A Cybersecurity Guide: Who Do You Call in the U.S. Government?
With an exponential rise in ransomware attacks each year and the personal data of more Americans available for sale on the dark web, ensuring that your company has implemented effective cybersecurity protocols has never been more important. Multiple federal agencies have worked to create and publish cybersecurity resources aimed at the general public. These resources are freely available and companies are encouraged to review and implement the recommended strategies. To help our readers navigate these resources, Lutzker & Lutzker has created the following guide.
Cybersecurity and Infrastructure Security Agency (CISA)
CISA is the most public facing cybersecurity agency, working directly with private entities that run critical infrastructure, including, but not limited to operations in such areas as Internet service, hospital and health care, the electric grid, nuclear power plants, water infrastructure, natural gas and oil extraction, gas and oil pipelines, air travel and shipping and freight transport (air, sea and land). CISA has helped such facilities strengthen their cyber defenses and strategize action plans in the event of a breach.
Founded in 2018 and organized under the Department of Homeland Security (DHS), CISA rapidly became the go-to agency for cyber issues, both within and outside the federal government. CISA builds the national capacity to defend against cyber-attacks and works with the government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the federal civilian executive branch networks that support the essential operations of partner agencies. CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors and delivers technical assistance and assessments to both federal stakeholders and private infrastructure owners and operators.
CISA has multiple sub-teams that aid in various aspects of cybersecurity. The penetration testing unit (Red Team) offers to test various cyber defenses to discover vulnerabilities. With an entity’s permission the Red Team will attempt to hack its way into the target system, making the same cost-benefit analyses that a real-life hacker would make. If successful, the Red Team will continue to collect and exfiltrate as much data as possible. Once finished, the team will attempt to remove any evidence that the network had been breached. At the end of the exercise, CISA returns all the collected data and generates a report detailing which defenses held up and which failed, if the in-house IT team noticed the breach, if any remedial steps were successful and how easy it was to evade countermeasures. If the initial breach was due to an employee falling for a phishing email, CISA will not disclose that employee’s identity. CISA maintains that even the most technologically sophisticated and vigilant individual can fall victim to their phishing schemes and that no employee deserves to be disciplined for doing so.
Another tool in CISA’s toolbox is the National Risk Management Center (NRMC). NRMC is a planning, analysis and collaboration center working to identify and address the most significant risks to our nation’s critical infrastructure, such as communications, power and healthcare infrastructure. NRMC works in close coordination with the private sector and other key stakeholders in the critical infrastructure community to identify, analyze, prioritize and manage the strategic risks to our National Critical Functions. National Critical Functions are the tasks so vital to U.S. interests that their disruption, corruption, or dysfunction would have a debilitating impact on security, national economic security and national public health or safety.
National Institute of Standards and Technology (NIST)
NIST is a physical sciences laboratory and non-regulatory agency of the U.S. Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST helps both government agencies and private industry with cybersecurity standards. The NIST cyber website is a resource for cybersecurity tools, suggestions and education and has guides, charts and explanations aimed at the general public.
One of these standards is the NIST Cybersecurity Framework, which is a guide to how both internal and external stakeholders of organizations can manage and reduce cybersecurity risk. It lists organization specific and customizable activities associated with managing cybersecurity risk, and it is based on existing standards, guidelines and practices. The Framework is organized by five key functions: Identify, Protect, Detect, Respond, Recover. NIST recognizes that each organization’s needs are unique and has structured the framework in a way that allows maximum flexibility, while maintaining strong cybersecurity defenses. For example, it may not always be technically or economically possible to recover all stolen data. NIST understands this and recommends taking steps to have secured backups of data in case of a ransomware breach where data is held hostage for an unreasonably large sum of cryptocurrency. A sizable portion of Fortune 500 companies view the NIST Cybersecurity Framework as essential guidance when it comes to protecting a network. However, it can be expensive to implement all of its recommendations. For this reason, NIST has emphasized that something is better than nothing and that taking any steps toward strengthening an entity’s cybersecurity is a step in the right direction.
Any organization interested in strengthening its cybersecurity practices is encouraged to utilize the resources developed by NIST. The training modules and interactive exercises on their cyber hub are informative and easily digestible, even for non-IT experts.
The Federal Trade Commission (FTC)
Along with CISA and NIST, the FTC is focused on commercial entities. While the FTC is known for bringing enforcement actions against companies, it also seeks to provide a helping hand. By providing guidance and resources, the FTC helps companies avoid violating rules and regulations, leading to a reduction in enforcement actions.
The FTC primarily focuses on enjoining unfair and deceptive trade practices. However, as cyber issues have increased exponentially in recent years, the FTC has begun providing businesses with guidance on how best to protect their customer data. In furtherance of this goal, the FTC has developed an online resource center of cybersecurity guidance and advice for small businesses. The FTC recognizes that small and medium sized businesses often do not have the capital or bandwidth to hire a cybersecurity expert or become experts themselves. This fact informed the design and content of the resource center, such that a small business owner can easily navigate to a specific content hub (including hubs on Cybersecurity Basics, Physical Security, Ransomware, Vendor Security, Cyber Insurance and Secure Remote Access) and quickly find actionable advice to better protect their business. The FTC has also worked with NIST to develop a small business specific interpretation of the NIST Cybersecurity Framework, which is available in the resource center.
The Department of Justice Cybersecurity Unit (DOJ Cyber)
In December 2014, the DOJ Criminal Division created the Cybersecurity Unit within the Computer Crime and Intellectual Property Section to serve as a central hub for expert advice and legal guidance regarding how the criminal electronic surveillance and computer fraud and abuse statutes impact cybersecurity. DOJ Cyber is mainly focused on bringing cases on behalf of the U.S. government but will work with outside entities to ensure compliance with cybersecurity best practices. Examples include Two Factor Authentication, zero trust models, encrypting data at rest, in motion and in use and company-wide training on phishing and email attacks. DOJ Cyber typically interfaces with private companies after a cyber-attack, when investigators will work with in-house IT professionals to collect and inspect evidence that may lead to data recovery and identifying the hacker(s) responsible for the attack.
DOJ Cyber also works to ensure law enforcement authorities are used effectively to bring perpetrators to justice while simultaneously protecting the privacy of everyday Americans. It is often difficult to balance these conflicting goals. This was demonstrated several years ago when the DOJ repeatedly asked Apple for a “backdoor” into a criminal’s iPhone. Apple denied these requests, leading to a very public fight between the two entities that was only resolved when the FBI created their own backdoor into the phone’s software.
DOJ Cyber also coordinates with Congress to draft cybersecurity legislation to protect computer networks and individual victims from cyber-attacks. The unit engages in extensive outreach to the private sector to promote lawful cybersecurity practices. Most recently, DOJ Cyber partnered with the Department of Treasury and the FTC to promulgate guidelines on how companies should respond to ransomware attacks and how to avoid violating fiscal sanctions when paying hackers.
Department of Defense (DoD) CYBERCOMMAND (USCYBERCOM)
USCYBERCOM is the least commercially-facing cybersecurity agency of the federal government. It is primarily focused on supporting the military, but also interacts with federal defense contractors. If a federal contractor has a military defense contract, USCYBERCOM regulations, best practices and suggestions are a must read.
USCYBERCOM ensures the U.S. military is prepared to fight and win wars in cyberspace. It primarily achieves this goal through the policy of Defend Forward. Defend Forward entails several policies, including the proactive observing, pursuing and countering of adversary operations. The policy seeks to frustrate and defeat ongoing malicious adversary cyber campaigns, deter future campaigns and reinforce favorable international norms of behavior. Defend Forward is necessary because intelligence collection in cyberspace against an adversary cannot be conducted solely through static, passive collection. Additionally, there are no neutral “international waters” in cyberspace. A user is either in one domain’s network or another’s, necessitating advanced infiltration of our enemies’ networks. USCYBERCOM also seeks to preempt, defeat or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident regardless of whether that incident would impact DoD’s warfighting readiness or capability. Finally, USCYBERCOM works with U.S. allies and partners to strengthen cyber capacity, expand combined cyberspace operations and increase bi-directional information sharing in order to advance our mutual interests.
Cybersecurity is a vital, yet often confusing, challenge for any 21st century company. Following best practices can ensure that a cyber-attack does not cause catastrophic consequences for the company or its customer data. Lutzker & Lutzker is here to help with your cyber-compliance needs.