The Ransomware Pandemic and the Federal Government’s Increased Expectations for Private Industry.
By Erik Dullea
On Sept. 17, 2021, cybersecurity companies reported they had discovered a phishing campaign dubbed “Operation Layover” out of Nigeria that has been targeting the aviation industry for the last two years. Operation Layover remained undetected for such a long period of time because it kept a low profile and only engaged in small-scale cyber offensives.
Other than the construction of concrete runways, the aviation and aggregates industries probably do not have many overlapping business interests, but pervasive cyberattacks and cybercrime continue to be a burgeoning problem for American businesses. On Sept. 16, DHS Secretary Mayorkas and CISA Director Easterly wrote an open letter to the manufacturing sector on the growing threat posed by malicious cyber actors.
The DHS-CISA letter describes the economic harm to American businesses, estimating that 2020 saw more than a 300% increase in ransoms paid to cybercriminals, surpassing $350 million. In 2021, the number of highly visible ransomware attacks has continued, but DHS and CISA emphasize that the majority of ransomware victims are small businesses who often face a threat to their economic survival after a ransomware attack.
The DHS-CISA letter did not come out of left field. To the contrary, it is one of many messages the Biden administration has delivered to the private sector on the importance of cybersecurity. Earlier this summer, the White House urged corporate business leaders to improve their defenses and resilience posture against ransomware attacks.
In a June 2 open letter to corporate executives and business leaders (the WH Letter), Anne Neuberger, the White House deputy national security advisor for cyber and emerging technology, appealed to business leaders to act, following on the heels of the president’s directives to federal agencies and contractors.
The WH Letter references President Biden’s May 12, 2021, Improving the Nation’s Cybersecurity Executive Order (EO) as a resource for best practices to drive down an organization’s ransomware risk. Executive orders are not binding on the private sector – they are binding on Executive Branch agencies – however, the EO expressly recognizes that the private sector and government have a shared interest in maintaining a secure cyber ecosystem that strengthens the country’s economic security.
The WH Letter recommends businesses implement five types of protective measures to control or mitigate their cybersecurity risks:
1. Businesses must protect their data by creating regular backups, testing the backups for accuracy, and storing the backups offline or on a separate server.
2. Backup data is not the only information that should be maintained on separate servers.
3. Businesses must commit to installing timely updates and patches of their systems, to include operating systems, applications and firmware.
4. Business leaders must not only read, but actually test their incident response plans.
5. Just as the incident response plan must be tested, so must the security team. Validating the company’s security team through third-party testing reduces the overall risk to the company networks by offering additional perspectives on potential vulnerabilities.
The DHS-CISA and WH Letters are written from a collaborative rather than a compulsory standpoint because 85% of U.S. critical infrastructure is owned and operated by the private sector, and Congress has yet to pass any federal cybersecurity laws that apply to the entire U.S. economy; instead, Congress has taken a sector-by-sector approach to federal cybersecurity legislation.
Recognizing that limitation, the WH Letter agrees there is a need for private and public sector partnerships to defend these critical infrastructure assets from ransomware, but attitudes and concern in Congress may be changing.
To varying degrees, members of Congress understand the challenge posed by ransomware attacks against critical infrastructure. On July 21, 2021, Senate Intelligence Committee Chairman Mark Warner (D-Va.) introduced Senate Bill 2407, which would impose requirements on private sector companies at large, along with liability protections. Senate Bill 2407 would require federal contractors and critical infrastructure entities to report cyber intrusions to CISA within 24 hours of discovery.
But the bill includes a powerful incentive for complying. Victim companies that timely disclose intrusions to CISA would be shielded from civil liability. The public benefits from this liability shield because timely disclosures facilitate tracking the perpetrators and mitigating the harm to U.S. critical infrastructure.
In the weeks that followed the WH Letter, several federal and state government entities published additional cybersecurity requirements within their respective industry sectors and jurisdictions. The list below summarizes developments that have occurred in the last six months affecting a variety of industry sectors.
Critical Infrastructure Participants
Pursuant to President Biden’s EO, the National Institute of Standards and Technology published a definition of EO-critical software, which will be expanded by the Cybersecurity and Infrastructure Security Agency in the future.
On April 14, 2021, the U.S. Department of Labor (DOL) released cybersecurity guidance tips for retirement plan administrators. The guidance is not mandatory, but it provides insights into DOL’s expectations for retirement plan administrators.
On May 27, 2021, the Transportation Security Administration, which has responsibility for oil and gas pipelines, announced an Initial Pipeline Security Directive that began the transition from voluntary security guidelines to mandatory requirements.
On June 11, 2021, the Securities and Exchange Commission added cybersecurity risks to its spring 2021 rulemaking list, and four days later announced a settled penalty with a company for deficient cybersecurity disclosures.
On June 20, 2021, TSA announced a Second Pipeline Security Directive requiring pipeline owners and operators to implement multiple protections against cyber intrusions.
Clearly these initiatives will apply to the specific industries and businesses regulated by the associated agencies, but the inescapable trend from the government is to encourage, pressure and require private sector businesses to invest more energy, time and resources into cybersecurity.
Erik Dullea is senior counsel at Husch Blackwell LLP. As a member of its Technology, Manufacturing & Transportation team, he focuses on administrative/regulatory law, with an emphasis on heavily regulated industries and government contractors. He can be reached at [email protected]