Cybersecurity took a front seat for the Federal government in 2021, with numerous cyberattacks on government and industry helping to spark a sweeping cybersecurity executive order and a host of new efforts to improve the nation’s security posture.
As the year comes to an end, MeriTalk is rounding up our top cyber moments of 2021:
Cybersecurity Executive Order
The White House issued its cybersecurity executive order this May, marking the Federal government’s most determined effort yet to enforce general improvements to cybersecurity nationwide. In the order, the White House issued its most authoritative directions to the Federal government, urging agencies to move to the cloud and to zero trust security architectures. The order’s ultimate impact and payoffs likely won’t be fully evident for years to come, for two main reasons – the timeline to execute on some of the order’s directives is long, and staying ahead of adversaries and protecting critical networks is a task that has no end.
TMF Board Names Cyber a Priority, Awards $311 Million in Funding
The Technology Modernization Fund (TMF) has evolved tremendously over the past year, after getting an extra $1 billion of new funding under the American Rescue Plan Act. Before this past fall, the TMF Board had only invested in 11 projects totaling over $80 million over three years. However, in the last five months alone, the board has reviewed dozens of proposals and announced seven new investments totaling $311 million. What’s more, the board announced it would give top priority to cybersecurity modernization projects. At least four of the seven projects that got a piece of the $311 million in awards are related to cybersecurity, with three of them focused on advancing zero trust.
Colonial Pipeline Ransomware Hack
The ransomware attack on the Colonial Pipeline Company, a major supplier of fuel to the northeastern U.S., proved to be one of the most impactful ransomware attacks in U.S. history. The company temporarily shut down pipeline operations after disclosing the attack in May, causing fuel shortages and skyrocketing gas prices across the East Coast. Colonial Pipeline Company paid $4.4 million in ransom the day after discovering the attack. However, the Department of Justice was able to recover a portion of that ransom from a cryptocurrency wallet linked to the ransomware group DarkSide.
Kaseya and JBS Ransomware Attacks
This summer brought another impactful set of ransomware attacks from the Russia-based REvil organization, which provides ransomware-as-a-service technologies. REvil was responsible for separate ransomware attacks against U.S.-based meat producer JBS USA and American software firm Kaseya. These two attacks were part of a wave of high-profile exploits against U.S. targets that prompted President Biden to publicly elevate such attacks as national security issues, and engage on them with Russian President Vladimir Putin. President Biden and Putin discussed the attacks in early July, and by mid-July, REvil’s ransomware sites had disappeared from the dark web.
Chris Inglis Confirmed as First-Ever National Cyber Director
The Senate confirmed Chris Inglis to become the nation’s first-ever National Cyber Director in June. The creation of the position helped to show President Biden’s commitment to cybersecurity, and was a move for which the U.S. Cyberspace Solarium Commission had strongly advocated. Inglis now serves as the President’s senior advisor on cybersecurity and other emerging tech issues. Staffing in his office has grown since June, with Inglis estimating that it will have about 25 employees by the end of 2021.
CISA Sets Joint Cyber Defense Collaborative (JCDC) Initiative
The Cybersecurity and Infrastructure Security Agency (CISA) in August announced its Joint Cyber Defense Collaborative (JCDC) initiative, which aims to utilize collaboration to drive down cyber risks faced by Federal agencies, state and local governments, and the private sector. The JCDC has the potential to greatly help Federal government authorities and private sector firms better “connect the dots” on global threats in cyberspace, as National Cyber Director Chris Inglis put it.
DoD Forecasts CMMC in Every Contract by 2026, Issues CMMC 2.0
The Department of Defense (DoD) announced every contractor seeking to do business with the DoD will be required to have at least a Level 1 Cybersecurity Maturity Model Certification (CMMC) by Fiscal Year 2026. The policy means that for the Defense Industrial Base (DIB), cyber maturity is now mandatory. The CMMC also underwent a lengthy review process this year, leading DoD to issue an update to the program – dubbed CMMC 2.0 – that simplifies some of the cybersecurity requirements for contractors in the DIB looking to do business with the government.
White House Conducts Full Review of SolarWinds
Although the SolarWinds hack was launched more than a year ago, much of the beginning of 2021 was spent reacting to the attack and conducting a thorough investigation. In January, President Biden tasked intelligence agencies with a full assessment of Russian involvement in breaches of thousands of government and private-sector networks via SolarWinds Orion products. It wasn’t until March that the nine Federal agencies whose networks were compromised in the hack were close to finishing their remediation reviews. The hack was a powerful reminder of the continued escalation of the threat landscape and led to major U.S. cybersecurity realignment.
OMB, CISA Release Formal Zero Trust Strategy and Maturity Model
The Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) both published key draft guidance documents in 2021 that provide the next set of roadmaps for Federal civilian agencies to transition to zero trust security concepts over the next three years and to guide agencies to securely migrate to cloud services. The Federal government’s transition to zero trust concepts – and its push for agencies to further adopt cloud services – are centerpieces of the Biden administration’s cybersecurity EO. Agencies looking for a good resource on meeting EO requirements need look no further than these documents.
OMB Issues New FISMA Guidance, Keying in on Cyber EO
Last but certainly not least, the Office of Management and Budget (OMB) issued new Federal Information Security Management Act (FISMA) guidance to Federal agencies for Fiscal Years 2021-2022 that promotes agency action on several items in the Biden administration’s cybersecurity EO. The guidance was just issued this December and also aligns with aspects of current Senate legislation on FISMA reform.
Happy Holidays from MeriTalk! We wish you a cyber-safe and secure holiday season and can’t wait to see what 2022 brings.