By Dietrich Knauth
Law360, New York (September 23, 2014, 4:30 PM ET) — Government contractors’ cybersecurity practices are coming under increasing scrutiny from the government, and recent events highlight the unique risks and vulnerabilities that companies face when they hold valuable government data.
Government and contractor networks are under continuous threat from cyberattack, and security and reporting remain serious challenges, as shown by a Sept. 17 Senate report on successful attacks on the networks and databases of U.S. Transportation Command contractors.
The fallout for contractors, especially ones that rely principally on the government for business, can be significant if cyberattacks cause the government to lose faith in them, as has happened to embattled U.S. Investigative Services, which lost its Office of Personnel Management contracts earlier this month.
“What’s happened with USIS should be a wake-up call to industry,” said Robert Nichols, co-chair of Covington & Burling LLP’s government contracts group. “USIS won’t be the last company that suffers from this. I think major contractors will be put out of business to set an example for other contractors.”
USIS had a history of contracting woes dating back to its background checks for NSA leaker Edward Snowden and Navy Yard shooter Aaron Alexis and continuing with a massive fraud suit that accuses the company of filing incomplete background check reports while billing the government for completed work.
But a state-sponsored cyberattack that breached USIS’ systems was apparently the straw that broke the camel’s back, with the OPM and the Department of Homeland Security suspending USIS’ contracts in its wake. OPM, which was USIS’ primary customer, decided Sept. 9 that it would not renew USIS’ background check contract, putting a serious dent in the company’s revenues.
To truly protect themselves, contractors should not relegate cybersecurity just to their IT departments and should instead embrace a top-down approach that recruits all a company’s employees into the effort, according to Michael Chertoff, a former Secretary of Homeland Security who now heads a security consulting group.
Chertoff and Nichols, who are partnering with George Washington University for a Sept. 29 seminar on cybersecurity for government contractors, said the recent events re-emphasized the need for bigger thinking from vulnerable companies.
“There is a bit of a tendency to think of this as if it’s just a technical issue, but you’ve got to take a broader view of this than just finding the right piece of equipment or software to put on your network,” Chertoff said.
Before investing in software or other technical solutions, companies should think long and hard about the types of data that could be an attractive target and come up with a comprehensive strategy to limit access to that data, Chertoff said. That strategy could include steps like limiting access to data within the company, limiting remote access or preventing downloads of certain data, Chertoff said.
“Once you’ve laid the rules down, you can then configure your hardware and your software to enforce those rules,” Chertoff said. “What you can’t do is just buy hardware and software and put it on a network and think that solves the problem.”
Ray Aghaian, co-chair of McKenna Long & Aldridge LLP’s cybersecurity practice, also advocates a broad approach where employees, “from the executives on down, place a strict emphasis on security.”
Without high-level executive attention, companies may not be able to align their cybersecurity budgets to their actual needs and may not be able to move quickly enough to respond to breaches, Aghaian said. Employee sloppiness can create vulnerabilities if training isn’t seen as a high priority, as can overemphasizing static defenses over more demanding but more responsive approaches, he added.
“The mistake that a lot of folks make is that there’s a lot of emphasis placed on the intrusion protection system,” Aghaian said. “People often forget about their IDS, their intrusion detection system — and that is just as important, if not more, because you need to very quickly understand if you’ve been compromised.”
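Chertoff's advice to write the access rules down first and then configure the tooling to enforce them, and Aghaian's point that knowing quickly whether you have been compromised matters as much as blocking the intrusion, reduce to one engineering pattern: classify the data, encode the rules, evaluate every request against them, and read the resulting audit trail for signs of an account that is probing. The block below is an added illustration of that pattern; it is not code from the article, from USIS, or from any firm quoted here, and the data stores, tiers, rules, users and request log in it are constructed for the example.

```python
"""Policy-as-code sketch: classify data, write the access rules down, enforce them on
every request, and keep an audit trail that a detector can read back to spot a
compromised or probing account quickly.

Added example for this article, not code from any company named in it. The
classification, rules, users and request log are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed classification of the company's data stores (assumption: two tiers).
CLASSIFICATION = {
    "hr-clearance-files": "restricted",
    "marketing-site": "public",
}

# The rules, laid down before any tooling is configured. Each tier says which roles
# may read it, whether remote sessions may reach it, and whether download is allowed.
RULES = {
    "restricted": {"roles": {"investigator", "compliance"}, "remote": False, "download": False},
    "public": {"roles": {"*"}, "remote": True, "download": True},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    store: str
    action: str   # "read" or "download"
    remote: bool  # True when the session comes from outside the office network


def decide(req):
    """Evaluate the written rules for the store's tier; return (allowed, reason)."""
    tier = CLASSIFICATION.get(req.store)
    if tier is None:
        return False, "unclassified store"  # default deny: unclassified data is not served
    rule = RULES[tier]
    if "*" not in rule["roles"] and req.role not in rule["roles"]:
        return False, "role not permitted"
    if req.remote and not rule["remote"]:
        return False, "remote access not permitted"
    if req.action == "download" and not rule["download"]:
        return False, "download not permitted"
    return True, "ok"


def enforce(requests):
    """Run every request through decide() and return the audit log as (request, allowed, reason)."""
    return [(r, *decide(r)) for r in requests]


def detect(audit, deny_threshold=3):
    """Detection side: flag users whose denial count reaches the threshold.

    A legitimate user trips a rule now and then; an account that keeps hitting
    walls (remote, download, unknown shares) looks like stolen credentials being
    tried against everything, which is the signal you want to see quickly.
    """
    denials = Counter(r.user for r, allowed, _ in audit if not allowed)
    return {user for user, n in denials.items() if n >= deny_threshold}


# Constructed request log for a single day.
SAMPLE_REQUESTS = [
    Request("alice", "investigator", "hr-clearance-files", "read", remote=False),
    Request("alice", "investigator", "hr-clearance-files", "download", remote=False),
    Request("bob", "marketing", "marketing-site", "read", remote=True),
    Request("mallory", "investigator", "hr-clearance-files", "read", remote=True),
    Request("mallory", "investigator", "hr-clearance-files", "download", remote=True),
    Request("mallory", "investigator", "unknown-share", "read", remote=True),
    Request("carol", "compliance", "hr-clearance-files", "read", remote=False),
]


if __name__ == "__main__":
    audit = enforce(SAMPLE_REQUESTS)
    for req, allowed, reason in audit:
        print(f"{req.user:8} {req.action:9} {req.store:20} {'ALLOW' if allowed else 'DENY '} {reason}")
    print("flagged for review:", sorted(detect(audit)))
```

The point of keeping `decide()` separate from `detect()` is the one Aghaian makes: the first is the prevention layer and can be wired into a gateway or file server, the second only needs the audit log and runs independently, so a rule that fails open or a channel the gateway never saw still leaves a trace that the detector can act on.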
Contractor cybersecurity remains a high priority for the government. In the week after the USIS decision, the Senate passed legislation that would grant DHS additional hiring and compensation authority to help recruit and retain cybersecurity experts. It also released a report on cyberattacks launched on U.S. Transportation Command contractors, which carry valuable intellectual property and sensitive information about military personnel movement and cargo transportation.
“These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” Sen. Carl Levin, D-Mich., said when announcing the report’s findings. “Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”
The public version of the report revealed that Chinese hackers had stolen emails, documents, passwords and other sensitive information from Transcom contractor networks multiple times between 2008 and 2014. The report called for a tightening of information sharing and disclosure requirements, noting that Transcom heard about only two of the intrusions, even when the FBI and other federal agencies had learned of the successful attacks.
Contractors holding government data are often the “weak link” for potential cyberattackers, and agencies are attempting to enforce better security through several pieces of regulation, as well as through ad hoc contract clauses, according to Nichols.
Because the penalties for a failure can be so steep — terminated contracts, negative past performance ratings, and the threat of suspension and debarment — contracting attorneys need to take care to look for cybersecurity clauses that could impact their clients’ business, Nichols said.
“Different agencies are putting clauses into contracts that shift enormous risk to contractors, without the contractors really understanding what they are agreeing to,” Nichols said. “Because they don’t understand it, they’re not getting insurance for it, so what they are effectively doing is putting the viability [of] the continued existence of their companies at risk.”
Lawyers can help companies set up insurance policies covering cyberattacks and data breaches — a market that remains somewhat underdeveloped — and help them seek DHS certification under the Support Anti-terrorism by Fostering Effective Technologies Act, or SAFETY Act, according to Aghaian. The SAFETY Act limits liability for “claims arising out of, relating to, or resulting from an act of terrorism” and allows the DHS to designate certain cyberattacks as acts of terrorism.
“It’s a very powerful form of liability protection to have, but surprisingly, most companies aren’t making use of that,” Aghaian said.
In the near term, the USIS breach should be a stark reminder that companies face significant risk and uncertainty even when they appear to have handled a cyberattack responsibly, according to Anuj Vohra, a senior associate at Covington.
“Because this is such an evolving threat and the government hasn’t gotten its hands around it, it’s hard for contractors to know what to do,” Vohra said. “USIS is obviously its own discrete circumstance because of everything else it had going on, but it seemed to take all the right steps following the breach to work with the government and address the threat and the breach in an efficient and responsible way, and it still ended up in the same place.”
Published by Law360