FireEye’s December 2020 announcement that the company had been the target of a nation-state cyberattack led to a series of revelations about major intrusions into government and business systems. Theresa Payton, the federal CIO in the George W. Bush administration, author of the book Manipulated and CEO of Fortalice Solutions, talked to FedTech about how to cope with the ever- changing cybersecurity situation.
FEDTECH: What do you see as the key areas of cyber concern for the Biden administration?
Payton: The administration filled a lot of critical cybersecurity roles and leadership roles; that’s really important. I’d give them high marks on saying they want to do a major infrastructure overhaul, including broadband. And cybercrime is way up on every level; ransomware is way up, extortionware is way up, individual identity theft — every single part of the cybercriminal handbook has accelerated. It’s incredibly concerning.
FEDTECH: It does seem as though there has been an increase in the number of cyber-security alerts in the past year.
Payton: And those are just the things that have been reported and are known. Firms like mine, we’re working on things that are not going to be reported, because there’s no mandate to report it — that’s the client’s call. We always encourage every client to report to law enforcement. If they don’t have a required data breach disclosure, we still encourage them to report for the greater good, because DHS reports cover only what is reported and known.
FEDTECH: Why do nation-state affiliated attackers seem to get more attention than other cybercriminals?
Payton: The nation-states focus on the government-industrial complex. We know the most about the nation-states because that element has been going on for so long. A lot of the cybercriminal syndicates operate like fraud rings, and we’re very good at busting up fraud rings. But the cybercrime element is probably the youngest part of what we’re looking at. Attribution is a little harder; many cybercriminal syndicates are loose collectives, so they’re hard to identify.
The other challenge is cyber incident fatigue; every week there’s something. Everybody’s overwhelmed with life, and this is just one more thing.
FEDTECH: Should any enterprise that has been attacked be required to report it?
Payton: Candidly, I have mixed emotions on this. On the one hand, I would love for every victim of a cybercrime, whether it’s a business or individual, to report it. From a greater-good perspective, it could help. But I have really mixed emotions because of our lack of remedies for individuals and organizations once you are a victim of a crime.
FEDTECH: How valuable would it be for government agencies such as CISA to have the authority to hunt down cybercriminals?
Payton: For CISA, you have to work out the legality of it. Most critical infrastructure is owned by the private sector, so what is your jurisdiction? Second, attribution is very hard. If you’re taking action against the perpetrator, but they’re actually hiding on an unsuspecting victim’s infrastructure, are you taking action against an innocent bystander who doesn’t even know they’re being used? There’s a lot of really interesting, innovative thinking there, but the practicality of executing has challenges.
FEDTECH: Is it possible to tell how much impact the SolarWinds hack has had on agencies?
Payton: In a supply chain event where a code base was compromised and installed, and then stealth access was allowed for months because of that, you don’t ever really, truly have a handle on what you’re dealing with. The only way to ensure ongoing trust is that you can’t trust what you had. That’s the challenge with something of this magnitude. I don’t think we’ll ever fully know the extent of the damages.
FEDTECH: Did the environment of the past year, with people working at home and endpoints scattered outside offices, make everything more vulnerable?
Payton: While SolarWinds began before the pandemic, when I’m advising companies and government organizations now, I say, “Look, if you had a roadmap to do replacements, this could be a really good time to not convert, but to move over and retire.” Take this opportunity to do some cleanup, and then think about what the ongoing playbook should be to avoid the next SolarWinds.
But you don’t want to be so focused on that incident that you miss the point, which is that software code was compromised. This could just as easily have been open source that was implemented into a commercially available product. Open-source development is incredibly popular, but with it comes risks to the supply chain.
FEDTECH: What cybersecurity issue worries you the most?
Payton: I am very, very concerned right now because I am dealing with many cyber incidents that involve ransomware. We have a reputation for helping companies get back online without having to pay. But the insurance companies are starting to say, “We’ve done the numbers, and it’s cheaper for us to pay the ransomware to the syndicate than it is to pay for your restoration.” So I don’t see this problem getting better anytime soon because we’re paying ransom.
The only way to beat these ransomware syndicates at their own game is to have the best and brightest building the master key to unlock the doors so we don’t have to pay. I would like to see that be a major part of critical infrastructure buildout. We just have to put the focus and the resources on it.