It is October, and many of us began the month with a small sense of anticipation, if not excitement.  Perhaps it is residue from our childhood, knowing that, in several short weeks, it will be Halloween, the threshold into November and our national holiday season.  October, however, is also Cybersecurity Awareness Month, and, according to the Cybersecurity and Infrastructure Security Agency (CISA), 2021 marks the 18th year our nation has set aside this month to raise the national consciousness about cybersecurity, cyber resources, and safe practices online. 

At this point, the need to raise the national consciousness about cybersecurity should not be in question.  According to the Center for Strategic and International Studies (CSIS), so far this year there have been over 100 significant cyber incidents across the public and private sectors internationally.  By way of example, CSIS includes the following among these incidents:  

  • Breach of a State Department email server resulting in the theft of thousands of emails (hackers from Russia suspected). 
  • VPN service vulnerabilities exploited to target entities in the U.S. and Europe, particularly U.S. defense contractors (state-backed hackers, including a group working on the Chinese Government’s behalf). 
  • Data theft from thousands of private and public entities around the globe resulting from the targeting of Microsoft enterprise email software (Chinese Government hackers). 
  • Attempted hacks into the systems of Pfizer to obtain COVID-19 vaccine information (hackers from North Korea). 
  • Attempt to attack the water supply of a Florida town by raising the supply’s levels of sodium hydroxide (lye) (unknown hackers). 
  • Social engineering (fake blogs, emails) against cyber researchers to lead them online to sites or emails that expose them to infected materials (North Korean Government hackers). 
  • Ransomware attack shutting down the largest fuel pipeline in the United States, for which a $5 million ransom was paid (attributed to a Russian-speaking hacking group). 
  • Hacking attempts to steal the credentials of geneticists, neurologists, and oncologists in Israel and the U.S. (suspected hackers from Iran). 

The foregoing sampling (the full list is quite sobering) demonstrates that cyber-attacks come in different forms and from different sources.  Thus, combatting them requires not only vigilance but also adaptability to a changing attack landscape.  To this end, the Administration has not been sitting on its hands.  In May, the President signed an Executive Order on “Improving the Nation’s Cybersecurity,” which takes important steps in leveraging federal requirements to ensure that government systems “meet or exceed the standards and requirements for cybersecurity” that the order sets forth.  The Coalition discussed this order in a prior blog, pointing to, among other things, the issues it addresses, including: 

  • The removal of contract barriers to facilitate threat, incident, and risk information sharing. 
  • Cyber incident reporting.  
  • The use of a Zero Trust Architecture and the acceleration of “movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).”  
  • Centralization and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks. 
  • Prioritization of resources to adopt the use of cloud technology. 
  • The adoption of multi-factor authentication, and of encryption for data at rest and in transit. 
  • The provision of a Software Bill of Materials containing, among other things, a record of the supply chain relationships associated with the construction of the software. 
  • The establishment of a Cyber Safety Review Board. 

In addition, NIST issued a bulletin on July 9 highlighting its completion of three obligations under the order: defining critical software; publishing guidance outlining security measures for critical software; and issuing guidelines recommending minimum standards for vendors’ testing of their software source code.  Finally, CISA published resources on its website specifically directed to Cybersecurity Awareness Month, with topics scheduled for each week of the month.  It also provides technical and nontechnical resources to help various stakeholders improve their cyber posture. 

The theme for Cybersecurity Awareness Month is “Do Your Part. #BeCyberSmart.”  As CISA pointed out, 

This evergreen theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity. 

We agree, and for its part, the Coalition is working to keep members informed on these issues.  Just this week, a joint meeting of the Business and Regulatory Issues Committee (BRIC) and the Cyber and Supply Chain Security Committee (CSCSC) focused on telework in the post-COVID environment, including a discussion of cyber issues with Sheppard Mullin’s Townsend Bourne (co-chair of the CSCSC), Anne Perry, Jonathan Aronie, and Ryan Roberts.  And just last month, another co-chair of the Coalition’s CSCSC, Bob Metzger of Rogers Joseph O’Donnell, appeared on Federal News Network’s “Off the Shelf” radio show for a wide-ranging discussion of current policy developments addressing cybersecurity and the supply chain.  In a few weeks, the Coalition’s Fall Training Conference will include two panels relevant to these issues: the Cyber and Supply Chain Compliance Panel, and the DoD Cybersecurity Initiatives and CMMC Panel. 

There is one bottom line here: when it comes to cybersecurity, we cannot rest on assumptions.  The dynamic nature of cyber threats requires all of us to maintain our situational awareness and to improve our understanding of existing and emerging threats, our ability to respond to them, and our resiliency in the face of attack.  The Coalition will continue to do its part, bringing members timely and actionable information to promote business continuity in service to customer agencies and the citizens who rely on them.