High-profile ransomware attacks affecting government agencies and major organizations have significantly increased in their number, scalability, and severity, ranging from simple phishing scams to digital extortion. Recent cybersecurity incidents that made headlines in the last year include SolarWinds, Colonial Pipeline, and meat processor JBS USA Holdings.
As a means to discuss the everchanging cyber threat landscape, a group of Fordham Law alumni and fellow practitioners delved into the latest cybersecurity issues, new government enforcement activity against cyber crime, and best practices on how private companies can avoid hacks.
The event—virtually hosted by Fordham Law’s IP and Information Law Affinity Group on Dec. 8—was moderated by David Feder ’07, counsel at Fenwick & West LLP and co-chair of the affinity group. Panelists included:
- Sean Farrell ’07, Chief, Cybercrime Unit, U.S. Attorney’s Office, District of New Jersey
- Kelly Ann Harris, Director and Assistant General Counsel, Cybersecurity, Incident Response & Privacy, Deloitte
- Haseen Usman, Chief Information Security Officer, Cohere Cyber Secure
- Jamie Yavelberg, Director, Fraud Section, USDOJ Commercial Litigation Branch
An Escalating Threat
Suspected ransomware payments reported by banks and other financial institutions between January and June 2021 totaled $590 million—the highest value reported since 2011, according to the latest “Financial Trend Analysis” report published by the Department of the Treasury’s Financial Crimes Enforcement Network in October.
Internet security company SonicWall found that nearly 500 million attempted ransomware attacks were made in the first nine months of 2021 and that more than 307,500 previously unknown malware variants were discovered in the same timeframe. The company expected to see another 214 million ransomware attack attempts by the end of 2021, marking a 134 percent surge over the previous year’s totals.
“Multiple vulnerabilities exist in our environment nowadays and those vulnerabilities are unpatched,” said Usman, whose organization investigates cyber attacks as well as creates threat intelligence techniques to develop indicators of compromise for affected entities. “These hackers take advantage of exploiting those vulnerabilities to get into the environment, deploy their malware and ransomware, log onto systems, and then ask for the ransom.”
How Companies Can Stay Safe from Cybersecurity Threats and Attacks
Companies can protect themselves against cybersecurity threats and attacks in a myriad of ways, as explained by the panelists—from preparing preventative compliance programs to establishing contacts with law enforcement agencies.
Harris highlighted the importance of regularly involving company executives on technical tabletop exercises and revising incident response plans. “The guidance is that you can’t just do an assessment, come up with a policy, and put it on the shelf—you’re to be consistently looking at incidents and looking at threats,” she said. “The threats that I was thinking about every day two years ago are not the threats I’m thinking about right now.”
Farrell emphasized how having good rapport with law enforcement is critical to helping investigations and prosecutions proceed. “In the case of ransomware attacks, they [agencies such as the FBI and Department of Justice]may have a lot of familiarity with the strain, who the bad actors are, how they operate, and how the malware itself operates,” he said. “From an enforcement standpoint, it’s crucial to get that information early and to get us and the agencies working on the different investigative steps.”
Initiatives Already Taken and Where To Go From Here
Though the United States does not have a federal cybersecurity law, new laws have been enacted to strengthen existing cybersecurity guidelines.
“What we’ve seen over the last year or so is a real multi-layered commitment at all levels of government to curb and combat cybersecurity in different areas,” Feder explained, “from setting up cyber defense standards for federal agencies and government contractors to beefing up cyber investigative capabilities to facilitating information sharing.”
In May 2021, President Joe Biden signed an executive order to improve the nation’s cybersecurity and protect federal government networks. The order sets forth seven different ways in which the federal government intends to prevent, detect, assess, and remediate cyber incidents—including establishing a cybersecurity safety review board and creating a standard playbook for responding to cyber incidents.
In October, the DOJ announced the Civil Cyber-Fraud Initiative, which establishes the use of the False Claims Act “to identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk,” according to Brian Boynton, acting assistant attorney general for the Civil Division at the DOJ. The False Claims Act is a federal statute that allows the government to sue any person or entity who knowingly submits false claims to the government for up to three times its damages, in addition to a penalty for each false claim.
“This initiative is not about going after every company that has a breach or fails to report a breach,” Yavelberg explained. “This is about looking at companies that have obligations and ensuring that they are held accountable to what those are.”