Will the ransomware surge impact Biden's cyber EO?

Alan Chvotkin, a federal acquisition expert and the former executive vice president for PSC, reveals how federal officials can better respond to attacks while meeting the deadlines featured in the cybersecurity executive order.


Federal officials and private sector leaders are still learning more about the destructive impact a massive ransomware attack had on hundreds of commercial businesses nationwide during the July 4th weekend, as millions of American workers and companies went offline to celebrate the holiday.

While President Joe Biden said his administration had not yet determined where the attack originated, reports indicate the malicious software was developed by the Russian-speaking hacking collective REvil, the group also reportedly behind the ransomware attack that crippled JBS, the world’s largest meatpacking company, earlier this summer.

As ransomware attacks increase in size and scope, officials say no one is safe: the public and private sector are both vulnerable to -- and seen as major targets for -- multi-pronged cyber attacks that can snarl an entire agency’s operations or shut down a global corporation until a ransom is paid or systems are restored from secure and uncompromised backups (if such backups exist). Meanwhile, the White House has sought to get ahead of these attacks by issuing a cybersecurity executive order featuring aggressive deadlines and sweeping reforms to current federal cyber policy.

If the federal government, its contractors and American businesses writ large are to have a fighting chance against these increasingly sophisticated attacks, success will require collaboration, organization and new investments in technology and staffing, according to Alan Chvotkin, a partner at Nichols Liu LLP and the former executive vice president and counsel of the Professional Services Council.

Chvotkin spoke to FCW in a recent interview about the latest ransomware attack, and what federal officials can do to meet the moment and prevent similar attacks against government agencies. The following conversation has been lightly edited and condensed for clarity.

FCW: We’re seeing a sharp escalation in sophisticated, tradecraft ransomware attacks targeting the public and private sectors. What’s your initial reaction to the most recent attack, which may be the largest of its kind, impacting anywhere from 800 to 1,500 businesses?

Alan Chvotkin: I’m concerned by the ease with which these Russians -- or whoever may be behind this -- are able to establish access to these various systems and then create the need to pay off a ransom in order to restore those systems. It gets right back to the issue of cybersecurity and cyber hygiene across the board; not just among federal agencies and their contractors, but commercial companies, too. It reinforces the notion that cybersecurity should be a high priority for anyone in any sort of business.

FCW: Just like some federal agencies, many commercial firms are at the very beginning stages of implementing good cyber posture. They’re just becoming aware of important tools like two-factor authentication and encryption. Is that level of progress having any impact preventing cyber incidents, or are they moving too slow?

Chvotkin: Well, we’re seeing two kinds of ransomware attacks: the very sophisticated state actors, either backed by Russia or the North Koreans, and they’re not going to be deterred by basic cybersecurity. Then you have the opportunistic attacker: I think for that group, even minimal cyber hygiene may help minimize the impact or make them look elsewhere for potential victims.

FCW: The executive order demands major reforms to current cyber policy and practices employed across various agencies with fast-approaching deadlines. Will this spate of large-scale ransomware attacks serve as motivation for those agencies working to implement the cyber EO to get the job done on time?

Chvotkin: I’d certainly hope so. You never know what will provide the sufficient wake-up call, but what’s clear is that federal agencies are not immune. They remain a target, as do federal contractors. The price of not implementing even reasonable controls is going up, both in terms of the actual cost of the ransom, as well as the risk facing ongoing business operations. Besides accelerating, I think the other thing that’s possible is we’ll see more in-depth coverage: When it comes to the Software Bill of Material, for example, it’s easy to provide a broad outline, but maybe there’s an opportunity for more in-depth regulatory or guidance documents on how to treat these kinds of issues.

FCW: There have also been reported concerns around unfunded mandates featured throughout the cyber executive order. What can be done to help agencies meet the deadlines?

Chvotkin: It’s regrettable that many federal agencies are so slow in their response. Some agencies are doing well, and some are not. It’s a combination of resources and money, but both of those are addressable. DHS just recently hired several hundred people for their cybersecurity work, and the Biden administration has put billions in their budget for cybersecurity activities. The need for both of those critical investments still exists -- but I’m hoping that diminishes over time. Instead of criticizing agencies, OMB and others need to be helping agencies to get to a better position in their overall cyber hygiene.

FCW: How can OMB and others move past criticism towards remediation stages, where they are proactively assisting agencies in identifying and rooting out cyber vulnerabilities?

Chvotkin: We’ve got federal procurement rules, and cybersecurity rules for the federal marketplace, and FedRAMP and everything else, but in and of itself it’s not enough. From a policy side, I wouldn’t be surprised to see the federal government impose greater and greater obligations and responsibilities both on agencies and contractors.

And we shouldn’t take things slow. For example, inspectors general are now tasked with reviewing agency systems for vulnerabilities. The IGs have obviously developed some expertise and insight into an agency’s vulnerabilities, but they typically don’t do anything on the programmatic side or remediation side. Rather than simply issuing an over-and-above report, I’m hoping they’re doing what’s called “flash reports,” where they highlight those vulnerabilities immediately to CIOs and agency heads, then work with the agency to make sure the vulnerabilities are addressed. I’d hate to have to wait for the IG to identify a vulnerability in 2021, and not get that report out until 2022, letting the agency miss a long period of time between the evaluation and even a draft report being issued.

FCW: Say we are able to meet the moment by investing the money and staffing necessary to fulfill the deadlines outlined in the executive order. Do we have a fighting chance at thwarting a major ransomware attack against the federal government like the one we saw last weekend targeting the private sector, or is it inevitable that we’ll continue to suffer from large-scale attacks without proper preventative methods in place?

Chvotkin: I think both of those statements are true. As agencies pay greater attention to this, their risk profile goes down, but until each agency gets to that point, the weakest link is still the most vulnerable, and so exposure still exists. We should not be surprised to hear about more ransomware attacks, certainly in the commercial marketplace, but even in the government marketplace. It’s not just targeting government agencies either; they go after the weakest link in their supply chains, too. It may be a second or third-tier contractor. There is a lot of work ahead.

FCW: What’s the endgame here? Can the federal government eventually establish zero tolerance for major cybersecurity vulnerabilities?

Chvotkin: In relation to the executive order, it’s really all about getting to identification and remediation for cyber issues around the federal government faster -- and, by implication, the federal contractors who support it.

Zero tolerance would be great, but I don’t think that’s the expectation, simply based on the increased sophistication of these hackers. Nothing can be foolproof, but you want to make sure it goes somewhere else than to yourself: The more you can do yourself as an individual or agency to prevent people from accessing systems, the more expensive it gets for hackers to try and break into those systems and wreak havoc.
