Alarmed by ransomware, the White House has been telling the private sector to get serious about cybersecurity. Just this month, a letter to corporate executives and business leaders urged companies to do what amounts to basic cybersecurity. It told companies they have a key and distinct responsibility. For what it all could mean, Federal Drive with Tom Temin talked to Michael Borgia, partner and information security group practice leader at the law firm Davis Wright Tremaine.
Tom Temin: Mr. Borgia, good to have you on.
Michael Borgia: Thank you for having me. I appreciate the opportunity.
Tom Temin: First of all, this letter from the White House, specifically from Anne Neuberger, the deputy assistant to the president and the deputy national security advisor for cyber, who did it go to exactly?
Michael Borgia: Well, it is addressed to the private sector. So, it’s got a broad audience. And I think it looks like the intention was to really get the word out broadly to companies all over the private sector, and let them know what the White House thinks they should be doing and perhaps set some kind of baseline around cyber hygiene. As you said, I would think of this as pretty basic hygiene. For people who have been in the industry for a while, I think nothing in here is going to be shocking or surprising to them.
Tom Temin: Right. It said you should have two-factor authentication, you should have backups that are stored offline, and all these other good things in place. Again, basic stuff, but coming from the White House, that kind of open letter, telling people you have a distinct and key responsibility, almost implies there could be some sort of regulatory push coming, not just for federal contractors, but for industry in general. It has that ‘Dear Colleague’ tone.
Michael Borgia: Exactly. It’s funny. On the one hand, you think, well, what does this mean? This doesn’t really do anything. On the other hand, here we are talking about it. And there has been quite a bit of discussion around this. It’s generated a lot of buzz, a lot of thought about, what should we be doing? Should there be regulation? What should that look like? What should companies be doing to prepare? A lot of clients have been asking me, not about the letter itself; it’s been kind of a poke for them to say, we really should do more on this, and what should we be doing? So, if that was the White House’s goal, they’ve certainly had some success there to advance the conversation.
Tom Temin: Sure. And of course, in the military contracting community, there is the Cybersecurity Maturity Model Certification Program. And there is some evidence that that’s going to spread to the commercial contracting sector in the civilian agencies. But it sounds like there could be some even wider application of that, not the program itself, but the idea behind it. That, to do business, you need to do this, that and the other. Do you feel that that could be behind the velvet glove here?
Michael Borgia: I think that’s possible. It’s always hard to predict. And there are so many proposals out there competing. And as you know, making a proposal is easy. Getting it through Congress or through the regulatory process is another thing. But there is definitely a push. In May, the White House’s executive order on cybersecurity was certainly a big push to improve cybersecurity both among the federal government and among contractors of both the military and civilian variety. We are definitely seeing a push to improve security, to push out more guidance and regulation on technical controls, and really get contractors and others to up their game. A lot of people have said this, and it’s correct: the government obviously has more authority over government contractors, and it’s easier for them to change the rules around contractors. What they’re hoping to do is…. certainly they want to affect contractors for themselves, but they also want to create new standards and baselines, both in kind of a set of expectations, but also, no doubt, they’re hoping that some of the enhancements will bleed over into the private sector as well. For example, in the executive order, you have all of these rules around software security in the supply chain, probably inspired by SolarWinds and similar incidents. I think they are clearly trying to not only improve the quality of software used in the government, but also change the industry and change the standards that the industry uses.
Tom Temin: We’re speaking with Michael Borgia. He is information security group practice leader at the law firm Davis Wright Tremaine. And there’s a third layer in all of this that doesn’t come up as much in the public discussions, and that is the role of insurance and the relationship between companies and their insurance providers in, say, a ransomware or some similar type of cybersecurity problem. And then there’s also the question of liability. If you have been in total compliance with all of these best practices for cyber, what is your legal liability? Those questions, I think, are probably as much on the minds of business leaders and executives, to use the phrase from the letter, as the cybersecurity results themselves.
Michael Borgia: That’s right, the insurance market around cybersecurity has been changing dramatically, and a lot of my clients have received some pretty rude awakenings when they’ve gone to renew their policies this year. Rates have gone up, retentions have gone up, the amount you have to pay out of pocket before the insurance kicks in has gone way up. More coverage exceptions, and some carriers are starting to exempt ransom. So previously, and some people are surprised to learn this, many policies would actually cover the ransom payment: you pay a million dollars to a bad actor in Eastern Europe or wherever, and some or all of that, depending on your policy, could be covered. It’s kind of the never-ending balance to be struck in the insurance industry: provide the services that the client wants without incenting them to do bad things and spend lots of money. Right now we’re seeing insurance companies kind of cut the other way and say we really need to dial back what we’re covering, because the payouts have been massive, and a lot of companies are just paying ransoms because they’re largely or entirely covered.
Tom Temin: Sure, and speaking recently with Michael Hamilton, he was a municipal chief information security officer. He says one of the dangers here is if the administration starts calling these types of cyber attacks terror, then the insurance companies are immediately off the hook, because terrorism and acts of war are not covered by any insurance policies, so far as I’ve ever seen.
Michael Borgia: Right. Yup, it’s a very good point. And there’s certainly a lot of debate right now. You saw the Justice Department earlier in June said that they haven’t labeled them terror, but they said they would be handling them in a similar rubric to the one they use to handle terror. So we do see a bit of a collapse of those concepts. And the liability point you addressed is a very good one, too. Right now it’s hard to say. We don’t have comprehensive legislation in this area. And what that’s often led to is sort of a name-and-shame rubric. If you have a breach, then everyone says, “Boo to you,” and you get a lot of criticism, and maybe you get fined. If you have terrible security but just don’t happen to have a breach, or not one that gets reported, you are effectively off the hook. So, it is a little hard to advise clients in that space exactly. One thing we might see, although, as you know, it’s just hard to know and hard to see where it would come from right now, is more comprehensive legislation or regulation around, what should I be doing? Because ultimately the test of liability here should not be, did you have a breach? It should be, what are your risks? Are your controls addressing those risks? Mistakes happen, advanced adversaries get through defenses. It shouldn’t be strict liability; it should be the quality of your program that matters here.
Tom Temin: To summarize, then, what is it you’re telling clients to do? They say, “Oh my gosh, I got a letter from the government.” And they say, “I have key responsibility, and the government is there to help.” That can cut both ways in terms of people’s sense of reassurance?
Michael Borgia: Absolutely, it can. What we’re telling clients a lot right now is to think hard about their risk; in the industry we call this a risk analysis or risk assessment. Really think about what the risks are that you have, and then start, through a risk management process, developing cyber controls. Those could be technical controls, like encryption, firewalls, etc., but also training and other types of policies, administrative and operational controls. And be able to articulate why your program looks the way it does. If you have a breach and you’re missing some control, a government regulator of some kind will potentially come in and say to you, “Well, why don’t you have that? This system didn’t have two-factor [authentication]; it should have.” Rather than, post hoc, trying to say, “Well, here’s why it was missing,” have an explanation ready for the reason our cybersecurity controls and systems look the way they do: we have risks, we’ve addressed the risks in this way, and there are certain ways in which we decided that we wanted to balance operability over security because of the relatively low risks. That’s the kind of conversation you want to be able to have. But you want to have done that before. It is much harder if you’ve never done that, you have a breach, and then you are trying to piece this together and say, “What’s an explanation for why it looks this way? Because we actually hadn’t thought about it before.”
Tom Temin: And basically, then you would say that cybersecurity and its implications, and this is again not a new thought, but it’s a thought we need to reinforce, I guess, has to be top of mind for the top of the company, and not something you delegate to the computer guys.
Michael Borgia: Absolutely. I mean, the computer guys are obviously essential, but it is not purely, maybe not even entirely, or mostly, a technical problem. The technical controls are part of it. But it’s a whole program. Just like any other program in your company, you need policies, you need procedures, you need training, everyone has to be involved. And unfortunately, those things cost money, too. So you need leadership, you need a budget, you need a strategy and a direction.
Tom Temin: Michael Borgia is the information security group practice leader and a partner at the law firm Davis Wright Tremaine. Thanks so much for joining me.
Michael Borgia: Thank you. Appreciate it.