Crosscurrents of Crisis | Brunswick
Perspectives

Crosscurrents of Crisis

Brunswick’s George Little joins cybersecurity experts from Chertoff to discuss the threats that prompted the Biden Administration to issue an executive order Wednesday demanding greater safety and accountability from government suppliers.

President Joseph Biden signed an executive order on Wednesday placing tight new security standards on all software sold to the federal government. The goal is not just to protect government operations but also to spur the implementation of stronger protections throughout the US business community.

The need for greater cyber security is urgent. The pandemic-induced shift toward work from home has opened potential new cracks in cybersecurity. The disruption of supply chains has resulted in dramatic shifts within operations across every sector, and with disruption comes the possibility of new and unforeseen cyber risks.

Then there is SolarWinds. Attributed to Russian-backed groups, this breach went undetected for several months, until last December, penetrating about 200 organizations around the world, including the US departments of Treasury and Commerce. The final impetus was the cyberattack in recent days on Colonial Pipeline, which disrupted the delivery of gasoline, diesel and jet fuel on the East Coast.

To understand this moment and the government’s response we sat down with Brunswick Partner George Little and two principals at The Chertoff Group, one of the world’s leading cybersecurity firms. All three have national security backgrounds. A cybersecurity specialist, Mr. Little is a former Assistant to the US Secretary of Defense for Public Affairs, Pentagon Press Secretary and Director of Public Affairs and Chief of Media Relations for the US Central Intelligence Agency.

Chertoff’s Mira Ricardel is a former Deputy National Security Advisor and Under Secretary of Commerce for Export Administration in the Bureau of Industry and Security. She is also a former Vice President of Business Development at Boeing and served as Acting Assistant Secretary of Defense for International Security Policy. Her colleague, Adam Isles, was formerly at US defense contractor Raytheon where he was the Director of Strategy and Policy Consulting for homeland security. He also previously served as the Deputy Chief of Staff at the US Department of Homeland Security.

Mira Ricardel is a Principal at Chertoff and former Deputy National Security Advisor and Under Secretary of Commerce for Export Administration in the Bureau of Industry and Security.

One central message that emerged from the broad conversation: Deep collaboration is needed between the private and public sectors.

“Companies and government are still operating, to some extent, in what I think is an old paradigm, that of a traditional firewall between government and the private sector,” Mr. Little says. “Both sides are still figuring out how to work together. And I worry that we’re very far off.”

Another message that rang clear: Nothing about cybersecurity is easy. Each sector, each company, has unique vulnerabilities and widely varied degrees of preparedness.

“There are certain threats that everyone needs to worry about, in the same way that everyone needs to worry about COVID-19,” Mr. Isles says. “Ransomware would fall into that category. Beyond that though, certain categories of companies, based on what they do or where they operate, are going to have additional levels of inherent risk.”

In addition, some specific threats are moving targets, he says.

“We’ve seen that with respect to water and water treatment plants,” Mr. Isles says. “A year ago, we might have been talking about them as a kind of hypothetical scenario. Six months ago, we would have been pointing to Israel where there were several attempted compromises of water treatment facilities. And today it’s no longer unique to the Middle East, as we saw in February with the impact on a water treatment plant in Florida.”

Ms. Ricardel points to aerospace and defense as examples of industries that are more prepared for this moment. “There, you’re already thinking in the mindset of threats, and how do you deal with them, even your own networks as a company because of the attempts to penetrate and exfiltrate data. But other sectors are newer to it and they will have to ramp up because they are vulnerable.”

That vulnerability extends all the way down to individual employees. While the individual worker has always been a weak link in organizations’ cyber defenses, over the past year they have become targets for a broader set of cyber threats, from uninvited pranksters barging in on video conferences (known as “Zoom bombing”) to credit card theft and personal ransomware attacks.

“The pandemic itself prompted a sudden and massive shift in online behavior—not just in telework, but in telehealth and teleschooling,” Mr. Little says. “So in addition to private sector, cybersecurity has become a very personal issue as well.”

On the company level, ransomware attacks have escalated in frequency and scale over the last year and a half, Mr. Little says.

“Companies have had to grapple with ransom requests for as much $20 million, and have faced operational issues, issues with their data—all while they’re trying to operate a business in the new virtual world,” Mr. Little says.

Ricardel notes that companies have to realize that they are at a strategic disadvantage. “It’s easier to deploy a cyberattack than it is to protect against it,” she says. “Leaders need to think about this as a daily, routine issue, much as the physical security that you would have. You might use cameras to monitor who’s coming into the building, taking out documents. It’s harder to see who’s coming into your operating system on your computers.”

Adam Isles, a Principal with Chertoff, was formerly at US defense contractor Raytheon where he was the Director of Strategy and Policy Consulting for homeland security.

That already complex problem has been made much more complicated by pandemic and the transition to remote working. Even dealing with the consequences of an attack have grown harder in the current environment, says Mr. Isles. “Normally, it would be ‘OK, we want to go image a server.’ Well, physically you can’t go anywhere because of pandemic restrictions. Incident response and crisis management is a process that has also needed to go through its own fairly dramatic transformation.”

The Spaghetti Problem

The Biden executive order alone may seem a small step, the three agreed, but is a necessary part of a larger, ongoing government response that appears to be on the right track.

“The US government has accurately identified the threats—that’s always step one,” Ms. Ricardel says. “The responses have been somewhat ad hoc. Frankly, nobody was thinking about what might happen in this environment. Businesses, governments were focused on other things and then comes a SolarWinds attack or something and you say, ‘Oh, my gosh. We need to look at this.’”

The issue of cybersecurity for the country and its business community is a bipartisan one, and previous executive orders have similarly addressed concerns. Some are not yet fully implemented, Ricardel says, citing a telecommunications supply chain executive order as an example, where regulations are still being rolled out.

“It’s not complete,” she says, of the government response. “But at this point, there’s no matrix we can point to say, have we covered every threat? It’s more like a bowl of spaghetti. And you have to pull apart the spaghetti and see what actually is done and where things connect.”

Ms. Ricardel also notes that, while the risks and consequences vary, the fight is the same across all. “You can't look at cybersecurity in a silo,” she says. “It is really part of the landscape. And it will have to be addressed no matter what type of business you have, no matter what part of government you’re in. We don’t have the option to hope it goes away.”

Speaking from his experience in the homeland security sector, Mr. Isles sees three tools that government has to incentivize industries more broadly: rules related to procurement, industry regulations and underwriting by insurance companies. The Biden administration is moving forward on the first of these with the Cybersecurity Maturity Model Certification (CMMC) program, originally launched by the previous administration, which will require cybersecurity programs at defense contractors to be validated by independent third parties.

“That is a model that we’ve seen in banking and payments sectors for years. We’re taking a basic approach that is not new to industry and applying it to this sector,” he said.

In regulation, longstanding public-private partnerships, such as outlined by the Maritime Transportation Security Act in the context of port facilities, have had security expectations for years and can act as models for cybersecurity requirements elsewhere.

George Little Partner & Office Head Washington DC[1]

George Little is a Brunswick Partner and co-chair of the global Cybersecurity and Privacy practice. He is a former Assistant to the US Secretary of Defense for Public Affairs, Pentagon Press Secretary and Director of Public Affairs and Chief of Media Relations for the US Central Intelligence Agency.

“One of the most interesting areas to watch right now is cyber insurance,” Mr. Isles says. “There is enormous pressure from the many kind of ransomware claims that are coming in. But in addition, we have seen some steps, particularly by the New York State Department of Financial Services, to try to go beyond exposure and claims, to have the insurance industry incentivize strong performance as well.”

The Lonely and the Heroes

The SolarWinds break-in held examples of the benefits of strong cooperation with the government, Mr. Isles said. Cybersecurity solutions company FireEye was the first to report the problem.

“Notwithstanding that they were compromised, FireEye were the heroes,” Mr. Isles said. “By disclosing what had happened they disrupted a much larger plot and helped a whole bunch of other companies figure out that they had an issue as well.”

Part of the reason a spirit of collaboration and disclosure are so important, Mr. Little said, is that the government doesn’t have the same kind of authority on cybersecurity that they might elsewhere. 

“Cybersecurity is very lonely space for companies,” Mr. Little said. “You can't call 911 for a cybersecurity incident, generally speaking. Most companies cannot rely on the US government for cybersecurity support.

“But we have to get to a point where we recognize that we face some common threats and work to address them in a way that’s going to benefit us all. The companies that lean forward on these issues could find that it is a competitive discriminator—it will build trust, not only with their immediate clients and customers but also with the government and others that they work with.

“Cybersecurity should not be viewed as a competitive issue for most companies. This is something that affects us all.”

--