What smaller organizations can learn from the Target data breach and ‘Network Penetration’ DFARS

Howard A. Miller
L/B/W Insurance & Financial Services, Inc.

In speaking with a number of companies regarding the potential risks of a data breach or unauthorized access, a common response is that we are not on the scale of company such as Target. We do not have the volume of information that would make us a target for attack and therefore do not need to be as concerned with the exposure of a breach of protected or confidential data.

I think it’s important to consider some details of the Target breach. The origin of the Target breach started with the compromise of Fazio Mechanical, an HVAC company who was tasked to monitor energy consumption. My understanding of a Krebs on Security Report, “Inside Target Corp., Days After 2013 Breach”, is that Malware was delivered by email which allowed thieves to steal the credentials needed to access Target systems. A Verizon assessment found that once inside the network, there were little controls to prevent access to POS terminals leading to the compromise of consumer credit information and around a $250-million-dollar loss for Target. To illustrate this further, it was found that access to a deli meat scale allowed communication with cash registers.

What does this teach us? The Internet of Things is connected system. There is also a connected ecosystem of relationships behind these things. There is data communicated between these things and these relationships. The vendors and service providers include everything from HVAC, accounting to cloud services. The third parties that you rely on could expose your company to liability and damage based on how diligent and prepared they are in protecting and defending the confidentiality and integrity of information assets, which in a lot of cases could be yours. Going back to the Target example, many small to mid-size organizations could closer align themselves to the HVAC contractor Fazio Mechanical Services than Target Corporation. The problem with being a small piece in the chain is that you are usually less prepared, less secure and less able to survive the financial and reputational consequences of a data breach then those at the top of the food chain.

The idea that we are only as strong as our weakest link starts to become an unacceptable risk when the integrity of the supply chain, the safety of our products, infrastructure, financial structure, and national defense are threatened. The society that we built on information technology and digital information must be maintained. We are not prepared to revert to an analog environment. Without the ability to meet a certain threshold of confidentiality, integrity and availability, we lose the ability to transact. An unmaintained road full of potholes turns into a crevasse that is not feasible to cross due to risk.

Enter Defense Federal Acquisition Regulation Supplement: Network Penetration guidelines related to Non-Federal Entities. Per the United States Government Accountability Office 02/2015 High Risk Series update, the DOD obligates more than $300 billion annually on contracts for goods and services, including major weapon systems, support for military bases, information technology, consulting services, and commercial items. One needs only to look at the similarities of the latest generation of fighter jets as an example of theft of intellectual property, R&D and Controlled Unclassified Information to see our country’s competitive and military advantage slipping away. Just like Fazio Mechanical, we must control risk throughout the supply chain as we are an integrated system.

Regarding non-federal information systems and organization - as a risk manager I would look at exposures, causes of loss and how strategic partnerships can more effectively manage the risk including risk control and the finance of potential losses. Section 252.204-7012 Safeguarding Covered Defense Information includes subcontracts (thousands of subcontractors who will be involved) “with the operationally critical support, or for which subcontract performance will involve a covered contractor information system, including subcontracts for commercial items.” This type of contractual requirement flows down to mandate better security. Further requirements discuss implementation of security measures NIST 800-171 by 12/31/2017 guidelines and rapid reporting of a cyber incident to the DOD and prime contractor.

What is the exposure? Covered defense information. Unclassified information that is provided, collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. Controlled technical information, critical information (operations security), export control, any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies (e.g., privacy, proprietary business information). There are dozens of categories under CTI further expanding this exposure for subcontractors.

What’s the causes of loss? They include perils such as unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred. Cyber/physical perils could include mechanical failure and altered materials or components.

Compare an example of NIST 800-171 key areas with an insurance application for cyber liability. NIST - 3.6 INCIDENT RESPONSE

Basic Security Requirements:

3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.

Derived Security Requirements: 3.6.3 Test the organizational incident response capability.

Cyber Insurance-

Application Question - Do you have written and explicit policies in place to deal with a Data Breach?

How does insurance respond to a breach? It can pay up to the policy limits and provide prearranged forensic resources to determine the scope of breach. Notification coverage can assist with reporting requirements in effective time frame.

Application Question – Has a written data back-up and disaster recovery plan been created and adhered to?

How does insurance respond to a breach? Unlike business interruption triggered by physical loss to tangible property cyber liability insurance can be triggered due to damage caused by malware/viruses that can disrupt a company’s operations and cause loss of profit and extra expenses needed to resume operations. Insurance may provide resources or reimbursement for these type of losses.

You start to see the overlap with the proactive compliance of DFAR requirements. An idea: cyber insurance coverage for subcontractors can give an advantage in regards to breach response, the cost of mitigation and use of pooled resources. Meeting DFAR requirements improves security, shows due diligence and acceptability to qualify on better terms for cyber insurance. This can pay for resources involved in incident response, business interruption and potential legal liability. It helps to transfer risk which supports your efforts and balance sheet in the event of a loss. For those vetting subcontractors in the supply chain, insurance has proved in other areas to provide third party assurance of a financial backstop and possibly a better response in the event of loss.

Please note this is not legal advice so check with a qualified attorney. That being said, these issues will not be resolved immediately but the sense of urgency and the responsibility to meet a higher bar of information security management is evident. I believe involvement from multiple industry sectors and expertise including, but not limited to, legal compliance, insurance and risk control will need to converge in dealing with the lifecycle of information. The demands for a more secure future may become non-optional. Welcome to the internet of everything.