prevent similar attacks against government agencies. The following conversation has been lightly edited and condensed for clarity.
FCW: We’re seeing a sharp escalation in sophisticated, tradecraft ransomware attacks targeting the public and private sectors. What’s your initial reaction to the most recent attacks?
Alan Chvotkin: I’m concerned by the ease with which these Russians — or whoever may be behind this — are able to establish access to these various systems and then create the need to pay off a ransom in order to restore those systems. It gets right back to the issue of cybersecurity and cyber hygiene across the board; not just among federal agencies and their contractors, but commercial companies, too. It reinforces the notion that cybersecurity should be a high priority for anyone in any sort of business.
FCW: Just like some federal agencies, many commercial firms are at the very beginning stages of implementing good cyber posture. They’re just becoming aware of important tools like two-factor authentication and encryption. Is that level of progress having any impact preventing cyber incidents, or are they moving too slow?
Chvotkin: Well, we’re seeing two kinds of ransomware attacks: the very sophisticated state actors, either backed by Russia or the North Koreans, and they’re not going to be deterred by basic cybersecurity. Then you have the opportunistic attacker: I think for that group, even minimal cyber hygiene may help minimize the impact or make them look elsewhere for potential victims.
FCW: The executive order demands major reforms to current cyber policy and practices employed across various agencies with fast-approaching deadlines. Will this spate of large-scale ransomware attacks motivate agencies working to implement the cyber EO to get the job done on time?
Chvotkin: I’d certainly hope so. You never know what will provide the sufficient wake-up call, but what’s clear is that federal agencies are not immune. They remain a target, as do federal contractors. The price of not implementing even reasonable controls is going up, both in terms of the actual cost of the ransom, as well as the risk facing ongoing business operations. Besides accelerating, I think the other thing that’s possible is we’ll see more in-depth coverage: When it comes to the Software Bill of Materials, for example, it’s easy to provide a broad outline, but maybe there’s an opportunity for more in-depth regulatory or guidance documents on how to treat these kinds of issues.
FCW: How can the Office of Management and Budget and proactively assist agencies in identifying and rooting out cyber vulnerabilities?
Chvotkin: We’ve got federal procurement rules, cybersecurity rules for the federal marketplace, and the Federal Risk and Authorization Management Program and everything else, but in and of itself it’s not enough. From a policy side, I wouldn’t be surprised to see the federal government impose greater and greater obligations and responsibilities both on agencies and contractors.
And we shouldn’t take things slow. For example, inspectors general are now tasked with reviewing agency systems for vulnerabilities. The IGs have obviously developed some expertise and insight into an agency’s vulnerabilities, but they typically don’t do anything on the programmatic side or remediation side. Rather than simply issuing an over-and-above report, I’m hoping they’re doing what’s called “flash reports,” where they highlight those vulnerabilities immediately to CIOs and agency heads, then work with the agency to make sure the vulnerabilities are addressed. I’d hate to have to wait for the IG to identify a vulnerability in 2021, and not get that report out until 2022, letting the agency miss a long period of time between the evaluation and even a draft report being issued.
FCW: If we are able to meet the moment by investing the money and staffing necessary to fulfill the deadlines outlined in the executive order, do we have a fighting chance at thwarting a major ransomware attack against the federal government like the one we saw last weekend targeting the private sector? Or is it inevitable that we’ll continue to suffer from large-scale attacks without proper preventative methods in place?
Chvotkin: I think both of those statements are true. As agencies pay greater attention to this, their risk profile goes down, but until each agency gets to that point, the weakest link is still the most vulnerable, and so exposure still exists. We should not be surprised to hear about more ransomware attacks, certainly in the commercial marketplace, but even in the government marketplace. It’s not just targeting government agencies either; attackers go after the weakest link in agency supply chains, too. It may be a second- or third-tier contractor. There is a lot of work ahead.
FCW: What’s the endgame here? Can the federal government eventually establish zero tolerance for major cybersecurity vulnerabilities?
Chvotkin: In relation to the executive order, it’s really all about getting to identification and remediation for cyber issues around the federal government faster — and, by implication, the federal contractors who support it.
Zero tolerance would be great, but I don’t think that’s the expectation, simply based on the increased sophistication of these hackers. Nothing can be foolproof, but you want to make sure attackers target someone else: The more you can do yourself as an individual or agency to prevent people from accessing systems, the more expensive it gets for hackers to try and break into those systems and wreak havoc.
A longer version of this article was first posted on FCW, a sibling site to GCN.