Will the ransomware surge impact Biden's cyber EO?

Federal officials and private sector leaders are still learning more about the destructive impact a massive ransomware attack had on hundreds of commercial businesses nationwide during the July 4th weekend, as millions of American workers and companies went offline to celebrate the holiday.

While President Joe Biden said his administration had not yet determined where the attack originated, reports indicate the malicious software was developed by the Russian-speaking hacking collective REvil, the group also reportedly behind the ransomware attack that crippled JBS, the world’s largest meatpacking company, earlier this summer.

As ransomware attacks increase in size and scope, officials say no one is safe: the public and private sector are both vulnerable to -- and seen as major targets for -- multi-pronged cyber attacks that can snarl an entire agency’s operations or shut down a global corporation until a ransom is paid or systems are restored from secure and uncompromised backups (if such backups exist). Meanwhile, the White House has sought to get ahead of these attacks by issuing a cybersecurity executive order featuring aggressive deadlines and sweeping reforms to current federal cyber policy.

If the federal government, its contractors and American businesses writ-large have a fighting chance against these increasingly sophisticated attacks, success will require collaboration, organization and new investments in technology and staffing, according to Alan Chvotkin, a partner at Nichols Liu LLP and the former executive vice president and counsel of the Professional Services Council.

Chvotkin spoke to FCW in a recent interview about the latest ransomware attack, and what federal officials can do to meet the moment and prevent similar attacks against government agencies. The following conversation has been lightly edited and condensed for clarity.

FCW: We’re seeing a sharp escalation in sophisticated, tradecraft ransomware attacks targeting the public and private sectors. What’s your initial reaction to the most recent attack, which may be the largest of its kind, impacting anywhere from 800 to 1,500 businesses?

Alan Chvotkin: I’m concerned by the ease at which these Russians -- or whoever may be behind this -- are able to establish access to these various systems and then create the need to pay off a ransom in order to restore those systems. It gets right back to the issue of cybersecurity and cyber hygiene across the board; not just among federal agencies and their contractors, but commercial companies, too. It reinforces the notion that cybersecurity should be a high priority for anyone in any sort of business.

FCW: Just like some federal agencies, many commercial firms are at the very beginning stages of implementing good cyber posture. They’re just becoming aware of important tools like two-factor authentication and encryption. Is that level of progress having any impact preventing cyber incidents, or are they moving too slow?

Chvotkin: Well, we’re seeing two kinds of ransomware attacks: the very sophisticated state actors, either backed by Russia or the North Koreans, and they’re not going to be deterred by basic cybersecurity. Then you have the opportunistic attacker: I think for that group, even minimal cyber hygiene may help minimize the impact or make them look elsewhere for potential victims.

FCW: The executive order demands major reforms to current cyber policy and practices employed across various agencies with fast-approaching deadlines. Will this spate of large-scale ransomware attacks serve as motivation for those agencies working to implement the cyber EO to get the job done on time?

Chvotkin: I’d certainly hope so. You never know what will provide the sufficient wake up call, but what’s clear is that federal agencies are not immune. They remain a target, as do federal contractors. The price of not implementing even reasonable controls is going up, both in terms of the actual cost of the ransom, as well as the risk facing ongoing business operations. Besides accelerating, I think the other thing that’s possible is we’ll see more in-depth coverage: When it comes to the Software Bill of Material, for example, it’s easy to provide a broad outline, but maybe there’s an opportunity for more in-depth regulatory or guidance documents on how to treat these kind of issues.

FCW: There have also been reported concerns around unfunded mandates featured throughout the cyber executive order. What can be done to help agencies meet the deadlines?

Chvotkin: It’s regrettable that many federal agencies are so slow in their response. Some agencies are doing well, and some are not. It’s a combination of resources and money, but both of those are addressable. DHS just recently hired several hundred people for their cybersecurity work, and the Biden administration has put billions in their budget for cybersecurity activities. The need for both of those critical investments still exist -- but I’m hoping that diminishes over time. Instead of criticizing agencies, OMB and others need to be helping agencies to get to a better position in their overall cyber hygiene.

FCW: How can OMB and others move past criticism towards remediation stages, where they are proactively assisting agencies in identifying and rooting out cyber vulnerabilities?

Chvotkin: We’ve got federal procurement rules, and cybersecurity rules for the federal marketplace, and FedRAMP and everything else, but in and of itself it’s not enough. From a policy side, I wouldn’t be surprised to see the federal government impose greater and greater obligations and responsibilities both on agencies and contractors.

And we shouldn’t take things slow. For example, inspectors general are now tasked with reviewing agency systems for vulnerabilities. The IGs have obviously developed some expertise and insight into an agency’s vulnerabilities, but they typically don’t do anything on the programmatic side or remediation side. Rather than simply issuing an over-and-above report, I’m hoping they’re doing what’s called “flash reports,” where they highlight those vulnerabilities immediately to CIOs and agency heads, then work with the agency to make sure the vulnerabilities are addressed. I’d hate to have to wait for the IG to identify a vulnerability in 2021, and not get that report out until 2022, letting the agency miss a long period of time between the evaluation and even a draft report being issued.

FCW: Say we are able to meet the moment by investing the money and staffing necessary to fulfill the deadlines outlined in the executive order. Do we have a fighting chance at thwarting a major ransomware attack against the federal government like the one we saw last weekend targeting the private sector, or is it inevitable that we’ll continue to suffer from large-scale attacks without proper preventative methods in place?

Chvotkin: I think both of those statements are true. As agencies pay greater attention to this, their risk profile goes down, but until each agency gets to that point, the weakest link is still the most vulnerable, and so exposure still exists. We should not be surprised to hear about more ransomware attacks, certainly in the commercial marketplace, but even in the government marketplace. It’s not just targeting government agencies either; they go after the weakest link in their supply chains, too. It may be a second or third-tier contractor. There is a lot of work ahead.

FCW: What’s the endgame here? Can the federal government eventually establish zero tolerance for major cybersecurity vulnerabilities?

Chvotkin: In relation to the executive order, it’s really all about getting to identification and remediation for cyber issues around the federal government faster -- and, by implication, the federal contractors who support it.

Zero tolerance would be great, but I don’t think that’s the expectation, simply based on the increased sophistication of these hackers. Nothing can be foolproof, but you want to make sure it goes somewhere else than to yourself: The more you can do yourself as an individual or agency to prevent people from accessing systems, the more expensive it gets for hackers to try and break into those systems and wreak havoc.