FEDTECH: What is the government’s stance on ransomware payments?
Goldstein: Ransomware attacks often pose a very hard choice for victim organizations. However, we strongly discourage organizations from paying ransom, both given that paying ransom is no guarantee that an organization or victim will actually get data back and that paying ransom further fuels the ransomware economy and encourages these criminal groups to execute further attacks.
FEDTECH: How does President Biden’s executive order on improving the nation’s cybersecurity address these issues and help to mitigate potential harm?
Goldstein: The executive order focuses principally upon steps that we can take to help protect the federal government from cyber intrusions. However, our hope is that the best practices, the concepts, the guidance and the principles that are going to be created and then executed under this executive order will also be adopted nationally. This executive order is the U.S. government saying, “Here are the things that we think that all entities should be doing to mature and advance their cybersecurity. We’re going to do it first for our own agencies, but these are the sort of efforts that all organizations should be doing to minimize the likelihood of intrusions impacting their networks.”
FEDTECH: Will zero trust be a requirement for agencies?
Goldstein: Agencies are required to make progress towards adopting zero-trust models. Now, certainly for any organization, public or private, with a significant legacy infrastructure, moving toward zero trust is challenging. It takes time, it takes effort, it takes not just new technology but also rearchitecting of processes and of governance. We understand that for organizations that are operating in a legacy IT environment, this is a process that will take time. There are a lot of agencies that are quite small, that do their best, but frankly just aren’t resourced to build a leading cybersecurity program. For those agencies, CISA now has the authority and resources to provide shared services that are going to raise the baseline for cybersecurity for those agencies that will benefit most from our help.
FEDTECH: How is CISA making third-party and private sector vendors part of the process to protect the software supply chain?
Goldstein: Third-party and supply chain has always been a challenging area for cybersecurity. Our goals are to make sure that we as a government are rating contracts in a way that will hold our third-party suppliers accountable to the right requirements; that we are understanding cybersecurity incidents that are affecting our significant third-party vendors and could correspondingly affect federal civilian agencies; and that we have the right security controls built into contract language, so we have a reasonable level of assurance in the security being adopted by third parties. The executive order calls out the need to make progress in initiatives like a software bill of materials, which is an essential step forward in understanding the components and the lineage of the critical software utilized across federal networks. None of these solutions is a complete answer in itself, but collectively, they really move us forward in understanding and managing risk posed by third-party vendors.
FEDTECH: The executive order and the most recent National Defense Authorization Act gave CISA new capabilities. How will that help in attributing and responding to future attacks?
Goldstein: The EO includes a requirement to develop a common governmentwide playbook for cyber incident response, which will really improve our codification and then execution of these joint incident responses. This really builds upon authorities that CISA received last year from the National Defense Authorization Act, where we were directed to stand up a Joint Cyber Planning Office. This JCPO is essential to the maturation of CISA’s incident coordination and planning role. We generally know the types of intrusion campaigns that we’ll be facing as a country — not in detail, because our adversaries are adaptable and ever-changing, but we know generally the types of tactics and targets they’ll pursue.