U.S. government contractors are left exposed to cyber threats and are expected to take cybersecurity seriously or risk losing business with the U.S. government, according to a panel discussion held Monday at the George Washington University. The symposium explored options for government contractors as they suffer cyber attacks, and included a brief demonstration of how hacking works.
“This (Cybersecurity) is pretty much the topic of the day,” said Michael Chertoff, the former Secretary of the U.S. Department of Homeland Security, Chairman of the Chertoff Group as well as the Chairman of the George Washington University Cybersecurity Initiative.
The speech was followed by a demonstration where Mark Young, the managing director of IronNet Cybersecurity, showed some basic hacking techniques using easily accessible software and was able to access sensitive documents. As the audience watched, Young joked, “It’s so easy a lawyer can do it.”
Young said that while hackers may not hack the contractors directly, they may gain access by hacking subcontractors, banks, and relatives. “From the standpoint of the contractors, it’s not just about losing your intellectual property or personal identifiable information,” said Chertoff during his opening speech. “There are very serious contractual implications for your ongoing business with the government.”
He also said that firewalls may be able to detect certain dangers. “It is difficult to detect hackers, and it is even more difficult to pinpoint who or what your attacker is,” said Young.
The panels included the authors of the Briefing Papers: Cybersecurity for Government Contractors, who spoke about the implications of the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST).
Robert Nichols, one of the authors of the Briefing Paper, said that, at the moment, when a breach occurs, in order for the contractor to remain in business with the U.S. government, the government must determine whether the breach was caused by a lack of preparation on the part of the contractor.
According to the NIST website, the NIST framework sought to provide “a structure that organizations, regulators, and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.” Nichols said the NIST framework can be used as a point of reference for the necessary standards of a cybersecurity system.
Nichols said the briefing paper was designed to guide businesses to better understand what legal aspects of cybersecurity they are responsible for, as well as the specific rules and regulations involved. However, “many rules were left intentionally vague, and thus each company must determine their own vulnerabilities and know the types of government information they have,” concluded Nichols.
Chertoff said that regardless of what the contractors may say, they will continue to suffer cyber events; the difference will be how they minimize, mitigate, and respond to them.