The verdict is in, most industry experts and business leaders agree that Government contractors should be legally accountable for not meeting cybersecurity standards. A somewhat harsh stance perhaps, or simply being cruel to be kind?
Cybersecurity attacks are destructive, and the rise in threats, accelerated by the global pandemic, has drastically impacted both the public and private spheres, with everyone from large companies through to government agencies exposed to threat actors. The truth is, it's only getting worse. In fact, for 2021 alone it has been reported that a ransomware attack will occur every 11 seconds, against a backdrop of high-profile attacks such as SolarWinds and Colonial Pipeline that have pushed governments and organisations everywhere to ramp up their responses to the cyberwar we're facing. With cybercriminals increasingly focussed on critical infrastructure, and a further rise in supply chain attacks, it's not surprising lawmakers are taking matters into their own hands.
“Supply chain attacks rose by 42% in the first quarter of 2021 in the U.S., impacting up to seven million people, according to research. Analysis of publicly reported data breaches in quarter one by the Identity Theft Resource Centre (ITRC) found 137 organisations reported being hit by supply chain cyber-attacks at 27 different third-party vendors.”
Cue an initiative from the U.S. Department of Justice, which aims to strengthen defences and minimise the risk of intrusion into government networks caused by poor cybersecurity practices at external partners. “The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” In effect, this initiative gives the Department of Justice the leverage to pursue cyber threats stemming from contractors of federal agencies who fail to follow cybersecurity standards.
Taking this into account, I was curious to know the thoughts of my network of industry experts and company leaders in response to this legislation.
I posed the following question:
As you can see, the results are definitive.
The feedback and comments touched on some interesting and valuable points:
Enhancing the Partnership
As with any good partnership, both parties need to work together to establish the ground rules of accountability and trust in order for it to be beneficial. The same applies to the public and private spheres working together to achieve cyber-resilience. It's a complex playing field, and there's no single solution; however, working in unison will surely achieve results far better than suffering a cyber-attack. With today's threats also including insider attacks, this initiative is crucial in making sure that entities contracted by the government are not compromised by corrupt individuals.
From the legislative point of view, I empathise with business leaders and experts who feel that lawmakers and government departments also need to ensure they are incorporating best-practice cyber resilience internally and across departments, in addition to, or before, issuing any legislative demands. It's only fair. No one is immune from a cyber threat.
In essence, the initiative has considered legitimate business fears, for instance the stigma associated with reporting breaches. The Department of Justice has responded to this by incorporating a whistle-blower provision in the overriding Act, allowing parties to identify and pursue fraudulent conduct confidently and anonymously. Furthermore, the awareness promoted by an initiative such as this strengthens the urgency of resilience against cybersecurity attacks across the government, the public sector, key industry partners, businesses and individuals, and will hopefully improve overall cybersecurity practices in general, something that cannot afford to be delayed. We all have a duty of care when it comes to building cyber resilience.
What other ways would you like to see governments helping companies increase their cyber resilience?
Fortify your defences
No single vendor can stop all threats, so don't leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk, for example a specialist cloud email security solution like MailGuard to enhance your Microsoft 365 security stack.
For more information about how MailGuard can help defend your inboxes, reach out to my team at expert@mailguard.com.au.