2021 NDAA: Securing Cyberspace Together

• Progress is being made to protect US critical infrastructure through adoption of Commission recommendations into 2021 NDAA, impacting both the private and public sectors.
• Awareness of new strategic approach is important to align with directives impacting companies through coordinated planning, governance structures, cyber exercises, and cyber integration programs with the US government.
• Prepare for the future with pending Commission recommendations on SOX reportable cyber risks, supply chain resiliency, and adoption of the zero trust paradigm model.

The foreword of the March 2020 bipartisan US Cyberspace Solarium Commission (“Commission”) report,[1] “A Warning from Tomorrow,” depicts ominous scenes of life after catastrophic cyberattacks on US critical infrastructure. The foreword ends with: “What can we really do? No matter what legislation we pass now, after everything that’s happened, we’re too late.” And the authors are right. Even the best federal law will be reactive. Businesses should not wait for federal oversight; they need to be proactive, now.

Progress is being made to protect US private- and public-sector critical infrastructure from future large-scale cyberattacks, similar to the recent SolarWinds breach that affected thousands of companies and federal agencies. Most recently, legislators included twenty-five of the eighty Commission recommendations into the 2021 National Defense Authorization Act (NDAA).[2] In doing so, they adopted a multipronged strategy across domestic, economic, and diplomatic security concerns. While these measures are designed for the public sector, they should also be embraced in the private sector to create an integrated private-public network—one that leads with deterrence and resilience both now and moving forward.

NDAA Impacts on Companies

The Commission advocates for a new strategic approach to cybersecurity where deterrence and resilience are facilitated through joint public- and private-sector initiatives. The Commission recommendations focus on integrating the private sector deeper into national security, primarily because the private sector operates more than 85 percent of critical infrastructure. Companies should be aware of the following directives involving both the private and public sectors:

1. Cyber planning office within Department of Homeland Security to develop a coordinated plan to protect against and recover from cybersecurity attacks
2. Cybersecurity state coordinator to build strategic relationships with a focus on establishing governance structures for secure and resilient infrastructure
3. Department of Defense to assess ongoing collaboration on cybersecurity defense initiatives
4. National cyber exercises to simulate cyber-incident response with coordination on processes and response groups
5. Cybersecurity and Infrastructure Security Agency (CISA) to evaluate resources for programs supporting integration and awareness of cyber threats
6. National cyber director to develop integrated incident response to cyberattacks and cyber campaigns with private-sector leaders on emerging technology

Balancing Global Business Operations and National Security

With the US federal government integrating the private sector into cybersecurity strategy more deliberately, businesses with global operations will need to think strategically about NDAA impacts both domestically and abroad. The balance of business interests and national security is not clearly defined, especially when it extends to international customers and third parties in one’s supply chain.

Businesses also must be aware of similar foreign cybersecurity initiatives, such as the EU Cybersecurity Strategy released in December 2020. The strategy parallels the NDAA in bolstering Europe’s collective resilience against cyber threats to ensure citizens and businesses can benefit from trustworthy and reliable services and digital tools. The EU Commission proposes to launch a network of security operations centers across the EU, establish international standards in cyberspace, and strengthen partnerships around the world for a secure cyberspace.

Actions to Undertake Now and Prepare for the Future

For more than two decades, collaboration between the private and public sectors on cybersecurity initiatives has occurred through Information Sharing and Analysis Centers (ISACs). These information-sharing efforts now will be operationalized by the US federal government, across industries, with the goal of protecting critical infrastructure from cyberattacks. It is more important than ever for companies to extend their preexisting ISAC channels to new involvement opportunities enacted through the NDAA. Scaling-up in this manner will ensure a seat at the table when developing guidelines with CISA and aligning business strategy to elements of the national cybersecurity framework.

Looking ahead, businesses also must be prepared for additional Commission recommendations to come down the pike, whether enacted in future NDAAs and/or as federal cybersecurity recommendations are matured. One major Commission recommendation that has significant traction is the disclosure of cyber risks as a SOX reportable requirement. The Commission’s Enabling Recommendation 4.4.4 encourages the Securities and Exchange Commission (SEC) to mandate reporting and assessment of cybersecurity controls more strenuously on financial reporting under Section 404 of the Sarbanes Oxley Act of 2002 (SOX). Most, if not all, companies keep their financial records electronically. Problematically, threat actors can disrupt the internal control structure for financial reporting by compromising the integrity of those electronic records. Company executives and auditors must have a full understanding of how those electronic records are protected in attesting to their accuracy. The Commission recommends the SEC outline specific responsibilities issuers must make to address cyber risks in attestations made under SOX Section 404, including the issuing of new rules and guidance outlining “adequate” internal control structures to mitigate cyber risks, and engage in enforcement actions to ensure these requirements are followed.

Over the past five years, the Public Company Accounting Oversight Board (PCAOB) has shared concerns of risk-prone cybersecurity incidents that could initiate a material misstatement of financial statements and misreporting.[3] For example, two years ago, Dutch accounting software firm Wolter Kluwer—which serves 92 percent of the world’s top fifty banks and many Fortune 500 companies—experienced a malware incident that caused US accountants delays in accessing their clients’ financial data for several days.[4] The incident showcases the importance of how cybersecurity affects all facets of a business and reiterates the importance of preparing your company for these types of SOX reportable cyber risks.

Companies should view cyberattacks and associated risks as business risks. Companies need to invoke greater transparency and resiliency in managing their supply chains and oversight of those third parties from both a contractual and due diligence perspective. Companies should consider the following:

• Evaluate contracts with third-party vendors to ensure they have proper “right to audit” clauses that provide the ability to perform audits of security controls and assess downstream supply chain vulnerabilities.
• In the event of a vendor being breached, companies should ensure they have proper indemnification clauses to offset risks.

Beyond contract management, companies should reconsider third-party vendor access to sensitive information through the adoption of the zero trust architecture model—an evolving set of cybersecurity paradigms moving defenses from static perimeters. Zero trust focuses on users, assets, and resources to ensure there is no implicit trust granted to assets or user accounts based solely on location or asset ownership. Adoption of the zero trust model will help companies further the Commission recommendations and NDAA’s new strategic approach in leading with deterrence and resilience into the future.

 

[1] Cyberspace Solarium Commission Official Report (March 2020), available at: https://www.solarium.gov/report

[2] National Defense Authorization Act for Fiscal Year 2021; H.R.6395, 116th Congress (2019-2020), available at: https://www.congress.gov/bill/116th-congress/house-bill/6395

[3] PCAOB, “Preview of Observations from 2016 Inspections of Auditors of Issuers;” Staff Inspection Brief, Vol. 2017/4 (November 2017), available at: https://pcaobus.org/Inspections/Documents/inspection-brief-2017-4-issuer-results.pdf

[4] Fazzini, K., “A malware attack against accounting software giant Wolters Kluwer is causing a ‘quiet panic’ at accounting firms,” CNBC (May 9, 2019), available at: https://www.cnbc.com/2019/05/08/wolters-kluwer-accounting-giant-hit-by-malware-causing-quiet-panic.html