The DoD to Contractors: Time to be More Mature


Is your company’s cybersecurity program mature and effective?  When asked this question, most executives will answer yes, but the Department of Defense (“DoD”) disagrees.  According to Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Cyber:

“If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base [(“DIB”)] doesn’t have robust cyber hygiene. Only 1% of DIB companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”  

That is why the DoD recently announced two important changes to its approach to securing its supply chain: 1) cybersecurity costs will soon be allowable under DoD contracts, and 2) the creation of a Cybersecurity Maturity Model Certification (“CMMC”), which will be required under all DoD contracts.[1]

The DoD has not announced additional cost allowability details yet. Subscribe to our newsletter for more details when they become available.

Aggressive CMMC Implementation Timeline

The DoD knows it needs to make fundamental changes quickly to combat threats to its supply chain and has set out an aggressive timeline: CMMC Version 1.0 and the certification process will be finalized in January 2020, and the CMMC will be a mandatory go/no-go part of all solicitations beginning in September 2020.

CMMC Details

Rather than focusing on whether certain technologies are deployed in the contractor’s environment, the CMMC measures the maturity of contractors’ cybersecurity programs.  The CMMC will define five levels of maturity, from “basic” to “state-of-the-art”, and all government solicitations will soon include threshold maturity requirements for all contractor cybersecurity programs.  Every vendor on a contract, including subcontractors, must meet those maturity requirements or their proposal will not be considered.  Internal maturity evaluations are not enough: the maturity certifications must be conducted by third-party cybersecurity auditors who will conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.

Conduct a Maturity Assessment Now

Although the CMMC won’t be finalized until January, the uncertainty shouldn’t keep your company from acting.  In our experience, initial cybersecurity maturity assessments are a wake-up call for many companies, and it can take many months, or even years, for the companies to find the resources necessary to improve their maturity.  Assessing systems now will allow your company to improve its maturity before the CMMC requirements take effect.  Fathom Cyber’s maturity assessments use many of the industry standards upon which the CMMC is likely to be built so your company can start acting now.

For more details on the CMMC and how Fathom Cyber can improve your company’s cybersecurity maturity, visit https://FathomCyber.com/CMMC


[1] “Help Me, Help You”: Defense Department Advises Contractors That Cybersecurity Is An Allowable Cost – Damon Silver and Catherine Tucciarello – https://www.jdsupra.com/legalnews/help-me-help-you-defense-department-82203/ (last viewed 6/28/2019)

What Constitutes an Act of War?

We have discussed in the past the thorny issues associated with attributing a malicious act, like a cyber attack, on a nation-state actor. In particular, some insurance companies have attempted to avoid payment of large data breach claims when the claims arose from acts which were attributed to nation states. A recent decision by the U.S. Ninth Circuit Court of Appeals will make it harder for insurance companies to make that claim going forward.

In 2014, NBC Universal began filming a television show called “The Dig” which was to take place in, and be filmed in, Jerusalem. However, shortly after filming ended for the pilot episode, Hamas began attacking the city and NBC Universal was forced to move production to other locations. NBC Universal had purchased production insurance, and filed a claim with its carrier to offset the cost of the production changes. The carrier, OneBeacon Insurance Group, claimed that an “act of war” exclusion in the policy applied, and a US District Court agreed. The Ninth Circuit disagreed, arguing:

“Both ‘war’ and ‘warlike action by a military force’ have a specialized meaning in the insurance context and the parties had, at the least, constructive notice of the meaning[.] … The district court erred when it failed to apply that meaning. Under that specialized meaning, both ‘war’ and ‘warlike action by a military force’ require hostilities between either de jure or de facto sovereigns, and Hamas constitutes neither[.] … Hamas’ conduct consisted of intentional violence against civilians[,] conduct which is far closer to acts of terror than ‘warlike action by a military force[.]’” In this instance, “de jure” refers to “existing in law.”

In many cases, cyber breaches are attributed to groups affiliated with different nation-states (e.g., Fancy Bear, APT38, Clever Kitten, etc.), but which have not been formally tied to a particular nation. The actions are more akin to acts of terror than warlike action by a military force, and thus insurance companies will face a much higher bar when claiming that a cyber attack is the result of an act of war.

The Week in which Domestic and International Regulators Flexed Their Collective Muscles

This week saw European regulators impose stiff fines on both Marriott (equivalent to $123 million USD) and British Airways (equivalent to $229 million USD) for violating Europe’s General Data Protection Regulation (GDPR). Although the fines are far from the four percent (4%) of the companies’ annual revenue that was possible under GDPR, they still signal an intent by European regulators to force companies to pay more attention to cybersecurity and data privacy.

Many companies in the US have paid only passing interest to these stories because they take place on foreign shores where the companies do not conduct regular business. However, even in the US things are starting to get more interesting. The Washington State Attorney General’s Office announced late last week that it had successfully entered into a consent decree with Premera Blue Cross, the largest health insurer in the Pacific Northwest, over a data breach it suffered. As the Attorney General’s office stated:

“Premera had an obligation to safeguard the privacy of millions of Washingtonians — and failed[.]”… “As a result, millions had their sensitive information exposed. Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers’ sensitive health information was at risk.”

Premera will have to pay $10 million in fines (or roughly $1 per impacted individual), which is still well below the per-person fines imposed on Marriott ($4.10 per impacted EU citizen) and British Airways (almost $460 per person impacted). More significant than the fines, however, is the fact that Premera agreed to a multi-year program of regulatory oversight and audits, and that it agreed to make significant management changes to bring about a more security-focused culture throughout the organization.

The fines agreed to under the consent decree are also in addition to any damages assessed as part of a class action suit that is also pending. Those damages are reportedly approaching nearly $75 million USD.

Organizations creating defensible cybersecurity™ programs can demonstrate that they have been taking risk-appropriate steps to protect the information with which they are entrusted. This helps organizations reduce, and even eliminate, costly fines and penalties. To find out more about how your organization can benefit from defensible cybersecurity, contact Fathom Cyber.

Are Your Marketing People Creating Cybersecurity-Related Risks?

We are seeing an up-tick in enforcement actions from the Federal Trade Commission regarding vendor cybersecurity claims. The FTC’s recent settlement with D-Link, a major vendor of networking equipment and cameras, is just the latest example (a link to the settlement agreement appears below). The FTC charged the company with “participat[ing] in deceptive acts” when the company advertised that its equipment included top-of-the-line security measures. Although D-Link will avoid paying any fines, it must fundamentally overhaul its engineering and development processes. The company must also submit to an independent third-party review of all of its development processes and code.

Vendors need to be wary of the claims they make on their sites. Superlative phrases such as “100% secure”, “unhackable”, and “top-of-the-line” security carry with them significant risks, yet marketing people still love to use these phrases, creating risks for their companies. At the same time, mature buyers know there is no such thing as 100% security or an unhackable device. So why bother using these phrases?

https://www.ftc.gov/enforcement/cases-proceedings/132-3157/d-link

Low-Cost Goods and Services May Cost More in the End

We have written before about the importance of good vendor selection and vendor risk management processes for companies. The article below helps reinforce this. As research conducted by Finite State and ReFirm Labs shows, many low-cost devices, including network equipment, mobile devices, and IoT devices, include flaws in their firmware (the low-level software that controls how the equipment operates) that can allow an attacker to take complete control over the equipment. When reported to the vendors, in some cases the vulnerabilities are allowed to persist, and in other cases they are simply moved to other parts of the firmware, suggesting that these are intentionally planted.

Some organizations may feel that their internal data is not worth a criminal’s time, and that the risks associated with the low-cost goods may be acceptable. However, it is important to recognize that most organizations have partner and customer data, such as business plans, buying habits, intellectual property, and the like. This information is often the criminals’ ultimate goal, not merely the data belonging to the organization itself.

As your company evaluates new equipment, it is important to understand that price alone should not be the determining factor. In some cases, low-cost goods can wind up costing you more by introducing vulnerabilities that ultimately lead to cybersecurity incidents and data breaches.

https://breakingdefense.com/2019/07/hunting-huaweis-hidden-back-doors/

Patch…and Verify

tldr: If you use Microsoft Outlook for your E-mail client, whether for home, school, or work, please make sure you have applied all of the latest patches. Want to know more about why? Read on.

Almost all computer software contains bugs. Many bugs are, at least from a security perspective, benign, such as using a wrong mathematical formula or marking words as spelled improperly when they aren’t. However, some bugs create significant security problems. Take, for example, the bug described in the article below. In this case, an attacker can send malicious E-mails to a user and, because of a flaw that was discovered in Microsoft Outlook in 2017, the attacker can gain control over the victim’s machine and use that as a launching point for future attacks.

Like many companies, Microsoft responded quickly to the news that Outlook had a bug that made it vulnerable to attack and issued a “patch”, or updated version of Outlook, that addressed the security issue. Now here’s the rub: despite being available for nearly two years, many organizations and individuals have not applied the patch. In fact, things are so bad that the US Cyber Command, the group in the Department of Defense that is responsible for securing the US cyberspace, has issued a warning that reminds everyone to apply the patch or update to a newer version of the software.

If the patch has existed for nearly two years, why are there still so many vulnerable computers? Well, one reason is a lack of awareness. Many organizations and individuals simply aren’t aware that the patches are even available (despite notices in the software). Another reason is that some are afraid that the patch will break something else (“if it ain’t broke, don’t fix it”). Regardless of the reason, though, the fact is that the vulnerabilities fixed in most patches are real and being actively exploited by criminals and nation-state actors all the time and good patch management is the only effective way to address the risks.

Of course, it is important not only to ensure that patches are regularly run, but also to ensure that they were effectively applied. Sometimes patches fail, such as when the file or application being updated is in use, and it is important to review the patching logs or notices after the patching process completes so you can be sure the patch was properly installed. In some cases, additional assistance may be needed. For example, we recently identified and solved a problem at a client where one machine had been regularly trying to apply a patch for the past 18 months.

Organizations and individuals should get in the habit of allowing automatic updates to their computers, including the operating system and any software that runs on it. If there are logical reasons not to allow automatic updates, then regular (e.g., weekly or at most monthly) review and application of existing patches is critical to ensuring good cybersecurity.
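The “verify” half of the advice above can be automated. The following PowerShell script is an added example, not code from the Fathom Cyber article: it reads the local Windows Update history through the standard Windows Update Agent COM API (Microsoft.Update.Session) and flags any update, Outlook or otherwise, that has failed repeatedly without ever succeeding, which is exactly the “retrying for 18 months” condition described above. The thresholds (`$MinFailures`, `$LookbackDays`) are assumptions chosen for illustration.

```powershell
# Added example (not from the article): summarise Windows Update history and
# flag updates that keep failing without ever succeeding. Relies on the
# Windows Update Agent COM API, so run it on the Windows machine being checked.

function Get-RepeatedPatchFailures {
    param(
        [int]$MinFailures  = 3,    # assumption: failed attempts before a title is flagged
        [int]$LookbackDays = 540   # assumption: roughly the 18 months in the anecdote
    )

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }

    $since   = (Get-Date).AddDays(-$LookbackDays)
    $history = $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Date -ge $since -and $_.Title }

    # WUA ResultCode values: 2 = Succeeded, 3 = SucceededWithErrors,
    # 4 = Failed, 5 = Aborted. Grouping by title makes repeated attempts visible.
    $history | Group-Object -Property Title | ForEach-Object {
        $attempts  = $_.Group
        $failures  = @($attempts | Where-Object { $_.ResultCode -in 4, 5 })
        $successes = @($attempts | Where-Object { $_.ResultCode -in 2, 3 })

        # Only report titles that never installed despite repeated attempts;
        # a later success means the earlier failures were transient.
        if ($failures.Count -ge $MinFailures -and $successes.Count -eq 0) {
            $ordered = $failures | Sort-Object Date
            $latest  = $ordered | Select-Object -Last 1
            [pscustomobject]@{
                Title        = $_.Name
                Attempts     = $attempts.Count
                Failures     = $failures.Count
                FirstFailure = ($ordered | Select-Object -First 1).Date
                LastFailure  = $latest.Date
                # HRESULT of the most recent failure, useful when asking the vendor for help
                LastHResult  = ('0x{0:X8}' -f $latest.HResult)
            }
        }
    }
}

# An empty result means no update has been retrying without eventual success.
Get-RepeatedPatchFailures | Format-Table -AutoSize
```

Run it after each patch cycle; a non-empty table is the cue that the machine needs the kind of hands-on attention described above rather than another automatic retry.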

Good patch management is also a key part of a defensible cybersecurity™ program. Contact Fathom Cyber and subscribe to our newsletter to learn more about defensible cybersecurity.

To our security community friends: we didn’t pick the image in the picture, so please don’t blame us for the cliché and blatantly incorrect use of the “hoodie hacker”.

Travel tip: do not use public USB chargers

Developing good cybersecurity requires a mindset change and awareness of the risks around you. Take, for example, charging your phone while on the go. Did you know that it is relatively easy for criminals to build USB charging stations that look like those provided by cell phone companies and other legitimate providers and plant them in shopping malls, airports, or other public locations? It is also easy for criminals to modify existing USB devices, including charging stations, alarm clocks, radios, and TVs in hotel rooms, so those devices steal your data or infect your device with malware.

What can you do? Carrying your own charger and plugging it directly into an electrical outlet is the safest way to charge your phone. Or, carry your own USB cable and a USB data blocker.

For more information, see the article below. Enjoy your trip and stay safe!

https://www.rd.com/advice/places-never-charge-phone/

More Cybersecurity Troubles for Executives

Shareholders and regulators are increasingly holding executives’ feet to the fire when it comes to cybersecurity issues. In this latest news, a pension fund has initiated a class action suit against the Directors of delivery giant FedEx over a 2017 cybersecurity incident that occurred at TNT Express NV, a Netherlands-based company it had recently acquired. In the lawsuit, the pension fund argues that “Throughout the Class Period” from the date of the attack until December 18, 2018, when it finally revealed the extent of the damage on TNT’s business, “defendants continually assured investors about its recovery from the Cyberattack and any negative impact from the attack was minimal”. The lawsuit alleges that “[t]he full extent of TNT’s deteriorating business was [not] revealed to investors” until it reported a large profit miss for its second quarter ended Nov. 30, 2018, which was attributed in part by FedEx to a shift in TNT’s product mix to lower margin freight business following the cyberattack. The pension fund alleges that the news resulted in a 12.2% stock drop the next day. “As a result of Defendants’ wrongful acts and omissions, and the precipitous decline in the market value of the Company’s common stock, Plaintiff and other Class members have suffered significant losses and damages”. The suit was filed on behalf of a class of investors who purchased the company’s common stock during the Sept. 19, 2017-Dec. 18, 2018 period.

The Importance of Good Vendor and Customer Vetting

Low-cost smartphones running Google’s Android operating system have been found to be replete with malware. From the article:

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

The news will have a negative impact on Google’s stock and is also likely to hurt sales of phones made by these brands. Many of these smartphone manufacturers may not have been aware that their phones included malware. Instead, their business model focused on offsetting production costs through the installation of paid-for applications, which (hopefully) inadvertently included the malicious applications. But it illustrates a fundamental issue all companies face today: how well do you know your customers and vendors?

Criminals will use a variety of means to hide their actions, and you will never stop them all. But, if companies begin following the Department of Defense’s lead and push for third-party certification of cybersecurity and data privacy programs before they will do business with a vendor or onboard certain types of customers, this will go a long way toward reducing the companies’ overall risk surface.

https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/

Executives Face Jail, Significant Fines if Cybersecurity Incidents are not Handled Properly


According to news reports, the former CIO of Equifax was recently sentenced to 4 months in prison and ordered to pay over $170,000 in fines and restitution for selling shares in Equifax before the now infamous 2017 breach was reported to the public. He is the second Equifax executive to plead guilty to insider trading related to that data breach.

As we previously discussed, in 2018 the SEC issued guidance on how companies should address reporting cybersecurity incidents to their shareholders, and it is aggressively enforcing this guidance. This creates additional risks that are not always covered by traditional Director and Officer insurance, including jail.

Is your company’s executive cybersecurity education program fully informing your executives about the risks they face? Does the company’s incident response plan include measures to address these risks? Unlike other consultants who focus only on the technical aspects of cybersecurity, Fathom Cyber uses a holistic approach that addresses the technical, business, and legal issues so your executives are better prepared and better protected. In short, we make cybersecurity make sense.

Contact Fathom Cyber to find out how we can help your company build a more comprehensive cybersecurity program.

The Data Privacy Officer’s Role in Strategic Planning


Many people are aware that, in the absence of action by the U.S. Congress, all fifty states have enacted some form of data breach notification law. However, the state legislatures, and their constituents, are not content with the laws as written, and nine states have passed new and expanded data breach notification laws. The changes include broadened definitions of personal data (New Jersey, Oregon, Washington), expanded breach notification requirements (Massachusetts, Illinois, Oregon, Texas, Washington), an increased scope of those covered (Maryland, Maine), and even minimum protections for certain kinds of information (New York). This rapidly changing privacy landscape means that companies must embrace privacy-by-design and security-by-design principles if they are to survive. Without feedback from the Data Privacy Officer and Chief Information Security Officer, companies can waste time and money developing products or solutions that will encounter significant legal and regulatory problems.

Fathom Cyber’s innovative, Enterprise Risk Management-based approach to creating cybersecurity and data privacy programs provides processes and policies that allow the DPO, CISO, and other relevant parties to weigh in on critical business decisions before the wrong decision is made. Contact Fathom Cyber to learn more about how we can help your company succeed.