A Q&A with Michael McLaughlin of Baker Donelson
Global cyber attacks are on the rise, and the cost of these crimes is expected to reach $8 trillion in 2023, but most organizations lack awareness about the particular threats they may be facing.
Michael McLaughlin is an associate in Baker Donelson’s Washington, D.C. office and a member of the Government Relations and Public Policy Group.
Michael is also the author of Battlefield: Cyber: How China and Russia are Undermining Our Democracy and National Security, about why companies need to be paying closer attention to these threats, and the groups behind them. The book will be released on August 15, 2023.
In part one of our Q&A with Michael, we discussed the evolution of cyber threats with the advent of the war in Ukraine.
Here in part two, we explore new threats from state-sponsored actors in China and what companies can do to prevent attacks and build resilience.
In the first part of our Q&A, we talked about some of the more sophisticated threats occurring now, with threat actors infiltrating networks and “living off the land” for indefinite periods of time. Where are we seeing these tactics deployed?
Actually, Chinese state-sponsored threat actors just did this in Guam, targeting critical infrastructure. This was the Volt Typhoon group, and what made it so insidious was that they were using these “live off the land” techniques, and not only did the critical infrastructure operators not see them, but the US Air Force didn’t see them.
We’re starting to see more ransomware actors use those very same techniques, which is in and of itself a sophisticated capability, not because it means you’re using very advanced tools. It means that you are able to stay under the radar of our defensive tools.
What are some other threats that are specific to Chinese actors?
We’ve now seen them use very advanced techniques with respect to living off the land, but there are also different types of malware, such as MgBot, that are unique to Chinese cyber actors.
What is the most important takeaway for companies here to understand?
Understanding the threat landscape writ large is important. I named my book Battlefield: Cyber because the point we’re trying to drive home is that if you connect to the Internet, you’re on the battlefield, period. Whether you are an individual user conducting financial transactions or ordering products from Amazon on your personal laptop or you’re a Fortune 500 company, you’re on the battlefield because your information is of value to someone.
To that end, a network owner who is conducting research on advanced defense capabilities and defense technologies like hypersonic missiles or modular nuclear reactors is going to be targeted by advanced persistent threats, for instance by Chinese state-sponsored actors, because that intellectual property is of significant value to the Chinese government and to the Chinese military.
Knowing who’s targeting you helps you to better defend against it. If you have a managed service provider who’s doing your cybersecurity for you, make sure that it provides the right resources and has the right level of expertise that can defend you against the level of sophistication and maturity of relevant threat actors. Again, not every company is going to be targeted by Chinese state-sponsored threat actors, but very likely every company, every individual could be targeted by a ransomware actor or cyber criminal.
So how can organizations protect themselves against these threats?
Make sure that you have a general baseline of security, which is everything from multifactor authentication, to moving towards a zero trust environment, to making sure you have backups that are stored on the cloud or in an isolated environment.
You should also be doing your normal cyber training of the workforce and making people generally aware of the threats.
If we can get 90 percent of companies to put the baseline into place, then we can prevent the vast majority of ransomware actors from getting into networks, because they’re looking for a high payoff with minimal effort: to extract as much money as possible from the target and move on to the next one. If you’re hardened, and you’re not able to be penetrated easily, then the threat actor is very likely to move on.
Is there any other final advice you would give to our readers?
Know what information about you and your company exists out there in the ether. The vast majority of companies may have had a breach that they don’t know about, and they’re not aware that stolen credentials are still out there on the Dark Web for sale. Even old data from a previous breach potentially leaves you open to a follow-on breach, especially if you never changed your passwords or put mitigations in place after that initial breach.
In addition to understanding your threats, you need to understand the associated liability. Even if you’re doing everything right and working towards a secure environment, you can be setting yourself up for liability. Let’s say you hire a firm to conduct a vulnerability assessment of the network. You have every intention to implement all of the recommendations from that assessment, but you don’t have the budget to do it right now. The mere existence of that report could actually open you up to liability.
If you get hit with ransomware or some type of malware and there’s a breach, that assessment is discoverable in the event of litigation. If you get sued by shareholders, an affiliate, vendor or individuals whose data was breached, you could suffer tortious liability under a theory of negligence because you didn’t do what you should have done or what was reasonably expected of you to do after receiving that report.
However, if you engage outside counsel in preparation for anticipated litigation, then a lot of times those reports are covered by privilege, and you can still be protected as you work towards meeting the recommendations in the threat assessment. Even if you get breached in the interim, correspondence and the ultimate report are likely privileged attorney-client communications.
It’s about being able to not just secure your network, but also to safeguard yourself from liability, and that’s something far too many companies continue to undervalue.
You can purchase Michael’s new book Battlefield: Cyber: How China and Russia are Undermining Our Democracy and National Security on Amazon here. The book is scheduled for release on August 15, 2023.
To learn more about Baker Donelson, visit their website.
To learn more about Mark Greisiger, visit this page.