The ongoing ransomware attacks have everybody spooked. Now Congress and the Cybersecurity and Infrastructure Security Agency are both contemplating ways to get industry to do something it has supposedly been doing for years: reporting these kinds of attacks to the corresponding federal agencies. But that reporting mechanism has never fully developed. Federal Drive with Tom Temin gleaned some insight from Michael Hamilton, co-founder of the consultancy Critical Insight.
Tom Temin: Mr. Hamilton, good to have you back.
Michael Hamilton: Hey, Tom, it’s good to talk to you again.
Tom Temin: And you were at one time a public sector cybersecurity functionary for a large city. And you were also a member of the State, Local, Tribal and Territorial Government Coordinating Council for data sharing and all of this. Just review for us what has supposedly been happening for all these years between Homeland Security — other federal departments — and their corresponding critical infrastructure operating sectors?
Michael Hamilton: Well, there’s an ecosystem that has developed around critical infrastructure and infrastructure protection. And to date, we have 16 critical sectors, and each one has a Sector-Specific Agency, a Government Coordinating Council, a Sector Coordinating Council, and most of them have an ISAC, an Information Sharing and Analysis Center. And the playing field there throughout the sectors was never really level in terms of the attention that they were getting, specifically with respect to requirements that they need to meet for security. Some were very serious. For example, the Department of Energy is the Sector-Specific Agency to regulate energy production, and the NERC critical infrastructure protection standards, NERC, North American Electric Reliability Corporation, those are serious. Those have teeth up to and including a $1 million-a-day fine. So, that’s critical. We understand energy failure is cascading and it affects everything, but the water sector never got that kind of attention, maritime ports didn’t really get that kind of attention. But I think that’s changing.
Tom Temin: So in other words, we had this whole mechanism designed, and that was back in the National Protection and Programs Directorate days before it became CISA. But it never really developed into operational rigor. Is that a fair way to put it?
Michael Hamilton: Well, it did, again, for some sectors. And I think there was an acknowledgement that some were really, really critical. And some, for example, monuments and icons, those don’t stack up against the energy sector in the same way. But now that we’re finding that somebody in a basement in Syria can take down a water utility, that’s changing, I think fairly quickly. And the sector-specific agencies that adjudicate regulatory purview over their sector are starting to get a little more vocal now. And I think the example that’s on everybody’s mind is the TSA, which is the Sector-Specific Agency for pipelines. And they had never really gone to the pipeline operators and said, “here are your requirements to meet for cybersecurity, and by the way, we’re going to come back and check.” That’s not going to happen.
Tom Temin: In other words, they’re expanding some of the reach that was established earlier, because we’re seeing that it’s not just a potential threat anymore, that we’ve actually had threats turn into action.
Michael Hamilton: You could say expanding reach, or you could just say, making the process consistent across more of the critical sectors.
Tom Temin: And what about the idea... a lot of areas of industry were worried about data sharing early on. I mean, part of the rationale behind this was that learnings from reported incidents could be shared. And even though companies might compete, one with another, in the marketplace, nobody wanted to be left alone when it comes to cybersecurity, and that was considered off limits with respect to the competition. Does that idea still hold, do you think?
Michael Hamilton: I think, in terms of competition, I don’t think it’s as big of a deal as not wanting to share information that would cause regulatory action. And so in the ISACs, the Information Sharing and Analysis Centers, the financial sector ISAC did a very good thing and they negotiated with the federal government that any disclosure made within the confines of the ISAC would be insulated from regulatory purview. So for example, if I said, “this thing happened at my organization, and you all need to watch out for it,” and my admission of that indicates that I did not have a control in place that I’m required to have, I would be insulated from having the regulators come and stand on my neck. That was a good thing. And I think you’ve seen legislation that’s being proposed right now, it’s moving through Congress, about 24-hour reporting on security incidents. Well, let’s not have a knee-jerk reaction to, you’re gonna make all my information public, because that’s not what’s going to happen. This will be like an ISAC. You’ll report it to CISA, it’ll be protected information, it will be protected from public disclosure. I would like to see this whole ‘insulated from regulatory oversight’ be part of this.
Tom Temin: Got it. We’re speaking with Michael Hamilton, co-founder of Critical Insight. And what about the issue of liability when a cybersecurity incident happens to a company, and some parties consider themselves harmed by what happened to that company, but that company also had all of the necessary controls in place? Not saying they all do. Clearly Colonial Pipeline did not have the full NIST set of controls in place. But if they do, what about the liability question, because that always becomes a political tug and pull?
Michael Hamilton: Well, this is what insurance companies think about too. There’s first-party coverage, and then there’s third-party coverage. And that third-party coverage is if your actions harm someone else, and they come and they litigate. So, there is insurance there, but the insurance companies have just been taking such a beating with this ransomware business. And now with the federal government starting to change the rhetoric around this and talking more about terrorism than crime, insurance companies have an out there. So soon, the federal government will have to get into the reinsurance business to be able to backstop all of that.
Tom Temin: Because terrorism and acts of war are not normally covered by any insurance policies in other words?
Michael Hamilton: That’s exactly right.
Tom Temin: And do you think there’s a design in the government talking that way?
Michael Hamilton: Yeah, I’ve read a little bit that the government is taking up this issue of reinsurance. And they’ve already pulled the ‘T’ word out. And so, insurance companies for sure heard that. So if insurance companies aren’t going to be required to swoop in and make everything right when somebody gets compromised by ransomware, well, the federal government is going to have to be there. And what they can do is they can combine that now with an outright prohibition on paying ransom because the federal government is there to be the reinsurer to put you back together, not to pay the ransom, but to put you back together, and in that way, you break the business model of the ransomware operators, and they move to softer targets.
Tom Temin: And by the way, speaking from your former perch as chief information security officer of Seattle — a lot of municipalities have been hit by ransomware — what’s your best advice to organizations now, with respect to reacting to a ransomware attack and reporting on it?
Michael Hamilton: Well, I’ll just say what everybody says: make sure you have backups, make sure you have a plan, make sure you test your plan. But, in my view, the most important thing you can do is not have a mindset that you’re going to prevent this. You’re secure until your ticket is punched. And then you had better have a plan to put things back together. Not a bunch of controls that you’re going to rely on to make sure it doesn’t happen to you. Plan for it to happen. Drill that. Read your insurance documents. Make sure you know who that first phone call is going to be to. That’s what I would say.
Tom Temin: And who should be on that team establishing that strategy in that response?
Michael Hamilton: It should be executives that have a fiduciary responsibility; they need to be at the top of that, kind of a unified coordination group, which is what the government calls it when you’re having a large incident to which you’re responding. But you’re going to need the finance people on there because you’re going to need to pay for stuff. You’re going to need the legal people on there. You’re definitely going to need the HR people in there. So, it’s over and above the incident: we have malware on a workstation. This is going to be all hands on deck and it’s protect the business.
Tom Temin: And what’s your sense of how safe the federal government is from ransomware attacks, and that if it does get its ticket punched, whatever agency that might be, that those plans are in place?
Michael Hamilton: I would imagine that the plans are in place by virtue of the fact that CISA is part of the federal government and this is what they do, and so is FEMA and this is what they do. Right? They plan for things like this. But the federal government needs to make progress with its technology modernization initiatives, because some of the technology is so old, it’s too easy to knock over. So there’s a little bit of a race going on. I think they are prepared for it to happen. They know what they’re going to do if it does happen, but they are a little overly exposed.
Tom Temin: Michael Hamilton is co-founder of Critical Insight. Thanks so much for joining me.
Michael Hamilton: You bet, Tom. Thank you.