Every day it seems that Americans learn about a new cyberattack against either U.S. federal government agencies, American enterprises, or the organizations that comprise our critical infrastructure or supply chains. Many of these cyberattacks are attributed to U.S. nation-state adversaries whose desire is to undermine the U.S. government and cause disruption to the daily lives of Americans.

According to a study from HP, the number of nation-state-backed cyberattacks doubled between 2017 and 2020, cementing the fact that these malicious actors are becoming more sophisticated in their methods and increasing the volume, scope, and reach of their attacks.

But who exactly is behind these cyberattacks? What are their motivations? And how can the federal government and the government contracting community insulate and protect networks and data from falling prey to these highly skilled, state-backed hackers?

On December 15, ACG National Capital will bring together a panel of experts to examine the increase in nation-state-backed cyberattacks against the U.S. and the role certification programs will have in strengthening cyber postures across the government contracting community.

Prior to ACG’s upcoming December Monthly Meeting, we sat down with one of the participants, Pirooz Javan, Chief Operating Officer of Easy Dynamics, to discuss:

  • Who are the malicious actors behind these cyberattacks
  • How zero trust will play a role in protecting government agencies
  • Why all companies – regardless of size or industry – in the national capital area should think about attending this event

Here is what Pirooz had to say:

Corporate Growth, Capital Style (CGCS): Why has there been an increase in nation-state-backed cybersecurity attacks? Who exactly are these nation-states, and what are their motivations behind these attacks?

Pirooz Javan: We live in a time of competitive, geopolitical climates, which means we economically compete against other nations. And we also compete for our own interests, protection, and self-defense.

I think the increase in nation-state attacks is occurring because of the covert nature of cyberattacks, especially in a climate where politics are underscored by conflicts of trust and agendas by each nation.

What’s happening now is that rather than operating above the surface, there’s a cold war of cyberattacks going on between nations. What makes these cyberattacks very attractive for nations as a covert ability is that they can deny that the attacks stemmed from their nation and have plausible deniability for any retaliatory action taken against them.

So, who exactly are these nation-states? Well, there’s been a surge in attacks from Iranian, Chinese, and Russian state-backed actors. And these actors are attacking U.S. critical infrastructure weekly, if not daily. And they work extremely hard to either get in and exfiltrate data that would have negative financial and economic impacts on private sector organizations or erode trust in our government and the government services that we rely on.

And when these state-backed actors carry out a cyberattack, nation-state governments can simply deny it was them and attribute it to being propaganda from the United States or that the messaging is nothing more than a political agenda. Obviously, these allegations are false. And no matter how much data and information we have that gives us confidence that cyberattacks stem from a particular nation-state, we can’t control the media and the messaging they provide to their citizens.

There’s a cold war going on right now with cyberattacks, and it doesn’t look like it’s getting any better.

CGCS: How can the U.S. government prevent and deter these attacks from happening? What can government agencies do to protect themselves?

Pirooz Javan: The public sector has had measures to protect our information systems for years. The Federal Information Security Management Act (FISMA) went into place in 2001, which laid down the framework that has evolved into the risk management framework. The National Institute of Standards and Technology (NIST) also provides guidelines that help government agencies by establishing a north star on how to protect their information systems.

But you know, these things are hard to do. Through several means, I think the government can work to protect its systems. But after some recent attacks, it’s been exposed that the protection of government systems is also reliant on the supply chain of vendors that they rely on. The ecosystem of protection is no longer just protecting government systems. The paradigm shift of how we will be computing in the near future requires heavy reliance on the cloud to access your corporation’s or organization’s servers.

Recent executive orders are giving some hints and direction to where the government wants to go. Zero trust seems to be the modern cybersecurity framework and design paradigm that we’re going towards – as a country – to protect our information systems.

But zero trust is an overarching, holistic change for an organization. It’s not like you can just change one system and apply it or bring in a firewall and protect all your systems. It’s an organizational change that’s going to be very invasive and widespread, and it’s going to take some time for us to get there.

And as vendors and systems integrators who support the government, the one thing we must do is not treat cybersecurity as a second-class citizen. We must treat it as a first-class citizen with networks and systems designed with cybersecurity in mind. And I think everybody has to become fluent in zero trust, including government entities and the vendors that support them.

CGCS: How is the government contracting community responding to these attacks? What solutions and resources can they provide government agencies to help insulate and protect themselves from these cybersecurity attacks?

Pirooz Javan: Right now, the government contracting community is keeping an eye on something called the Cybersecurity Maturity Model Certification (CMMC), which is shaping up to be a north star that’s emerging from the contracting community. It has a lot of similar aspects of what the government uses to protect itself through FISMA.

I think the challenge we’re facing right now is figuring out what’s going to be the governance model to assess and evaluate the government contractor community. What I think is important is that many of the certification programs out there – from the International Organization for Standardization (ISO) to the CMMC – tend to have an assessment process that also has an authorization process that is not independent. And what I mean by that is, you can assess your cybersecurity posture, but you really need an independent body to authorize or certify you for meeting a certain bar maturity model for your cyber posture.

And right now, the Department of Defense (DoD) is kind of going in their own direction. And we just recently learned that the Department of Homeland Security (DHS) is not planning to use a DoD certification model.

What I think the contractor community can do now is to prepare for CMMC and start to strengthen its cyber posture. Contractors shouldn’t wait until that has been finalized. Begin evaluating your own cyber hygiene off of some risk model that makes sense for your organization, whether it’s ISO 27001, SOC 2, or CMMC.

CGCS: You’re going to be appearing at an upcoming panel discussion about the increase in nation-state cyberattacks. What types of things will you be covering as part of that discussion?

Pirooz Javan: Some topics that we will cover include the cybersecurity executive order and its impact on the private and public sectors. We will also be discussing the move towards zero trust as a new security model of choice, and what that means for the short-term and the long-term.

Attendees can expect to learn about digital identity and credential-based attacks and how to protect against phishing and other attacks that are targeting the human elements of cybersecurity. We will also examine the role certification programs will have in building trust across organizations in the future.

CGCS: Who should attend this panel discussion, and why is this a “must attend” event for them?

Pirooz Javan: Anyone who wants to take a step back and look at cybersecurity as not a local problem – but rather a geopolitical-driven activity that isn’t going away – should plan to attend.

We’re at a stage with cybersecurity where we really need to take a step back, rethink how we’re doing cyber, and have a collaborative conversation on how to move forward. And I think discussions, like the one we will be hosting, are extremely helpful to organizations with establishing that perspective in making cybersecurity a high priority for their organization.

To register to attend ACG National Capital’s “An Increase in Nation-State Cybersecurity Attacks” event, click HERE.