The White House sent an
open letter last week to "corporate executives and
business leaders" urging their companies to take
"immediate steps" toward better protecting themselves
against ransomware attacks. 1 Although the White House
cannot generally dictate the actions that private companies take,
the Biden administration has emphasized that "[b]usiness
leaders have a responsibility to strengthen their cyber defenses to
protect the American public and . . . economy." 2
To that end, the letter referenced the five "best
practices" set forth in the recently issued Executive
Order on Cybersecurity, including (1) multifactor
authentication; (2) endpoint detection; (3) endpoint response; (4)
encryption; and (5) a skilled and empowered security team. The
letter also outlined five basic but impactful security practices
that the White House recommended companies implement:
- Back-up Data. Back-up data, system
images, and configurations, regularly test them, and keep the
backups offline. If network data is encrypted with ransomware, the
organization may still be able to restore its systems. - Update Systems. Promptly update and
patch systems, including applications and firmware. Test Plans.
Test incident response plans to help identify gaps and understand
how long business operations can be sustained without access to
certain systems. - Conduct Independent Checks. Check the
security team's work and ability to defend against a
sophisticated attack, thereby increasing the likelihood that back
doors or other loopholes can be addressed. - Segment networks. Separate corporate
business functions from manufacturing and production operations,
and limit internet access to operational networks.3
The letter, which was authored by Anne Neuberger, Deputy
National Security Advisor for Cyber and Emerging Technology, was
sent in light of a reported uptick in attacks involving ransomware
(software that seizes control of a computer until the victim pays a
fee), most recently an attack that reportedly closed off beef and
pork production from one of the country's leading food
suppliers. 4
The letter also reflects the Biden administration's growing
emphasis on the need to improve the government's cybersecurity
defenses, both within and across various agencies. Yesterday, in a
press conference regarding the ransomware attack on Colonial
Pipeline, Deputy Attorney General Lisa Monaco emphasized that
companies should take preemptive action against ransomware attacks,
urging them to "pay attention now" and "invest
resources now" because "[f]ailure to do so could be the
difference between being secure now – or a victim
later." 5 The press conference came just a few days
after Deputy Attorney General Monaco issued an
internal memorandum directing US prosecutors to report all
ransomware investigations that they may be working on, stressing
the need for better coordination within the Department.
6 Two weeks ago, the Department of Homeland
Security's Transportation Security Administration announced a
security directive requiring pipelines to
report confirmed and potential cyber incidents and review current
cybersecurity practices. 7 And last month, the White
House issued the Executive Order imposing a variety of requirements
on federal agencies and government contractors that are aimed at
improving the government's cybersecurity defenses.
As companies seek to evaluate cybersecurity and expand their
protections, it is important to consider the following legal issues
alongside business and technical concerns:
- Importance of a Multi-Functional
Team. Cybersecurity and information protection are
broad efforts encompassing many different skills within a company.
Legal counsel should be included in the team to advise about the
application of relevant laws, regulations, and policies, and to
prepare for potential litigation and enforcement actions. - Importance of Legal Privilege.
Companies should consider how to maximize the application of legal
privilege to internal factfinding efforts that are designed to
address potential legal exposure from cybersecurity and data
protection rules.
Outside counsel can help bolster in-house teams and provide
broad industry perspective on common issues in these reviews.
Footnotes
1 Letter from Deputy National Security Advisor for Cyber
and Emerging Technology Anne Neuberger to Corporate Executives and
Business Leaders (June 3, 2021).
2 Press Briefing by Press Secretary Jen Psaki (June 3,
2021),
https://www.whitehouse.gov/briefing-room/press-briefings/2021/06/03/press-briefing-by-press-secretary-jen-psaki-june-3-2021/;
see also Tucker Higgins, CEOs Need to Prepare Now for Exponential
Increase in Ransomware Attacks, Top DOJ Official Says, CNBC (June
4, 2021),
https://www.cnbc.com/2021/06/04/ceos-need-to-prepare-for-increase-in-ransomware-attacks-doj-official.html.
3 Letter from Deputy National Security Advisor for Cyber
and Emerging Technology Anne Neuberger to Corporate Executives and
Business Leaders (June 3, 2021).
4 David E. Sanger and Nicole Perlroth, White House Warns
Companies to Act Now on Ransomware Defenses, N.Y. Times (June 3,
2021),
https://www.nytimes.com/2021/06/03/us/politics/ransomware-cybersecurity-infrastructure.html.
5 Office of Public Affairs, Department of Justice, DAG
Monaco Delivers Remarks at Press Conference on Darkside Attack on
Colonial Pipeline (June 7, 2021).
6 Deputy Attorney General Lisa Monaco, Memorandum for all
Federal Prosecutors on Guidance Regarding Investigations and Cases
Related to Ransomware and Digital Extortion (June 3,
2021).
7 Press Release, DHS Announces New Cybersecurity
Requirements for Critical Pipeline Owners and Operators, Department
of Homeland Security (May 27, 2021).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss