Homeland Security Today had the opportunity to sit down with John Dalton, CEO of Perceptics, a small government contracting firm that has been working with U.S. Customs and Border Protection for over 30 years.
Recently, Perceptics was the victim of a targeted cyber extortion attack and has been weathering the attack itself, the subsequent investigation, and the federal government's process for resolving the breach's implications for its contracts. Perceptics' experience to date serves as an important case study in managing a cyber intrusion while at the same time addressing government equities and core business imperatives. HSToday talked with Dalton to help inform how contractors in the federal market approach process and protections moving forward.
HSToday: Thank you for taking the time to sit down with us. Would you just take a moment to introduce yourself and Perceptics to our readers?
Dalton: Hi, I’m John Dalton. I’m CEO of Perceptics. We’re a small imaging equipment manufacturer based in Knoxville, Tenn.
HSToday: Thank you – so we’re here today to discuss the data breach you suffered earlier this year. Would you share a bit about what happened?
Dalton: Of course. We did have a data breach. In May, I received an email saying we had been breached and seeking to extort 20 Bitcoins (which translates to slightly more than $200,000 U.S.). A purported ransom attack. It wasn’t yet ransomware because the hacker claimed to have exfiltrated some of our data from our networks.
At first, we weren’t sure if this was a hoax. Part of our puzzle was figuring out what exactly was at risk and where the hacker had been. It took some cyber forensics to be able to get to that. So, that same day, we talked to our insurance company and our counsel and started to formulate a plan. We contracted with a couple of different cyber firms to understand it. The next day we contacted the FBI. By the end of the week, we were contacting customers to clarify what was at risk.
HSToday: So it sounds like the timeline was pretty short: You learned about the breach, you consulted your folks internally, started cyber forensics to figure out what, if anything, had been compromised, contacted the FBI, and what happened next?
Dalton: We were looking at the validity of the threat during that first week, from May 13 to 17. The 17th was our deadline to pay on the extortion. I think it was noon on Friday. We don’t believe in paying criminals, so we didn’t pay. When that deadline passed, the bad actor used a surreptitious entryway he had built, and started to encrypt our own network inside of our system.
Thankfully, we realized this early on Saturday morning and air-gapped or unplugged our whole system from the internet. We had a partially encrypted system at that point, internally, that we couldn’t access. So, we had backups and different systems to help us manage that situation. But our system itself, including our email server and our financial ERP system and lots of other data about our business, was encrypted.
HSToday: Were there any indications that the attacker was interested in specific data?
Dalton: He wandered around, but we don’t really know that for sure.
HSToday: The biometrics that you have would be images of faces and images of license plates? Is that the extent or is there more?
Dalton: The technology we manufacture takes the image of the license plate and figures out the license plate number. These systems also do image processing – meaning they collect and process the best image through our sensors and image processing software. They do not connect the image with any personal information like Social Security number or immigration status. They simply take the picture of the facial image and process it to ensure we are submitting the most accurate image possible for Homeland Security’s purpose. Our systems are also not connected to the CBP network. From time to time, we are provided sample images for quality assurance.
HSToday: Were you able to determine if the bad actor targeted you specifically?
Dalton: No, we are not sure of the exact motivation and target of the bad actor in question. Whether he found us in his searching by happenstance or he had a reason to target us, we don’t know.
HSToday: And did he actually steal data and do something with it?
Dalton: Unfortunately, we did discover that the malicious actor had exfiltrated data. He put well over two terabytes of data on the dark web. This included project files and financial data and health benefit information on employees (for which we have provided monitoring licenses to all the employees so they can monitor their credit and make sure nobody’s doing anything illegal). When you have been attacked, it is not just a company problem. Cyber attacks hurt our people, too.
HSToday: What was the most frustrating thing about the attack?
Dalton: By far the most frustrating thing was needing to furlough half of my company. [As of publishing this article, those employees have been terminated] CBP was about two-thirds of our revenue last year. So maybe we could be reasonably accused of having too much concentration on our biggest customer, having been working with them since 1982. We had worked to diversify, but we put a lot of resources into CBP over the years. So, to be so quickly halted in what we do and needing to furlough my employees, that’s by far the most frustrating.
HSToday: You’ve spoken a little about the impact on your company, but how do you see this impacting your company in the long term?
Dalton: I strongly believe we will be back on our feet as a contractor in the specialty area we have in a timeframe measured in weeks and months.
HSToday: Are you confident other agencies will contract with you despite this breach?
Dalton: I think agencies will conclude that eventually all companies are going to have a breach, and they’d be wise to contract ahead of time with somebody who knew about cybersecurity and necessary controls. For example, we are using the Center for Internet Security’s 20 Critical Security Controls to prioritize rapid implementation of cyber controls, while also looking at guidance from NIST. We are working to ensure we are taking the necessary corrective actions so our contracting suspension will be lifted. I believe we’ll be able to put together an administrative plan for the government to accept, for CBP to accept, as a step toward us getting that suspension lifted. I believe we will clear the investigation and then we’ll have to earn our business back.
HSToday: Is there any particular lesson you would want to share with other government contractors?
Dalton: I think there has to be a balance of growth and risk management, having had some time to reflect on this on nights I couldn’t sleep. Then being able to understand cyber risk enough to protect appropriately certainly makes sense. You also question things like insurance: are we properly insured?
Everybody has their own makeup of what the risks would be. But managing that and having people that are concentrating on that is important as a business grows. Perceptics is not a new company. We started in the late 1970s. Our current ownership group bought it from Northrop Grumman in 2006. So it was part of a very large IT contractor at the time. So it had 2006-era big company processes, and yet we still missed the mark on cyber.
HSToday: That’s a very good point. Because other companies don’t have that background and support.
Dalton: I’d also offer, compared to most companies in the $20 million revenue range with 50 or so employees, we’re a particularly professional company. I’m an industrial product guy but I came out of private equity. We’ve got a professional management team. We’ve got a professional board of directors that performs governance. We’ve got professional banking relationships. We’re not like a company that’s lost in the weeds in Tennessee and doesn’t understand about any of this risk. We should have known better and I didn’t.
HSToday: Do you think after all of this that it’s even possible to be cyber secure?
Dalton: I don’t think it’s ever possible to prevent attacks, so I think you need to focus on resiliency – making it as hard as reasonably possible for someone to get in, minimizing the amount of time it takes you to detect and contain the intrusion, and having capabilities in place that allow you to continue operations notwithstanding the intrusion. The challenge of it is you can spend infinite amounts of money trying to get there. So, to what degree do we need to be cyber secure? I suspect that the government will get more precise about what they mean about cyber secure. I suspect that larger prime contractors will get more precise about what they mean about cyber secure. I know that Perceptics will get more precise about what we mean, but anything is penetrable. If Equifax can get penetrated, then Perceptics doesn’t really have much of a chance of preventing an attack. Not really.
You have to do the right set of things. However, I don’t think that there’s much clarity on what those right sets of things are. It’s easy to say “be cyber secure,” but even the experts can’t agree on what that actually means for a small equipment manufacturer in Tennessee. I mean, if I lined up 10 cyber experts, I guarantee you we will get a different set of answers on what they would prescribe as a reasonable set of cost-effective measures to be cyber secure. There is no shortage of frameworks out there: NIST 800-53, NIST 800-171, the NIST Cybersecurity Framework. They can be difficult to interpret, but we’re trying to do the right things that will make a difference.
What you have with Perceptics is 50 people that will literally wait for CBP’s call to jump, because they were two-thirds of our revenue. Our people were completely dedicated to the mission. I had a CBP commissioner tell me one time that our purpose was to get the data to the right people, but also to the right place, so that the border officers will not get killed, because he was tired of going to funerals. If we could help him avoid a few funerals because we did a good job identifying the vehicle, that was worth a lot to him. We tell that story as a part of our company lore. We are all about the mission and the CBP mission. The pride that all those people take, even the half on furlough [now terminated], on supporting that mission is extreme. It’s about keeping the border officers alive and getting legitimate trade and travel through quicker.
HSToday: What do you think the government could do that would have helped you avoid the breach? Or is there something you would advise the government to ensure that this situation can’t happen in the future?
Dalton: As it pertains to cyber, we need them to be specific about what they need. At this point, I don’t see strong evidence that that’s really known very widely in the government or in the community of prime contractors that we work with or in the subcontractors in my peer group. So being specific on what cybersecurity capabilities are needed is important. Of course, the bad actors are also finding workarounds to everything you put in place. So if you give a 20 Critical Security Controls list of things you’ve got to do, that list has to change over time as the threat evolves. So it is a very complex environment. But I don’t think you can use that as an excuse to leave it to small businesses to figure out. There’s got to be a way to avoid the small companies doing research about what’s the right thing to do, because we don’t know.
HSToday: What were the terms on which Perceptics was suspended?
Dalton: This came up in our meeting with the CBP suspension office, which included the Office of Information Technology and other folks. They did not suspend Perceptics because we were breached. They suspended Perceptics because of the perception that we had data that we were not supposed to have.
We believe, and I would strongly assert, that we are completely within our contractual boundaries to have the images they referred to, in order to perform image analysis as part of our normal engineering process for those certain images. That’s why we have the data that we have. The majority of our data – over 99 percent of our data – flows through a normal, standard operating process to get deleted in the right timeframe. We have a project in particular, traveler imaging, that was within that timeframe. At the time of the attack we were still doing work on those images, which included finding a quality image of the face (a “face patch”) for our prime contractor Unisys or the government to determine what they need to do to benefit homeland security. So, we needed the data we collected in order to execute our engineering scope and provide them with what they were asking for. That doesn’t seem to have been recognized.
We’ve been gathering data (and removing data when no longer needed) across 12 years. But the data that was gathered in the recent trial, which has been quoted widely in the press, is considered different. I don’t think there’s any difference except for the politics.
HSToday: What could CBP, Unisys and Perceptics have done better?
Dalton: I think it would help all of us if there were good communication throughout the process. Not only for the Perceptics instance, at least – not an immediate cancellation, investigation and suspension.
Not because I don’t think they should have. It’s perfectly within the government’s rights to cancel, suspend, and investigate. I’m not denying that in any sense. But I think everybody would have benefited from some sitting around the table and realizing that some of this is a common problem and that we should address it as a common problem.
HSToday: What has been your main takeaway from the attack and the aftermath?
Dalton: I think it’s easy to think about risk management and not get it done very well. Frankly, I think it’s easy to hire consultants that have their own view of risk and that may or may not be the real risk. You really have to put a lot of time and effort from all levels of your organization into this but recognize it still won’t be 100 percent.
To use a manufacturing example, you could spend so much money on safety that you can’t sell your product. If you had the people in the manufacturing plants in suits of armor, then they probably wouldn’t get their fingers dinged or their heads hit on anything, but you couldn’t build any product either. So how to manage cyber risk is a balance, and I don’t think anybody really has the answer yet. It’s hard.