C-Suite Alert: US DOJ Updates Guidelines for Managing Cyber Attacks
In September, the Cybersecurity Unit of the Department of Justice (DOJ) released an update to its 2015 guidance for navigating cybersecurity incident response, entitled “Best Practices for Victim Response and Reporting of Cyber Incidents.”
The DOJ’s revised guidance reflects the understanding that over the last three years, as the interconnectedness of businesses, individuals, governments and infrastructure has increased, so too have cyber vulnerabilities. Since the 2015 guidance was issued, businesses — through the products they sell and the services they provide, as well as their internal operations — have become increasingly digital. Cloud computing has become ubiquitous, cyber criminals have become more sophisticated, and organizations are collecting more personally identifiable information (PII) from customers, suppliers and partners. These factors increase both the likelihood of cyberattacks and data breaches, as well as their costs and resulting damages.
As a result, new federal and local regulations have been promulgated over the past three years that are intended to lessen both the likelihood and impact of cyberattacks and data breaches. At the same time, the DOJ’s understanding of cyber threats and cyberattacks has grown; so has the availability and sophistication of the resources it commands to assist private and public entities in the prevention and mitigation of incident impacts. Although the DOJ’s guidance does not alter existing regulations, it is a useful tool for businesses seeking to align themselves with data security policy best practices.
Importantly, the new guidance emphasizes that businesses should focus not only on the technical side of cybersecurity but also the governance and business sides. Even though many of today’s cyber criminals have advanced tools, most cyberattacks still involve simple, basic tactics like phishing, which drives 80 to 90 percent of attack volumes. (See: Top Cybersecurity Facts, Figures and Statistics for 2018, Josh Fruhlinger, CSO Online, October 18, 2018.) Posing as the CEO and sending a request via email for critical data or information, for example, may be old-fashioned, but it is still surprisingly effective.
In this article, we will address both what is new in the DOJ’s revised guidance, and what is critical for clients to understand and act upon.
DOJ's Revised Cyber Guidance: Seven Overarching Themes
General counsels and C-suite executives should become familiar with the DOJ’s revised guidance to manage adverse cyber events. Upon examination of the full guidance, seven overarching themes emerge:
- The increased responsibility of senior management and counsel for implementing and executing cybersecurity best practices
- The importance of establishing relationships and lines of communication with relevant and appropriate law enforcement personnel and agencies
- The new basics of good cybersecurity procedures
- The growing importance of partnering with experienced and capable third-party incident response firms
- The imperative for sharing information with law enforcement and other agencies, individuals and non-governmental organizations pursuant to the Cybersecurity Information Sharing Act (CISA) of 2015, and understanding the guardrails that have been put in place to encourage and secure collaborative efforts
- The new data breach laws requiring the immediate notification of relevant federal and state agencies and affected employees, customers and partners
- The government’s increased presumption and expectation of cooperation from cyber incident victims.
These themes apply to what organizations should do before, during and after a cyber incident or attack occurs. The days in which organizations would keep knowledge of cyber incidents and attacks to themselves for fear of reputational harm and loss of business are over.
Before An Attack
Awareness: The DOJ emphasizes that it is critical (and today, expected) for senior management, including boards of trustees, to be fully cognizant of cyber threats and their potential to cause significant organizational disruption, impair customer confidence and incur serious costs. The DOJ recommends senior executives be briefed regularly on existing and emerging threats, and appropriate risk management strategies. It also recommends all appropriate employees participate in regularly scheduled preparedness exercises to ensure that everyone is clear on their roles and responsibilities in a cyber incident and the technologies that will come into play during a response (and how to access and leverage them). These exercises will test lines of communication that allow critical response personnel to be contacted at any time, and these lines of communication will work during a cyber incident both inside the organization and outside with law enforcement and relevant third parties (customers, suppliers and business partners, including incident response firms).
Preparedness: The DOJ’s Cybersecurity Unit understands that “the cost and difficulty of protecting an entire enterprise from all manner of cyber threats can be overwhelming.” Therefore, it recommends organizations prioritize what is most critical to their operations — systems, applications and data — and focus their energies appropriately on protecting these “crown jewels.” For some organizations, like online retailers, that may be their websites and purchasing systems; for other organizations, it could be their customer data stored in the cloud or, for manufacturers, their supply chain systems. In all cases, the key to prioritizing is properly assessing risks. Those assessments should include possible threats from the use of contractors, service providers, and outside entities that host or have access to an organization’s data and/or networks, including (but not limited to) vendors, law firms and clearinghouses.
Most importantly, organizations need to have a detailed incident response plan. Unfortunately, many organizations still lack one. According to a 2018 Ponemon Institute survey on cyber resilient organizations, “77 percent of organizations admit they do not have a formal cybersecurity incident response plan (CSIRP) that is applied consistently across the organization,” even though preparedness was rated the “most important” factor in an organization’s ability to respond successfully to cyber incidents and limit the damage they cause.
The DOJ suggests that hard copies of an incident response plan be readily available to all relevant parties in the event online resources become inaccessible during an incident.
The DOJ’s new guidance also stresses that in this era of cloud computing, the response plan must include processes for contacting and interacting with those parties that host an organization’s data and services and how to work with a retained incident response firm.
Partnerships: Underlying any plan, the DOJ suggests, should be a pre-existing relationship and engagement with the local offices of those federal agencies responsible for investigating criminal cyber incidents, with an internal point-of-contact responsible for that relationship.
Since the DOJ’s 2015 guidance, the government has enhanced its cyber incident response activities and capabilities.The FBI and the U.S. Secret Service conduct outreach to private entities “likely to be targeted for intrusions and attacks,” sharing cyber threat information. There are FBI InfraGard chapters and cyber task forces in each of the FBI’s 56 field offices. And, in partnership with the Department of Homeland Security (DHS), the FBI publishes private industry notifications about ongoing and emerging threats, and provides technical indicators of cyber incidents through the FBI Liaison Alert System (FLASH) reports.
There are also private sources of cybersecurity and cyber threat information that an organization can and should leverage. Critical infrastructure organizations (unnamed in the 2015 guidance, now defined as encompassing 16 sectors: chemical, commercial facilities, communications, critical manufacturing, dams, the defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, IT, nuclear reactors, materials and waste, transportation, and water and wastewater systems) each can draw on dedicated information sharing and analysis centers (ISACs), which provide a forum for disseminating knowledge of cyber threats and facilitating public-private cooperation.
The DHS’s National Cybersecurity and Communications Integration Center (NCCIC) provides alerts, vulnerability information and analysis reports “that can help organizations detect, prevent and mitigate incidents. It also provides automated feeds of indicators of compromise that organizations can access for free.”
The federal government also has encouraged the creation of other information-sharing entities mirroring ISACs, such as information sharing and analysis organizations (ISAOs) for companies not part of the critical infrastructure.
It is worth noting that CISA provides protection from liability for sharing information on both state and federal levels in most instances and, according to the Federal Trade Commission (FTC) and the DOJ Antitrust Division, antitrust laws should not be an impediment to legitimate cyber threat information sharing.
Workplace Policies: Companies must make cybersecurity a part of every employee’s training, and companies should have the ability to immediately cancel the network access credentials of terminated staff members, most critically those of system operators, network administrators and IT staff. [See “Cyber Incident Preparedness Checklist" that follows.]
The New Basics of Cybersecurity: Many breaches and incidents have been traced back to vulnerabilities for which patches were available but not applied. Today, all companies should have effective patch management programs. Furthermore, in an increasingly interconnected world, enterprises should not rely on their firewalls to keep intruders out of their networks. Segmenting networks can limit the ability of bad actors to access complete data sets.
Access to networks should be managed through identity controls that include password management programs and multifactor authentication. Also, companies should enable logging on all their servers, and configure them to preserve copies — not just of intrusions, but of normal traffic through firewalls. These logs will allow law enforcement and incident response firms to reconstruct incidents quickly and efficiently and identify intruders and bad actors.
Today, most enterprise networks include the cloud. Companies should assess their cloud providers’ security policies and the contracts they strike with them, anticipating the need to furnish law enforcement with relevant information. Contracts should stipulate that the cloud provider will both assist law enforcement and provide access to data at the organization’s request.
Responding to an Attack
Working with Your Incident Response Firm: Retaining an incident response firm is a new element in the DOJ’s guidance and, given the increasing complexity and variability of today’s threat landscape, the DOJ strongly recommends that companies work with incident response firms that are “well acquainted with forensically sound methods of evidence collection that do not taint or destroy evidence.”
Experienced and capable incident response firms possess the technical know-how to speed investigations and get to the bottom of incidents. They also are accustomed to working with law enforcement and, therefore, are more capable than most enterprises in recruiting government cyber assistance and working with law enforcement agents.
Once an attack is detected, the organization should direct its incident response firm to prepare a report about the attack’s causes and consequences. In accordance with the DOJ’s guidance, this report is not privileged, even if it is prepared at the direction of the company’s attorneys. However, because law enforcement often requires the technical details of the hack, breach or data exfiltration, they may not need the full forensic report and will work with the victim organization to protect proprietary enterprise information. That said, as soon as an organization becomes aware of a cyber incident, it should immediately share information about the attack with law enforcement as part of a coordinated response. (As noted previously, having established good channels of communication with law enforcement prior to any incident will expedite the process.)
Legal counsel for the victim organization should direct its incident response firm to keep contemporaneous records of all its activities, thereby minimizing the need for reconstructing events based on recollection. That slows response times and potentially introduces errors.
This is where logging becomes critical. The victim organization should document or record any suspicious activity, monitoring its network for possible ongoing communications between an intruder and targeted servers while consulting with legal counsel to ensure this monitoring does not run afoul of the existing law. The law may include exceptions, and “provides private entities with broad authority to conduct cybersecurity monitoring of their own networks, or a third party’s networks, with appropriate consent.”
Notification Responsibilities: All incident response plans should identify points of contact that should be notified in the event of a cyber incident, and channels to alert government agencies.
As of August 2018, all 50 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have passed data breach reporting laws requiring companies to immediately notify customers whose data has been compromised. The only acceptable reason for delaying this notification would be if law enforcement determines that doing so would impair an investigation, or if it is determined the incident caused no harm to individuals.
CISA authorizes private entities to share information with law enforcement and offers liability protections that cover cyber threat indicators and the defensive measures that private entities share with DHS. This information is “safeguarded from unwarranted or unnecessary disclosure,” and exempts certain records from Freedom of Information Act (FOIA) disclosures if shared with the FBI, the U.S. Secret Service or other federal entities, as consistent with CISA.
The DOJ’s 2018 guidance emphasizes the protections afforded to compliant, transparent companies, and the harm — both societal and company-specific — that may be caused by concealing evidence of breaches and hacks. General counsels should be aware of both the requirement to notify and how best to do so, as obligated under applicable state law. The FTC looks more favorably on companies that report willingly and fulsomely than it does upon companies that do not, and notes that the DOJ will inform regulatory agencies about the level of cooperation it has received from a victim organization.
Even as the arc of the cyber environment bends toward risk, the arc of cybersecurity bends toward the emerging best practices that experience produces. All businesses, large and small, need to leverage knowledgeable professionals in both the public and private sectors. The best way to do this while increasing the pool of knowledge these professionals can bring to bear in the service of protecting you is to be as open, transparent and cooperative as possible when it comes to reporting cyber incidents. This is the biggest takeaway from the DOJ’s 2018 “Best Practices for Victim Response and Reporting of Cyber Incidents.”
© Copyright 2019. The views expressed herein are those of the author and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.
About The Journal
The FTI Journal publication Offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.