The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced that several federal government agencies were hit in a wave of global cyberattacks during 2023. These malicious events exploited a widely used software.
To understand the significance Digital Journal reached outto one of the foremost experts in cybersecurity in the U.S.
Robert “Bob” Cattanach is a partner at the international law firm Dorsey & Whitney. He has previously worked at the U.S. Department of Justice and was also special counsel to the Secretary of the Navy. He is one of the country’s top experts on cybersecurity, data breaches, ransomware, privacy, telecommunications, and international regulatory compliance.
Cattanach begins by explaining how these attacks reached the attention of the state: “Alarm bells that started in the U.K. private sector, then spread to the U.S., are now going off throughout the federal government.”
These alarms came “after Russian cybercriminal group Cl0p boasted online that it had exploited vulnerabilities in MOVEit file transfer software to penetrate numerous organizations, most recently and significantly many agencies in the United States Government.”
This is an ongoing process, observes Cattanach: “The hackers continue to add victims to their dark-web list of extortion victims, and as the full scope of the supply chain exposure continues to unfold exponentially, the Critical Infrastructure Security Agency (CISA) is engaging in full-time damage control.”
In terms of the impact, Cattanach’s assessment is: “The depth and scope of the compromise are already believed to be staggering, and making matters worse, the only thing known for certain is that the extent of the vulnerability still isn’t known. While some federal agencies (TSA and the State Department) were quick to assert that their systems remain secure, it’s a sure bet that those agencies less fortunate are scrambling to assess the full impact of the hack on their systems before they offer any public assessment of the damage.”
In terms of how the attacks have happened and what these mean for vulnerabilities, Cattanach observes: “The latest round of revelations follows a now-familiar playbook: cyber criminals uncover a software flaw, exploit it surreptitiously to avoid drawing attention, then pounce quickly on unsuspecting victims to maximize leverage before software fixes are in place. What’s unique about this hack is the apparent ability of the attackers to move laterally among connected systems of different entities, allowing them access to companies that supposedly did not even employ the defective software, meaning that the MOVEit supply chain is only the beginning, rather than the end of the compromise.”
In terms of the next steps and building the foundations of an appropriate defence, Cattanach notes: “While CISA has been increasingly focused on supply chain vulnerabilities in its contingency planning and regulatory initiatives, this latest round of expanding shockwaves is sure to add new impetus to those initiatives, and influence the ongoing debates between software developers and government cyber-policy experts about who should bear the ultimate responsibility for software that proves to be defective”
