- Cybersecurity Threats to National Security, the Biden Administration's Proactive Response. Today we're gonna talk about common cybersecurity incidences. And for those companies or organizations that experience such, we're gonna talk about the common sensitive data that those companies or organizations typically maintain, which are subject to regulatory oversight. Next, we're gonna talk about the cybersecurity landscape and the national security implications of that. Finally, we're gonna talk about the Biden administration's response here in the United States. My name is Ericka Johnson, I'm an attorney here in Washington, DC at Squire Patton Boggs. I primarily assist organizations, both private and public as well as government organizations respond to global and domestic ransomware attacks and data breaches for clients across a variety of industries. Those include healthcare, financial, automotive and among others, education. I have experience working with IT forensic firms to help my clients understand and meet their various legal obligations. I frequently interface with law enforcement and industry specific regulators in the United States and abroad and coordinate filings with and responses to inquiries from regulators around the world. Prior to joining private practice at Squire Patton Boggs, I served for six years as a judge advocate in the United States Marine Corps, where I specialized in among other things, cybersecurity operations. And I welcome the opportunity to speak with you here today. So let's get started. The first thing we're gonna talk about today are common cybersecurity incidences, and we're gonna do a deep dive into threat actors, various schemes that unfortunately we see on a daily basis. The first scheme we're gonna talk about are ransomware attacks. Let's start by defining it. 
Ransomware is a malware that is surreptitiously deployed across an organization's environment that is designed to deny an organization access to its computer files, essentially kicking out an organization out of their entire IT network. By encrypting these files and demanding a ransom payment or an extortion fee for the decryption key, which would allow the company to get back into their computer files, threat actors endeavor to place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files and to become operational once more. Now, threat actors create this position in several ways. The first thing threat actors endeavor to do is destroy an organization's backups prior to deploying the malware so that organizations feel and in fact, really oftentimes do have no other choice but to purchase a decryption key to recover their files and regain access to their systems to become operational again. Threat actors also put organizations in this position by stealing sensitive data and threatening to publish the data so that organizations feel that they have no other choice but to pay the ransom or extortion fee in exchange for the threat actors' promise to destroy the stolen sensitive data. So threat actors really put organizations in a tough position such that organizations feel, I'll pay the ransom because it's the easiest and cheapest way for our organization to regain access to our files and begin operations once more. Now organizations are typically asked to pay the ransom in some form of cryptocurrency, for example, such as Bitcoin or Monero, and they must pay it in exchange for the decryption key or to destroy stolen data in order to make it difficult to trace the funds back to threat actors. So threat actors really like to leverage cryptocurrency because it's very hard to trace it back to those threat actors. 
And so it becomes a convenient way for threat actors to receive millions of dollars in extortion fees without the fear of perhaps that money being traced back to their organizations. Now many organizations have some pretty standard considerations on whether or not to actually pay a threat actor this ransom fee. Organizations tend to pay the ransom when they have no viable backups and cannot otherwise recover their data, which is necessary for their business continuity, for their business operations, they are literally handcuffed. They cannot have access to operate their business or their organization. Another consideration to pay the threat actor the extortion fee is that the data that this threat actor has exfiltrated or stolen is so sensitive that the organization decides to pay to mitigate the risk of data leakage, including the risk of litigation or reputational harm. So oftentimes we see organizations that have perhaps customer data or health data, their concern is that they're going to be sued if this data becomes public. And so they pay the ransom to mitigate that risk of that data going public and then raising more potential for litigation and again, reputational harm. But some organizations take a totally different stance. Some organizations take the position that no matter if I don't have viable backups, no matter if my reputation or litigation is a potential risk, organizations will take the position that they morally will not pay the ransom because they will not pay to perpetuate criminal behavior no matter the consequences. And so you see this dichotomy between organizations and those who decide to pay the ransom, whereas those who decide morally for moral reasons that they will not pay, again, no matter the consequences. Either way, threat actors are highly sophisticated. And so they will engage in several high pressure tactics to get companies to pay the ransom. 
So some examples that we've seen recently is that they'll call an organization's CEO, CFO, the board of directors using prerecorded messages and threatening to post data or to notify the media or to notify, for example, shareholders, if the ransom isn't paid. Other times they'll email the company, individuals within the company samples of stolen data, and they'll threaten to post the data and notify again, the media, if a ransom isn't paid. Now threat actors can use these high pressure tactics by oftentimes giving an abbreviated timeline. You have 24 hours to pay the ransom, 48 hours to pay the ransom. Again, it's high pressure tactics to get a company to pay the ransom. Now let's talk about the practical impacts to organizations from experiencing a ransomware attack. First, companies generally experience an extended downtime in which their organization experiences less than 100% productivity or a material business interruption. In other words, oftentimes because an organization's environment is encrypted, they simply cannot operate. And for those who perhaps may operate, it's certainly well below 100% of their productivity level. So what are some examples of that? Well, for example, employees may not be able to access their emails to communicate internally. This makes it difficult to coordinate workarounds, to perhaps a system that everyone needs to access. If you are a manufacturing company and you can no longer manufacture, well, if your emails are down, it's hard to coordinate those workarounds. Similarly, oftentimes we'll see a whole phone system will go down. So again, it makes it hard to communicate internally, such that workarounds become very difficult to deploy, particularly if you're a company that operates globally. Second, employees may not be able to operate or rather they may not be able to communicate externally. So this includes your customers, vendors, suppliers, or other third parties. 
Now, the problem with that is this often raises questions by external parties as to the nature and scope of the incident. Business partners may wanna know why are they not being communicated? Why can't they speak to their points of contacts? And once they have an inkling that the company may have experienced some type of cybersecurity incident, business partners typically wanna know immediately whether or not their own data was impacted. And so that becomes difficult for organizations while they're having a hard time operating internally, then having to manage their communications and their relationships with their third parties. So that's another real practical impact for companies. And for many companies that rely on manufacturing as part of their organization, oftentimes we see production lines that come to a complete halt and those timelines to meet orders are absolutely disrupted. Suffice it to say that no matter what the organization does to make money, they will experience typically an extended downtime that reduces their productivity and makes it very difficult for organizations to operate. The second practical impact to organizations is that they may suffer brand reputation or may suffer damage to their brand reputation. For example, consumers and business partners may no longer trust the organization with their sensitive data and may no longer wanna do business with the data with the organization. Third, organizations may suffer exposure of sensitive data as threat actors steal sensitive data to encourage companies to make ransom payments as we previously discussed, leading to legal fees to meet notification obligations, as well as potential lawsuits filed by those affected by this exposure of sensitive data. 
The fourth practical implication is that organizations may suffer financial losses associated with the ransomware payment, as well as again, attorney's fees to meet notification obligations, pay forensic fees to secure the IT environment and other fees to restore the company's IT environment, for example, by implementing a decryption key and strengthening the IT environment. So financial losses are a real issue for organizations as a practical impact of a ransomware attack. So some interesting statistics, according to the FBI, there was a nearly 21% increase in reported ransomware cases and a 225% increase in associated loss from 2019 to 2020. In other words, ransomware attacks are becoming more prolific and more expensive. According to Forbes, cyber crimes cost US businesses more than 6.9 billion in 2021 and only 43 of businesses feel financially prepared to face a cybersecurity attack in 2022. Suffice it to say ransomware attacks are operationally devastating and very expensive for organizations. And as we'll discuss shortly lead to many regulatory implications. The second type of common cybersecurity incident is the business email compromise. A business email compromise is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business. A business email compromise also known as a BEC occurs when a threat actor sends an email message that appears to come from a known source. That's making what appears to be a legitimate request. So let's talk about some common examples. Some common examples of a threat actor posing as a known source include a vendor your company regularly deals with sends an invoice with updated banking information to a fraudulent account when in fact that vendor that you trust is really a threat actor and that banking information is a threat actor's fraudulent account. 
Another example is a company CEO asks her assistant to purchase a dozen gift cards to send out as employee awards, whereby she asks for the serial numbers so she can email them out right away. Again, the company CEO is a threat actor and those gift card numbers are just gonna be used to fund the threat actor's continued operations, and they're definitely not going to the employees. A third example that we've seen is a company CFO directs a subordinate to send money to vendor for past due payments, providing banking information to a fraudulent account. Again, the CFO is a threat actor and believing that the threat actor is in fact the CFO, the subordinate sends the money to what he believes is a real vendor. And again, that money is going straight to the threat actor to fund their continued operations. These and similar schemes are used to steal millions of dollars annually. So how do criminals carry out this business email compromise? They actually use a variety of different tactics. First, a threat actor can spoof an email account by making slight variations to a legitimate address fooling the victim into thinking fake accounts are authentic. So to be more clear, they'll change a few letters within a person's email account and your quick look at that email account, you think it's legitimate because you don't notice the L has been changed to two Ls or a name has been added, a different domain name account as opposed to the correct domain name, but that slight change allows threat actors to pose as legitimate individuals tricking their victims into complying with whatever the request is of the threat actor. A second tactic is a threat actor can send spear phishing emails, which are messages that look like they are from a trusted sender to trick victims into revealing confidential information. That information lets threat actors access company accounts, calendars, which gives them the details they need to further carry out business email compromise schemes. 
Third, through phishing emails, a threat actor can inject malicious software to infiltrate a company's network and gain access to legitimate email threads concerning, for example, billing and invoices. Threat actors can then use this information to send more spoofed emails to misdirect funds or gain access to sensitive data within user email accounts. Again, threat actors are highly sophisticated as we discussed earlier, and they'll use these schemes to pretend to be someone who is trusted in order to steal money from unsuspecting victims. The third is data leakage. Data leakage refers to the unauthorized passage of data or information from inside an organization to a destination outside of an organization's secure network, which can occur inadvertently or intentionally. Common examples of data leakage include emailing sensitive data to the wrong recipient outside of an organization wherein the data was not encrypted or password protected. We see this very often sending out HR records to the wrong person who they think it's internal, the attempt to send the HR record internally, and they accidentally send it to someone outside the organization. And next thing you know there's 5,000 Social Security Numbers and names that have now been misdirected outside of the organization. Another common example is when an employee posts company data to a public forum, and oftentimes we'll see this in the IT world where an employee will post something thinking it's allowed, it's publicly available information when in fact there's embedded sensitive information in there. And so this can be done accidentally, which the inadvertent is what's a little bit more common, but sometimes you do see, for example, employees that are disgruntled employees will send information, post it publicly before quitting. So that's another example of where we've seen the intentional disclosure of company data. 
Now, regardless of whether certain sensitive data was inadvertently or intentionally leaked, the exposure may still result in legal notification obligations. And so that's important to understand that the exposure of this sensitive data is really where you need to look at the legal considerations. Now that we've talked about common cybersecurity incidences, for those organizations that do experience a cybersecurity incident, let's now transition to talk about what is that common sensitive data that if impacted by a cybersecurity incident may be subject to regulatory oversight. And unfortunately this type of highly sensitive data is a threat actor's gold mine and is exactly what they're gonna be looking for when they're engaging in these types of cybersecurity incidences. The first type of common sensitive data subject to regulatory oversight is personally identifiable information or PII. PII in general is any data that could potentially identify a specific individual. Every American state and territory has a data breach notification law uniquely defining personally identifiable information and requiring notice to individuals, and in some instances, regulators, for the compromise of personally identifiable information. Personally identifiable information is generally defined as a person's first name or first initial and last name and some other category of sensitive data, for example, a government issued number or ID like a Social Security Number, a driver's license, a military ID or it could be a credit card or banking information. It's some type of sensitive information that a state has defined must be protected and defines it as PII within that specific state. Now for organizations that are victims of some type of cybersecurity incident, this generally applies to their own employees. So generally we see this in human resources records or it could be their customers. 
And so we see this with those who do business directly with customers, perhaps it could be their banking information and their names. Regardless, threat actors specifically seek out this information because they could readily monetize it by selling the stolen information on the dark web. So what you'll typically see are threat actors when they're in an environment and as we discussed earlier, prior to deploying a ransomware or the malware across an IT environment, they'll steal sensitive data. Oftentimes they'll run scripts to specifically look for personally identifiable information, and then they'll steal that for the purpose again, to strong arm the organization into paying a ransom so that sensitive data is not posted on the dark web. Now, if a company decides not to pay the ransom, a threat actor will monetize that event by selling personally identifiable information on the dark web, again, to monetize as much as possible, their cyber attack activities. The other type of common sensitive data subject to oversight is something called business confidential information or BCI. In general this is information that is subject to a non-disclosure agreement or some other similar agreement. Many companies enter into agreements to protect sensitive information such as trade secrets, proprietary or confidential information or an underlying patent information. Such agreements often require a victim organization to notify its business partners regarding the compromise of business confidential information. Now as discussed in the previous slide, threat actors also seek out this information for the purpose of encouraging victims to pay their ransom. 
Because what they'll do is they'll oftentimes show the victim organization this sensitive data that's stolen and they will threaten to tell business partners that their data was stolen or post proprietary information on the dark web for purposes of strong arming the victim organization into paying extortion fees so that data will not be leaked. And again, mitigating the risk of potential litigation from those business partners. Note personally identifiable information and business confidential information, while both subject to potentially legal obligations in the event of compromise, this is not an exhaustive list as there are other industry specific types of data that may trigger notification obligations. Now that we've got a sense of what are some common cybersecurity incidences and what are some common data subject to regulatory or otherwise business oversight, let's now take a deeper dive into what is the current cybersecurity landscape, and frankly, what are those national security implications. To really understand this, we need to do a deeper dive into the Colonial Pipeline cybersecurity attack and President Biden's executive order. Now President Joe Biden's first watershed moment related to cybersecurity came in the form of the Colonial Pipeline ransomware attack. On May 7th, 2021, Colonial Pipeline suffered a ransomware attack that impacted computerized equipment managing the pipeline. The pipeline originated in Houston, Texas, and carried gasoline and jet fuel to the Southeastern United States supplying about 45% of all fuel consumed on the east coast. As a result of the ransomware attack, the pipeline was shut down for six days resulting in fuel shortages at filling stations, amid panic buying and leading to the average fuel price soaring to the highest since 2014 to meet demand. The threat actor stole nearly 100 gigabytes of data and threatened to release it on the internet if the ransom was not paid. 
Again, this is a good example of the threat actor strong arming an organization into paying a ransomware or ransom. The company ultimately paid 4.4 million to the threat actor known as DarkSide. Now let's talk about President Biden's response. Images of panic buying at the pump, long gas lines, and over 10,000 gas stations without fuel riveted the everyday American when they're watching this unfold. It was a clear example of the national security implications of cybersecurity and its impact on everyday America and the Biden administration took note. On May 12th, 2022, President Biden signed Executive Order 14028, known as the Executive Order on Improving the Nation's Cybersecurity. The executive order notes that, "It is the policy of my administration, that the prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security." The executive order was focused on increasing software security standards for sales to the government, tightening detection and security on existing systems, improving information sharing and training, establishing a cyber safety review board and improving incident response. But as you can see, this executive order was focused on the federal government. President Biden provided in the executive order that the federal government must lead by example. And that's exactly what this executive order was meant to do. It was meant to lead the private sector by example, by investing and in revolutionizing and more regulating the federal government to increase cybersecurity. President Biden sought in effect to lead by example so that the private sector could do the same given the clear national security implications of cybersecurity threats. In addition, this executive order, it really served to set the priority for the Biden administration's priorities. 
From that, various legislators and regulators have identified cybersecurity as a key focus, implementing new laws and regulations to encourage businesses in various sectors to enhance cybersecurity protections for sensitive data. Additionally, regulators are increasingly pursuing enforcement actions related to cybersecurity to encourage businesses in various sectors to enhance security protections for sensitive data. In effect, by setting the example, President Biden also set the priority that cybersecurity needs to be a priority, not only for the federal government, but for the private sector, and in doing so, he set the priority for the federal government to do what it could to ensure the private sector followed suit. So let's take a deeper dive now into the Biden administration's response to the ever growing cyber threat to national security. And what you'll see here through numerous examples is that President's administration has taken an expanded interpretation of existing regulations and an increased view on enforcement. Now let's take a deeper dive into the Biden administration's response to the ever growing cyber threat to national security. Specifically we'll take a deeper dive into the expanded interpretation of existing regulations and an increased focus on enforcement. So some examples of expanded interpretation of existing regulations will be our next topic. Under President Biden's administration, regulators are more broadly interpreting existing cybersecurity regulations. Let's get into the examples. On September 15th, 2021, the US Federal Trade Commission, or the FTC issued a statement on breaches by health apps and other connected devices. The statement offered guidance on the scope of the FTC's Health Breach Notification rule under 16 CFR Part 318. 
Given the explosion of health apps and connected devices, it clarified that vendors of personal health records or PHR and PHR related entities must notify US consumers and the FTC and in some cases, the media, if there has been a breach of unsecured, identifiable health information, and if they don't, they may face civil penalties for the violations. Now what was so interesting about this statement is that the rule had been issued over 10 years ago, perhaps at a time where health apps weren't even something that was considered. But to date, it had never been enforced. Accordingly, the commission stated that it intends to bring actions to enforce this rule consistent with the policy statement. And truly what it was, it was a call to those who had healthcare apps that they needed to be aware that the FTC was gonna take this very seriously. And so those who did experience some type of cybersecurity incidents, which led to unsecured identifiable health information needed to ensure they complied with their notification obligations. And as we discussed earlier, threat actors understand sensitive data, like for example, identifiable health information. And it'll specifically look to exfiltrate such data to monetize it either for the extortion or perhaps to sell on the dark web. And so this is a good example of the FTC using existing regulations to further expand the scope of ensuring that private entities and organizations are taking cybersecurity seriously, or in this case face civil penalties for violations of failing to notify those affected individuals. Let's talk about another example, on November 18th, 2021, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and the Office of the Comptroller of Currency approved a Final Rule concerning notification obligations for US banks. 
The Final Rule requires a banking organization to notify its primary regulator, federal regulator of any significant computer security incident as soon as possible, and no later than 36 hours after the banking organization determines that a cybersecurity incident has occurred. Notification is required for incidences that have materially affected or are reasonably likely to materially affect the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector. In addition, the Final Rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer security incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours. In effect in creating such a short notification timeline, regulators are showcasing that financial organizations need to be prepared because if they're not prepared, there's no way they would meet this 36 hour notification requirement. So it's again, using existing regulations to ensure that the private sector is taking cybersecurity more seriously and preparing to meet those challenges of the existing cybersecurity landscape. More examples, on February 9th, 2022, the US Securities and Exchange Commission voted to propose rules related to cybersecurity risk management for registered investment advisors and registered investment companies and business development companies or funds as well as amendments to certain rules that govern investment advisors and fund disclosures. More specifically, the proposed rules would require advisors and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors. 
The proposed rules also would require advisors to report significant cybersecurity incidences affecting the advisors or its funds or private fund clients to the commissioner on a new confidential form. Finally, the proposal would require advisors and funds to publicly disclose cybersecurity risks and significant cybersecurity incidences that occurred in the last two fiscal years in their brochure and registration statements. Again, another federal regulatory organization, in this case the SEC expanding upon existing authorities to ensure that private organizations are more prepared to meet the challenges of the existing cybersecurity landscape. Now on March 9th, 2022, the US Securities and Exchange Commission, the SEC again, proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident response reporting by public companies. So again, it's a different entity, but the SEC is taking the same stance for public companies. The proposed amendments would require among other things, current reporting about material cybersecurity incidences, and periodic reporting to provide updates about previously reported cybersecurity incidences. The proposal would also require periodic reporting about a registrant's policies and procedures to identify and manage cybersecurity risks. The registrant's board of directors oversight of cybersecurity risks, and then management's role in expertise in assessing and managing cybersecurity risks and implementing cybersecurity policies and procedures. The proposal would further require an annual reporting of certain proxy disclosures about the board of director's cybersecurity expertise if any. Again, it's a federal agency requiring a private company to ensure that they've got the appropriate policies, procedures and controls to mitigate the risk of a cybersecurity incident. 
And again, to allow those who are investing perhaps in public companies to understand what risks if any, because of the organization's preparation or lack thereof for a cybersecurity incident. Again, this continues to show the administration's use of existing regulations to expand upon those authorities to ensure that the private sector is prepared to meet the evolving cybersecurity landscape. On May 20th, '22, the Federal Trade Commission issued a blog post titled Security Beyond Prevention: The Importance of Effective Disclosure. The FTC announced that the Federal Trade Commission Act codified as 15 USC 45 may create a defacto breach disclosure requirement for companies that experience a compromise of consumer data. Now Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC therefore reasons that it, in a blog posts that a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act by amounting an unfair or deceptive act or practice. Interestingly again, in a blog post, the FTC therefore broadly interprets the FTC Act to provide that the FTC has the authority to implement a federal breach notification law for organizations, again, utilizing existing regulations to interpret them broadly to now say that companies across America may now have a federal breach notification law to notify individuals of a breach that may affect their personal information and failure to do so may violate the FTC Act. That's a very bold move and a very broad interpretation of an existing authority. Now, in addition to increased interpretation of existing regulation, we've also seen the Biden administration take a position of increased enforcement of existing authorities to ensure that the private sector is taking cybersecurity seriously. On October 6th, 2021, the US Department of Justice announced a new Civil Cyber Fraud Initiative. 
The Civil Cyber Fraud Initiative utilizes the False Claim Act to pursue cybersecurity related fraud by government contractors and grant recipients. The initiative aims to hold accountable entities or individuals that put US information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidences and breaches. On March 8th, 2022, the Department of Justice announced its first enforcement action under this new initiative. A medical service contractor paid 930,000 to settle false claims allegations related to medical service contracts at State Department and Air Force facilities in Iraq and Afghanistan. According to the agreement, the medical service provider had failed to store medical records on a secure electronic medical recording system while submitting claims for the cost to do so. Again, this shows the federal government's willingness to leverage civil fraud enforcement to combat cybersecurity threats to the security of sensitive information at critical systems. It's a good example of increased enforcement using existing authorities to ensure that the private sector is taking cybersecurity seriously and preparing to meet the cybersecurity threats existing in this landscape. Another example of increased enforcement occurred on September 21st, 2021. The US Department of the Treasury's Office of Foreign Asset Control or OFAC issued an updated advisory on potential sanction risk for facilitating ransomware payments. The advisory explicitly provides that the US government strongly discourages all private companies and citizens from paying ransom or extortion demands. 
The advisory reminds US persons and companies that they are generally prohibited from engaging in transactions, including paying extortion fees to individuals on OFAC's specially designated nationals and blocked persons list or the SDN list or other blocked persons and those covered by comprehensive country or region embargoes. And this is in accordance with the International Emergency Economic Powers Act or the Trading With the Enemy Act. The advisory warns that OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if that person did not know or have a reason to know that they were engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC. In short, the advisory is meant to discourage extortion payments to threat actors. Now, typically those organizations that decide to pay a ransom to a threat actor, they will do something called a due diligence for an OFAC check. They will ensure to the extent practical that the person or persons or the threat actors that they're paying the ransom are not listed on OFAC's SDN list. Again, it's to mitigate the risks of running into sanctions violations. But what this advisory tells us is nothing new. This has been around for a long time, but it is a reminder that the federal government is going to continue to enforce this, to mitigate payments to threat actors who we shouldn't be paying. But also as a reminder, that it is the federal government's position not to pay extortion fees to threat actors, and again, to encourage the private sector to not even have to go down this road, ensure that you've got the internal cybersecurity controls to mitigate the risk of some type of ransomware attack, which would put you in the situation in the first place. And so this is a good example of the federal government using their existing authorities to increase enforcement. 
But one thing that this advisory also does is it encourages the implementation of cybersecurity preventative measures and cooperation with law enforcement. The advisory provides that meaningful steps taken to reduce the risk of extortion by sanctioned actors through adopting or improving cybersecurity practices will be considered a significant mitigating factor in any OFAC enforcement response. Another factor that OFAC will consider under the enforcement guidelines is the reporting of ransomware attacks to appropriate US government agencies and the nature and extent of a subject person's cooperation with OFAC, law enforcement and other relevant agencies, including whether an apparent violation of US sanctions is voluntarily disclosed. In other words, what the position that OFAC is taking is that in the event that a ransom is paid to a threat actor and a threat actor ends up being on the SDN list, if the organization has previously invested in improving their own cybersecurity practices, having appropriate policies and procedures, and IT controls in place and/or engages with its substantial cooperation with government agencies, law enforcement, or perhaps self-reports sanctions violations, that's really gonna be taken into account by OFAC in determining whether enforcement is appropriate. And again, it's a federal agency taking the position and putting forth an advisory seeking specifically to help the private sector and to guide the private sector in implementing their own cybersecurity risk mitigating measures, again, to combat the cybersecurity landscape that we are in now. Finally, OFAC strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to their local FBI field office, the FBI Internet Crime Complaint Center, and other US Secret Service offices as soon as possible. 
And really this is just to ensure that there is an appropriate response from the federal government to assist private organizations in responding to their own ransomware incidents, or excuse me, cybersecurity incidences. So now that we've talked about increased enforcement and a broader interpretation of existing cybersecurity or existing regulations, now let's shift focus to talking about the Biden administration's response to the ever growing cybersecurity threat to national landscape from the perspective of new bipartisan support for legislation. But to do so, we need to get a little bit of background on how we got here. On February 24th, 2022, Russia launched a full scale invasion of Ukraine. Now, attribution of Russia's malicious cyber activity against Ukraine, it awoke the international community to the national security implications of cybersecurity attacks. So previously we talked about Colonial Pipeline and how that really woke up the everyday American. The attacks on Russia really had that same effect, but it was really more so looked at by the international community really awakening the world to the effects of cyber attacks from almost like a war perspective and why is this? In the months leading up to and after Russia's illegal invasion of Ukraine, Ukraine experienced a series of disruptive cyber operations, including website defacements, distributed denial of service attacks and cyber attacks to delete data from computers belonging to government and private entities. By way of example, on January 14th, 2022, about 70 Ukrainian government websites replaced texts in Ukrainian with the words, be afraid and wait for the worst, and alleging that personal information was stolen. Website defacement, on February 15th, 2022, a large DDoS attack brought down the websites of the Defense Ministry, Army, and Ukraine's two largest banks, PrivatBank and Oschadbank. 
On February 23rd, 2022, data wiping malware was detected on hundreds of computers belonging to multiple Ukrainian organizations, including in the financial, defense, aviation and IT services sectors. Beginning on March 6th, 2022, Russia began to significantly increase the frequency of its cyber attacks against Russian civilians. Now, while we talked about the response globally from cybersecurity attacks and the national security implications from those around the world, let's talk about President Biden's and his administration's response to the Russia-Ukraine conflict. In March, 2022, President Biden warned US companies, particularly those operating in critical infrastructure sectors that based upon evolving intelligence, Russia may be planning a cyber attack against us. Now, during and around that time, the FBI had identified 140 overlapping IP addresses linked to abnormal scanning activities of critical infrastructure by those associated with Russia. The FBI warned that Russia's exploring its options for potential cybersecurity attacks on US companies in critical infrastructure sectors. Now, because of these warnings, in a speech President Biden admonishes, he says very specifically, "Let me be absolutely clear about something. It is not just in your interests that are at stake, it's the national interest at stake. And I would respectfully suggest it is a patriotic obligation to invest as much as you can." In other words, President Biden admonishes to the private sector that it is a patriotic obligation of companies, organizations, state agencies, it's their patriotic obligation to invest in cybersecurity because cybersecurity really truly does have national security implications as evidenced by the Colonial Pipeline attack. 
And so what you really see here is President Biden almost pleading to the American public that while the federal government can lead by example, as he did in the executive order, while they can increase regulatory enforcement, while they can more broadly interpret existing regulations, what President Biden really is saying is that he needs the private sector's assistance. And he really focuses on that patriotic obligation of them and tries to touch on that because President Biden understands that the federal government can only do so much, but the private sector really does need to take the lead on ensuring that they've got the appropriate cybersecurity policies, procedures and internal controls to mitigate the risk of a cybersecurity attack for their organization. And if the private sector does this across the board, we as a country will be in a much better position to mitigate the risks of cybersecurity attacks from abroad, for example, from Russia. And so that's really the approach that he takes and he really tries to appeal to that patriotic obligation to get the public sector, or excuse me, the private sector to respond. But on the other hand, you really see for the first time a bipartisan support, both Republicans and Democrats really understanding that cybersecurity is not a partisan issue, it's a patriotic issue, as President Biden would say. And so a good example of that is on March 15th, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act. And this was passed through bipartisan support. The act applies to organizations that operate within one of the 16 critical infrastructure sectors as defined in Policy Directive 21. This includes, for example, the energy sector, food and agriculture sector, financial services sector, and healthcare and public health sectors. 
These are critical areas that if, for example, a threat actor was able to bring down through a ransomware attack, it would have true national security implications. So for example, the energy sector, the Colonial Pipeline attack, it brought gas, gasoline and the ability to get gas to a complete almost stop on the east coast for an abbreviated amount of time. And that's exactly what this bipartisan support was meant to mitigate is that to help protect these critical infrastructure areas. So what does the act do? Under the act covered entities must report certain cybersecurity attacks known as covered cyber incidences to CISA within 72 hours of determining the existence of a cybersecurity incident. So they've got a reporting obligation within 72 hours. They also have to report ransomware payments. So if they actually make a payment, so for example, Colonial Pipeline, they have to report those payments within 24 hours. And they have to provide supplemental information if substantial or new information becomes available, and they must preserve relevant data about the incident going forward. And this is really to ensure that cybersecurity incidences are no longer handled in the dark by these critical infrastructures. Now, Colonial Pipeline was obviously very public because people couldn't get gas and it was all over the media, it was all over the news, but oftentimes cybersecurity incidences are responded to by an organization and they don't wanna publicize it for the reasons that we talked about at the very beginning of the presentation, reputational harm, financial loss, other reasons that for example, a company just would not want the public to know. But what this bipartisan bill says is that if you are operating in these 16 critical infrastructures, where if something happens to your organization it has national security implications for the American people, you have an obligation to let the federal government know. 
And the reason is it allows the federal government to now better understand these threat actors, be able to investigate them more, be able to provide more assistance and really try to leverage the resources of the federal government to fight these cybersecurity threat actors. Now, what the act does, and it provides is if a covered entity does not provide this information as they're required, the director may issue a subpoena to those organizations to compel them to provide that information. And if the organization, again, fails to provide that data, the matter may be referred to the Department of Justice to enforce the subpoena. And really truly, this is a way to ensure what this bipartisan bill does is it shows the federal government from a bipartisan perspective is going to continue to implement more regulations to protect the American people from these cybersecurity incidences. And so that's another key takeaway from the Biden administration that we anticipate seeing additional bipartisan support for new legislation to protect the American people from these threat actors. So some key takeaways from this presentation, number one, threat actors are highly sophisticated. They are highly organized, and frankly, they're not going anywhere. They're just gonna continue to become more organized and they're continuing to develop their tactics, techniques, and procedures so that they can monetize their cybersecurity attacks. And as we talked about, threat actors will always look to ways to monetize cybersecurity attacks, particularly as it relates to stealing sensitive data. So what we should anticipate is that these threat actors will continue to hit those types of organizations that they know have sensitive data. 
For example, hospitals, educators, colleges, or they'll hit to steal sensitive data because they understand that if an organization refuses to pay the ransom, they can still sell that data on the dark web to again, try to monetize it, because given that these threat actors are highly sophisticated, they're continuously looking for ways to make money and profit off of their cybersecurity attacks. But if you are an organization that experiences a cybersecurity incident, and so for example, your sensitive data has been stolen or has been accessed, you may be subject to several notification obligations around the world, not just domestically here in the United States, but there are certain cybersecurity or breach notification regulations in many countries around the world and in almost nearly in all first world, would you say, company or countries around the world. And so if you're an organization that operates globally, you need to be prepared to meet several notification obligations and on several different timelines around the world. Now, given that threat actors are incredibly sophisticated, they're gonna continue to look for ways to monetize their cybersecurity attacks. Given that landscape, the Biden administration has made cybersecurity a priority, and we believe that he'll continue to do so throughout his administration. And what does that mean from a practical perspective? That means that regulators will continue to interpret their authorities broadly to enhance private sector cybersecurity preparation, and we'll continue to see bipartisan support for legislation increasing cybersecurity regulations and enforcement. The key takeaway from this presentation is that threat actors will continue to engage in cybersecurity attacks. It'll continue to have national implications for the American public. 
And the federal government will continue to respond either through implementing new regulations, increased enforcement or by new bipartisan support for legislation because threat actors will continue to seek ways to monetize and the federal government will try to seek ways to protect the American public from these threat actors. Well, thank you for your time and for joining this presentation on the cybersecurity threats to national security, the Biden administration's proactive response, we hope you enjoy the presentation. And if you've any questions, please let me know. You can reach me at [email protected].
Cybersecurity Threats to National Security: The Biden Administration’s Response
Credit information
Jurisdiction | Credits | Available until | Status |
---|---|---|---|
Alabama | | | |
Alaska | 1.0 voluntary | | |
Arizona | 1.0 general | | |
Arkansas | 1.0 general | | |
California | 1.0 general | | |
Colorado | 1.0 general | | |
Connecticut | 1.0 general | | |
Delaware | | | |
Florida | 1.0 general | | |
Georgia | 1.0 general | | |
Guam | 1.0 general | | |
Hawaii | 1.0 general | | |
Idaho | | | |
Illinois | 1.0 general | | |
Indiana | | | |
Iowa | | | |
Kansas | | | |
Kentucky | | | |
Louisiana | | | |
Maine | 1.0 general | December 31, 2026 at 11:59PM HST | |
Minnesota | | | |
Mississippi | | | |
Missouri | 1.0 general | | |
Montana | | | |
Nebraska | | | |
Nevada | 1.0 general | December 31, 2025 at 11:59PM HST | |
New Hampshire | 1.0 general | | |
New Jersey | 1.2 general | January 16, 2025 at 11:59PM HST | |
New Mexico | | | |
New York | 1.0 areas of professional practice | | |
North Carolina | 1.0 general | | |
North Dakota | 1.0 general | | |
Ohio | 1.0 general | | |
Oklahoma | | | |
Oregon | 1.0 general | September 26, 2025 at 11:59PM HST | |
Pennsylvania | 1.0 general | | |
Puerto Rico | | | |
Rhode Island | | | |
South Carolina | | | |
Tennessee | 1.0 general | | |
Texas | 1.0 general | | |
Utah | | | |
Vermont | 1.0 general | | |
Virginia | | | |
Virgin Islands | 1.0 general | | |
Washington | 1.0 law & legal | September 22, 2027 at 11:59PM HST | |
West Virginia | | | |
Wisconsin | | | |
Wyoming | | | |