Interview transcript:
Terry Gerton In all of the conversation around the reconciliation bill that passed last July, it seems there was a topic that hasn’t garnered a lot of attention, which was explicit funding for offensive cyber operations. You’ve looked into this a bit. Tell me specifically what’s in the bill and why it’s important.
Brandon Robinson Sure. One thing that’s notable about the bill is that in the midst of several cuts to budgets and funding for civilian defensive cybersecurity funding across several agencies, uniquely this bill allocates $1 billion over the next four years to boost U.S. offensive cyber operations, particularly in the U.S. Indo-Pacific Command, which is from the west U.S. coast to about the western part of India. So that includes countries like parts of Russia, China, North Korea, et cetera. And while there’s been discussions and suspicions over offensive cyber capabilities in the past, this is the first time that I, at least, have seen an explicit mandate to increase funding to go on the offensive openly and explicitly like this.
Terry Gerton Well, you raise a great point. I guess most people who watch this space would have assumed there was some offensive operations going on, but we don’t talk about it. We talk about, traditionally, a deterrence-based posture. So what would offensive cyber operations here look like?
Brandon Robinson Well, it could mean a lot of things. But in short, I think it’s the difference between going on the reactive to going on the proactive in being offensive with respect to our cyber operations, with respect to nation states that we consider threats and which are conducting offensive cyber operations towards us every day.
Terry Gerton Are there legal hurdles that you would see here that would make it challenging for the U.S. to scale up offensive cyber operations?
Brandon Robinson Terry, that’s a good question. I don’t know that I am going to have the legal authority to discuss whether there are legal hurdles to conduct those operations. I know that we have a common knowledge that we think it’s been done. We’ve been accused in some cases of being responsible for certain cyber operations in other countries, but it’s never been clear whether we were or not. And as far as the legal implications of us openly and explicitly doing so, that’s not something I’d be an expert in to talk about.
Terry Gerton Would you think that there would be requirements to be accountable and maybe transparent about these kinds of operations at some point?
Brandon Robinson It may depend on who’s doing the operations. We have a lot of three-letter agencies within our government that have a level of flexibility to do certain things without a level of transparency. Other agencies may not have that flexibility, so the devil may be in the details.
Terry Gerton When you think about offensive cyber operations, let’s talk about risk. What are the potential consequences of a shift that would include perhaps retaliatory cyber attacks or supply chain exposure in terms of legal ambiguity and liability? What are those kinds of risks?
Brandon Robinson I’m not a political insider. I don’t place a value judgment on whether this was a good or bad idea. It could be that a decision to quit being reactive and to be open and aggressive will be proactive against nation states that we know are already targeting us. It could be to send a message abroad as a signal of strength.
Terry Gerton I’m speaking with Brandon Robinson. He’s a partner in Maynard Nexsen’s Cybersecurity and Privacy Practice Group. We were talking about the billion dollars over four years for offensive operations, but at the same time, there were cuts to civilian cybersecurity funding. How do you reconcile those two actions that kind of seem to be diametrically opposed?
Brandon Robinson They do. I’m not in a position to second-guess the rationale between the two decisions, one to increase the Indo-Pacific Command’s budget for offensive cyber operations coupled with nearly $1.2 billion cuts from civilian defensive cybersecurity budgets. But while I don’t know the rationale for what seems to be that dichotomy, I do think it presents certain ripple effects that trickle into the private sector that are worth noting.
Terry Gerton And so tell us more about those. How should the private sector be thinking about those two different positions?
Brandon Robinson Well, notably, I think more so on the budget cut side, there are a lot of agencies and public-private partnerships that the private sector relies on. For example, the [Cybersecurity and] Infrastructure Security Administration, CISA, and the ISACs have provided important real-time or near real-time communication and information sharing to the private sector. There’s other agency programs, like the National Science Foundation’s Scholarship for Service program that facilitates the education and training of the next generation of cyber experts who would go out and work in the cybersecurity field for government agencies and for the private sector. There’s agencies like NIST, the National Institute of Standards and Technology, that helps develop standards and frameworks for cybersecurity that the public and the private sector rely on as benchmarks and models for improving their cybersecurity maturity. So those are all examples of public agencies that provide value to the private sector that may have less resources going forward. But I think the other thing that is worth mentioning is that if we are openly and explicitly going on the offensive to these other nation states that are threats, there’s the real possibility that those same nation states, if we know about this, they surely know about this too. And so we might see retaliatory blowback or more open and aggressive actions by other nation states to increase either the level, the frequency, or the sophistication of their attacks, not only on public agencies who may have less resources, but also on the private sector, who downstream may have less resources as well.
Terry Gerton So as you look ahead, how should private sector partners, the government contracting space, and even our international allies be watching this space and what should they be looking for as they try to prepare for what may come?
Brandon Robinson In the event this were to happen, if we see an increase in retaliatory offensive attacks from other nation states, I think the private sector needs, now more than ever, to do what it can to put itself in the best defensive position possible. And we lay out some of those baseline recommendations that we can go through. One of those is reducing your collateral exposure via supply chain. All too often, for an organization, it’s not necessarily you that gets attacked, it’s your vendor. And your control over that is only so limited, and the idea that third party risk management and supply chain management is nothing new, that that’s critical. But I think especially in our global marketplace, with budget constraints and in this new tariff era, it’s more important than ever to have a process in place to conduct due diligence on your vendors, to have strong contractual protections in place with them. And more importantly, to have open lines of communication and a strong incident response plan that you’ve practiced, that you put into action in the event that a vendor incident reorganization occurs. And so to the extent they have it yet, a lot of private sector, they have an incident response plan. For compliance purposes, they drafted one up, they have it, they finalized it and approved it, but it may sit on a shelf collecting dust. It’s all the more important that you take that out and you practice it and you review it on a regular basis and you share it and make your employees aware of it. That you establish clearly documented escalation procedures involving your internal teams, your legal counsel, your cybersecurity, regulatory and investigative authorities, so that in the wake of an incident, you’re not standing around wondering what’s next or who’s responsible for what. 
And another thing that I would really emphasize from the supply chain perspective, is having clear communication strategies in your contract and in your interactions with your vendors and your supply chain. So all too often, when we talk about negotiating cybersecurity provisions in your contracts with your vendors, it’s about indemnification, it’s not risk allocation, it may be about breach notification in the event. And there are high level obligations to support in the event of an incident response. I think ideally, organizations ought to be also including in their contracts clear lines of communications, clarifying roles and responsibilities and steps to be taken so that when there is an event, when there is an incident, it’s clear what each party is supposed to do in working with each other to resolve the incident. So those are some obligations with respect to one of those areas, which is vendor and supply chain risk management.
Terry Gerton Those recommendations about the vendor chain and the supply chain are so helpful. Are there other recommendations that you have in terms of helping contractors prepare for potential offensive cyber ops?
Brandon Robinson Yes, thank you, Terry. I think another recommendation in addition to your risk management from contractual and supply chain perspective is making sure that you’ve defined and integrated clear communication strategies to manage your public disclosure and stakeholder engagement. This is important in any incident response, but in the event of increasing frequency and severity of them, especially when attribution is difficult to define if a nation state is behind it, there’s a lot of different stakeholders that you have to communicate with. Not only your vendors, but also your investors, your board, your executive leadership, employees, customers, and media, and others, not to mention regulatory authorities and law enforcement. So one of the things we pride ourselves on in handling incident responses is to act as a one-stop shop, to handle communications between all of those entities so that we’re ensuring that the messaging is not only tailored to that audience, but that it also maintains compliance and consistency. We even have an in-house subsidiary crisis communication firm that we work with when we review the communications to make sure that we’re not just looking at it from a legal perspective, but from a more comprehensive perspective. And so I think one important recommendation I’d make for the private sector in preparing for perhaps an onslaught of more frequent or more severe incidents is to make sure not only do you have your legal steps in place, but that you have clear communication strategies for all of the different stakeholders that are involved.
Terry Gerton And what about workforce training? Where does that fit into this?
Brandon Robinson That’s important too. The majority of security and privacy incidents start with human error. It’s not always a brute force attack on the system. Most often, it is a link. It is social engineering that is now, thanks to AI, even more sophisticated. And so employees are always going to be your first line of defense. And so my recommendations in that respect would be first to promote a culture of robust reporting, emphasizing prompt reporting by your employees. If they see something that’s even suspicious, if you’re in doubt, report it. I think that’s more important than ever. And then investing in your IT and security workforce, not only for technical protections to be able to respond to what hopefully is becoming a culture of robust reporting and awareness. Second thing would be to perform the periodic cyber hygiene exercises, the phishing simulations, the training, the awareness, the tabletop exercises, so that everybody in your organization can understand what a suspicious email looks like and what to do in the event of a response. And then the final thing I would say is to keep current, to train your staff and all your leadership on emerging AI-enhanced and other social engineering tactics, risks and mitigations. That’s part of awareness and training. And to have centralized management and responsibility for maintaining patches and upgrades on all your software and computing systems. With that last part, we’re in a world of zero-day exploits, which means exploits that can be exploited, quite frankly, by threat actors until they’re patched. And so, when it comes to patch management, if you don’t have a centralized accountability for that, then you could have a vulnerability that persists and you have the patch for it, but it wasn’t done right away to fix the problem. And so you want to prevent one of those situations where everybody’s standing in the circle pointing to the right, and where if everybody’s responsible, nobody’s responsible. 
That’s the last thing you want to be able to do. And especially with respect to zero-day exploits, which are a favorite of nation states in a global marketplace, making sure that you have centralized management and accountability for understanding those exploits and patching them when those patches are available as soon as possible.
The post More U.S. cyber offense could mean more risk for companies caught in the crossfire first appeared on Federal News Network.
