President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity proposes many ambitious goals, but among the most nebulous and challenging passages in the document is a section that calls for the revision and standardization of government contracts with IT and operational technology service providers in order to remove barriers to sharing threat information.
The EO points to contracts with IT and OT service providers to conduct "an array of day-to-day functions on federal information systems." The order specifically points to cloud service providers as among the companies with access to and insight into cyber threat and incident information. At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies that are responsible for investigating or remediating cyber incidents.
Indeed, procurement challenges often tied to the U.S. Federal Acquisition Regulation, or FAR, may include burdensome restrictions on how information can be propagated, say experts. In other cases, the contracts are too vague, letting IT and OT service providers off the hook from threat-sharing responsibilities.
SC Media spoke with various experts and consultants with knowledge of the federal government procurement space for their opinions on current flaws in contracts and how they might be amended to satisfy Biden’s order.
Error of omission
Error of omission may be one of the biggest issues. A service provider is not necessarily going to volunteer details of certain malicious activity that it becomes aware of unless a government IT/OT contract explicitly compels the company to do so, or the agency is directly and substantially affected.
“On the federal side, there is no standard FAR requirement for contractors to report to the government threat information,” said Alan Chvotkin, partner at law firm Nichols Liu, and former executive vice president and counsel of the Professional Services Council.
While an individual federal agency’s agreement with an IT/OT provider might mandate the timely disclosure of certain data breach events to that specific contracting agency, terms and stipulations can vary from contract to contract. And even so, the service provider is still not compelled to alert an outside federal agency that might see fit to investigate, such as the Cybersecurity and Infrastructure Security Agency or the FBI, Chvotkin continued.
“Because you're not asking specifically for companies to do certain things, they will point to the contract and say, ‘Well it's not in there, so we're not doing that,’” said Chris Cummisky, CEO of Cummisky Strategic Solutions and former undersecretary for management at the Department of Homeland Security under President Barack Obama. “Companies are happy to use that omission to their advantage to say, ‘It's not in there, and plus we weren't interested in sharing it with you anyway.’”
In some ways, the FAR is “very prescriptive about what can be asked of companies and what can’t.” Therefore, when something is left out, that’s contextually significant. And because government contracts have been written like this for years, it’s become standard language that keeps finding its way into multiple contract cycles. Once that happens, “it's very difficult to force a company to comply with newer emerging cyber requirements that the government may or may not want to impose on their private-sector partners,” Cummisky explained.
That said, “the government has gotten much better over the last several years, because they've had more opportunity to insert language that is more advantageous to the government around these kinds of cyber disclosures – that as a condition of doing business with the government, you will disclose, you will make available, information that we can share with other entities," noted Cummisky. The executive order will seek to further facilitate such progress.
This is not to say the service providers are necessarily being negligent when withholding information. There could sometimes be risk and liability reasons they don’t share certain details with some agencies, especially in situations where contractual arrangements emphasize client privacy and discretion.
Many of the IT and OT service providers are under separate commercial agreements with the prime contractors, which brings “confidentiality provisions that limit disclosure by the service provider to anyone other than their client private-sector firm,” said Chvotkin. “So the authority and responsibility” for any such sharing rests with the service providers’ clients – and these clients often lack the skills to investigate threat information, and must confront both liability and public relations issues if they were to report such information to the government.”
The government itself similarly looks to impose limits on sharing across multiple agencies. In a blog post last December, Microsoft President Brad Smith critiqued federal government’s "insistence on restricting through its contracts our ability to let even one part of the federal government know what other part has been attacked."
"Instead of encouraging a need to share, this turns information sharing into a breach of contract," wrote Smith.
Consequently, Cummisky described contracted agencies' position as follows: “If we're going to provide this information to you, then you're going to provide us liability protection in our fights with the Department of Justice or whoever else we have to go toe to toe with in future litigation.”
Defining a standard of operations
With that said, there are certain circumstances under which companies can share attack details more freely, but often the definitions of such instances either aren’t clear, or they are too narrow, said the experts.
“A lot of the reporting requirements are really tied to personally identifiable information,” said Stan Soloway, president and CEO at Celero Strategies LLC and former deputy undersecretary of defense/acquisition reform and director of defense reform at the Defense Department. If PII is not involved, it’s less likely the service provider has an obligation to share details liberally with the federal government.
But that appears to be an antiquated notion, because as the Colonial Pipeline ransomware incident demonstrates, a cyberattack need not involve PII for it to be serious enough to merit disclosure to governmental agencies.
Consequently, “I believe one of the big shifts here is going to be the degree to which the government is going to require contractors to report any kind of operational hack as opposed to just those that involve personal information being exposed,” said Soloway.
This brings up a key point: the thought leaders who draft recommendations for new contractual language will have to refine the thresholds for reporting cyber intelligence to the government. Just as IT/OT service providers may be expected to share more, they also should be aware that sharing too much causes problems – including alert fatigue and the unnecessary sharing of sensitive information.
“There's always a tension between the government and companies as to what to report, when to report, how to report, and how extensive the report needs to be. There are legitimate business and proprietary concerns that companies have, there's legitimate concerns that the government has,” said Soloway. “You can imagine the damage that could be done, reputationally and business-wise, to a company that has to repeatedly report on really, really minor stuff, because nuance is lost in the shuffle. And all it looks like is constant screw ups,” even if it’s just standard day-to-day issues.
That’s why “the most important thing is how we define the information we need,” Soloway concluded. “What kind of information is really important for you to have?”