A string of recent state-sponsored cyberattacks has US government agencies stepping up their cybersecurity protocols and advisement, creating pressure for private-sector companies to shore up their defenses or risk potentially devastating hacks.
Strengthening cybersecurity is more important than ever ahead of midterm elections in the US, as nation-backed hackers tend to ramp up attacks worldwide on critical systems during politically active cycles, according to cybersecurity advocates. Russia’s invasion of Ukraine in February has also been followed by an increase in Russian-backed attacks on targets in Western nations.
Many companies in industries such as health care and manufacturing lack sophisticated cyber protections, but taking proactive steps now can help prevent security breaches and costly litigation down the road, attorneys say.
Companies should automate online threat testing in the wake of ransomware operations by Iranian-affiliated hackers targeting US critical infrastructure, the Cybersecurity and Infrastructure Security Agency warned in a Sept. 14 multinational cybersecurity alert.
The CISA advisory coincided with the US indictment of three Iranian nationals accused of hacking and extorting electricity providers and a construction company working on infrastructure projects. Ransomware attacks that encrypted computer systems—allegedly conducted by Iran and Russia—in recent weeks have also hit NATO allies, including Montenegro and Albania.
Some state-sponsored attacks may mimic regular ransomware hits, but they’re potentially much more dangerous. While a rogue hacker usually seeks monetary gain, a nation behind a breach also can use the information accessed for intelligence or political purposes, said Melissa Krasnow, a partner at VLP Law Group in Minneapolis.
The 2020 SolarWinds breach, for example, compromised the cyber defenses of nine federal agencies as well as many private-sector systems after Russian hackers included malware in an update to the firm’s Orion software widely used by the government and large companies to monitor IT performance.
The advisory issued by CISA speaks to the “significance and the pervasiveness” that known vulnerabilities pose to security systems, Krasnow said.
Preventable hacks that exploit these vulnerabilities are best addressed with strong “cyber hygiene” practices, such as regularly updating and patching operating systems, encrypting backup data, and limiting access to administrative log-in information, Krasnow said.
Preventative Measures
Perhaps the most impactful cyberattack felt directly by the US public in recent memory came in May 2021, when Russian ransomware hackers breached the Colonial Pipeline systems and disrupted the country’s largest oil pipeline’s operations for several days. The hack sparked short-term gas shortages and price hikes for customers, litigation against the company, and tighter federal security rules for pipelines.
Another example of US vulnerability to targeted attacks occurred only two months earlier, when a cyberattacker gained access to a Florida water treatment plant and created a toxic chemical imbalance that was corrected before anyone was harmed.
The public health-care sector and infrastructure like water and power plants are especially prone to state-sponsored attacks that could hamper operations because they generally lack the resources to erect the kind of cyber defenses that many private-sector targets can afford, according to Robinson & Cole LLP partner Linn Freedman.
“They’re not thinking about cyberattacks, because they’re providing basic services to people using systems that are usually legacy type systems,” Freedman said. “And those are obviously critical industries that our adversaries would be interested in attacking to effectuate chaos and difficulty.”
State-sponsored attacks may focus on vulnerable links in the industrial supply chain for the same reason. Manufacturers are also often hit by nations like China, which can reap economic gains from swiping intellectual property of US-based companies, she said.
Taking preventative measures is paramount to limiting legal liability and the societal damage that successful security breaches can cause, Freedman said.
Understanding the full extent of cyber threats in a sector can be daunting, but resources like the MITRE ATT&CK framework make the process less opaque. MITRE ATT&CK, considered the “encyclopedia of threat actors and tactics,” serves as a useful starting point for taking preventative measures, according to cyber defense adviser Adam Isles of The Chertoff Group.
“We see in many cases situations where security has been partially implemented, and it’s really the exception that ends up creating the issue,” Isles said.
He added that conducting initial security diagnostics using a framework like MITRE, automating threat tests, and developing a rapid mitigation plan to lessen the impact of any potential attack are all best practices.
Following alerts from the FBI and CISA is another useful way of remaining informed on the cyberthreat landscape, as the agencies have coordinated the best collaboration between public and private sectors Freedman said she’s seen in her career.
‘Whole Key to Cybersecurity’
Several attorneys and cyber industry stakeholders noted that the federal government is prioritizing cybersecurity communications and funding more than it has in years.
“We all talk about public-private partnership as the whole key to cybersecurity,” said Andrew Rubin, CEO of cybersecurity company Illumio. “The government has to work with private industry, private industry has to work with the government, and I think we’re probably in a better place on that than we’ve ever been. CISA is doing a great job of embedding itself in that conversation, especially recently.”
The first round of grant applications for $1 billion in cybersecurity funding from the federal government recently opened, and software companies contracting with the government must meet more stringent cybersecurity measures, per a recent memo from the Office of Management and Budget.
Attorneys and data-security professionals also identified vendor contracts and cyber liability insurance as two forces that will push everyone toward better cybersecurity outside of government action.
“I’m advising most of my clients, unless there’s a very good reason not to, to pursue [policies] if they don’t have it, and I think organizations see the need for insurance,” VLP Law Group’s Krasnow said.
The cyber insurance market has become increasingly competitive, she noted, as rising claims have pushed providers to raise the security requirements for obtaining or maintaining, a policy.
Insurance coverage for state-sponsored hacks may also become more difficult to obtain. Lloyd’s of London, the world’s largest insurance marketplace, last month issued a mandate for companies in its market to stop selling insurance covering state-backed cyberattacks. That move could drive other global insurances to restrict that type of coverage, attorneys previously told Bloomberg Law.
Vendor contract provisions and auditing will similarly ensure that business partners meet basic security requirements like multi-factor authentication and data encryption, serving to “enhance cybersecurity all around,” Freedman of Robinson & Cole said.
“You can’t prevent all incidents, you cannot,” she said, but added, “the more barriers you can put in front of them, the better.”
To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com
To contact the editors responsible for this story:
To read more articles log in.
Learn more about a Bloomberg Law subscription.