Thursday, March 27, 2025

HST Interview: What Happened in CBP Data Breach and the Future for Contractor Cybersecurity

Homeland Security Today had the opportunity to sit down with John Dalton, CEO of Perceptics, a small government contracting firm that has been working with U.S. Customs and Border Protection for over 30 years.

Recently, Perceptics was the victim of a directed cyber extortion attack on its company and has been weathering the attack, the subsequent investigation, and the process within the federal government to resolve implications of the breach on its contracts. Perceptics’ experience to date serves as an important use case for managing a cyber intrusion while at the same time addressing important government equities and core business imperatives. HSToday talked with Dalton to help inform contractors’ process and protections moving forward in the federal contractor market.

HSToday: Thank you for taking the time to sit down with us. Would you just take a moment to introduce yourself and Perceptics to our readers?

Dalton: Hi, I’m John Dalton. I’m CEO of Perceptics. We’re a small imaging equipment manufacturer based in Knoxville, Tenn.

HSToday: Thank you – so we’re here today to discuss the data breach you suffered earlier this year. Would you share a bit about what happened?


Dalton: Of course. We did have a data breach. In May, I received an email saying we had been breached and seeking to extort 20 Bitcoins (which translates to slightly more than $200,000 U.S.). A purported ransom attack. It wasn’t yet ransomware because the hacker claimed to have exfiltrated some of our data from our networks.

At first, we weren’t sure if this was a hoax. Part of our puzzle was figuring out what exactly was at risk and where the hacker had been. It took some cyber forensics to be able to get to that. So, that same day, we talked to our insurance company and our counsel and started to formulate a plan. We contracted with a couple of different cyber firms to understand it. The next day we contacted the FBI. By the end of the week, we were contacting customers to clarify what was at risk.

HSToday: So it sounds like the timeline was pretty short: You learned about the breach, you consulted your folks internally, started cyber forensics to figure out what, if anything, had been compromised, contacted the FBI, and what happened next?

Dalton: We were looking at the validity of the threat during that first week, from May 13 to 17. The 17th was our deadline to pay on the extortion. I think it was noon on Friday. We don’t believe in paying criminals, so we didn’t pay. When that deadline passed, the bad actor used a surreptitious entryway he had built, and started to encrypt our own network inside of our system.

Thankfully, we realized this early on Saturday morning and air-gapped or unplugged our whole system from the internet. We had a partially encrypted system at that point, internally, that we couldn’t access. So, we had backups and different systems to help us manage that situation. But our system itself, including our email server and our financial ERP system and lots of other data about our business, was encrypted.

HSToday: Were there any indications that the attacker was interested in specific data?

Dalton: He wandered around, but we don’t really know that for sure.

HSToday: The biometrics that you have would be images of faces and images of license plates?

Dalton: Yes.

HSToday: Is that the extent or is there more?

Dalton: The technology we manufacture takes the image of the license plate and figures out the license plate number. These systems also do image processing – meaning they collect and process the best image through our sensors and image processing software. They do not connect the image with any personal information like Social Security number or immigration status. They simply take the picture of the facial image and process it to ensure we are submitting the most accurate image possible for Homeland Security’s purpose. Our systems are also not connected to the CBP network. From time to time, we are provided sample images for quality assurance.

HSToday: Were you able to determine if the bad actor targeted you specifically?

Dalton: No, we are not sure of the exact motivation and target of the bad actor in question. Whether he found us in his searching by happenstance or he had a reason to target us, we don’t know.

HSToday: And did he actually steal data and do something with it?

Dalton: Unfortunately, we did discover that the malicious actor had exfiltrated data. He put well over two terabytes of data on the dark web. This included project files and financial data and health benefit information on employees (for which we have provided monitoring licenses to all employees so they can monitor their credit and make sure nobody’s doing anything illegally). When you have been attacked, it is not just a company problem. Cyber attacks hurt our people, too.

HSToday: What was the most frustrating thing about the attack?

Dalton: By far the most frustrating thing was needing to furlough half of my company. [As of publishing this article, those employees have been terminated.] CBP was about two-thirds of our revenue last year. So maybe we could be reasonably accused of having too much concentration on our biggest customer, having been working with them since 1982. We had worked to diversify, but we put a lot of resources into CBP over the years. So, to be so quickly halted in what we do and needing to furlough my employees, that’s by far the most frustrating.

HSToday: You’ve spoken a little about the impact on your company, but how do you see this impacting your company in the long term?

Dalton: I strongly believe we will be back on our feet as a contractor in the specialty area we have in a timeframe measured in weeks and months.

HSToday: Are you confident other agencies will contract with you despite this breach?

Dalton: I think agencies will conclude that eventually all companies are going to have a breach, and they’d be wise to contract ahead of time with somebody who knew about cybersecurity and necessary controls. For example, we are using the Center for Internet Security’s 20 Critical Security Controls to prioritize rapid implementation of cyber controls, while also looking at guidance from NIST. We are working to ensure we are taking the necessary corrective actions so our contracting suspension will be lifted. I believe we’ll be able to put together an administrative plan for the government to accept, for CBP to accept, as a step toward us getting that suspension lifted. I believe we will clear the investigation and then we’ll have to earn our business back.

HSToday: Is there any particular lesson you would want to share with other government contractors?

Dalton: I think there has to be a balance of growth and risk management, having had some time to reflect on this on nights I couldn’t sleep. Then being able to understand cyber risk enough to protect appropriately certainly makes sense. You also question things like insurance, are we properly insured?

Everybody has their own makeup of what the risks would be. But managing that and having people that are concentrating on that is important as a business grows. Perceptics is not a new company. We started in the late 1970s. Our current ownership group bought it from Northrop Grumman in 2006. So it was part of a very large IT contractor at the time. So it had 2006-era big company processes, and yet we still missed the mark on cyber.

HSToday: That’s a very good point. Because other companies don’t have that background and support.

Dalton: I’d also offer, compared to most companies within the 20 million revenue area with 50 or so employees, we’re a particularly professional company. I’m an industrial product guy but I came out of private equity. We’ve got a professional management team. We’ve got a professional board of directors that performs governance. We’ve got professional banking relationships. We’re not like a company that’s lost in the weeds in Tennessee and doesn’t understand about any of this risk. We should have known better and I didn’t.

HSToday: Do you think after all of this that it’s even possible to be cyber secure?

Dalton: I don’t think it’s ever possible to prevent attacks, so I think you need to focus on resiliency – making it as hard as reasonably possible for someone to get in, minimizing the amount of time it takes you to detect and contain the intrusion, and having capabilities in place that allow you to continue operations notwithstanding the intrusion. The challenge of it is you can spend infinite amounts of money trying to get there. So, to what degree do we need to be cyber secure? I suspect that the government will get more precise about what they mean about cyber secure. I suspect that larger prime contractors will get more precise about what they mean about cyber secure. I know that Perceptics will get more precise about what we mean, but anything is penetrable. If Equifax can get penetrated, then Perceptics doesn’t really have much of a chance of preventing an attack. Not really.

You have to do that right set of things. However, I don’t think that there’s much clarity on what those right sets of things are. It’s easy to say “be cyber secure,” but even the experts can’t agree on what that actually means for a small equipment manufacturer in Tennessee. I mean, if I lined up 10 cyber experts, I guarantee you we will get a different set of answers on what they would prescribe as a reasonable set of cost-effective measures to be cyber secure. There is no shortage of frameworks out there: NIST 800-53, NIST 800-171, the NIST Cybersecurity Framework. They can be difficult to interpret, but we’re trying to do the right things that will make a difference.

What you have with Perceptics is 50 people that will literally wait for CBP’s call to jump, because they were two-thirds of our revenue. Our people were completely dedicated to the mission. I had a CBP commissioner tell me one time that our purpose was to get the data to the right people, but also to the right place, so that the border officers will not get killed, because he was tired of going to funerals. If we could help him avoid a few funerals because we did a good job identifying the vehicle, that was worth a lot to him. We tell that story as a part of our company lore. We are all about the mission and the CBP mission. The pride that all those people take, even the half on furlough [now terminated], on supporting that mission is extreme. It’s about keeping the border officers alive and getting legitimate trade and travel through quicker.

HSToday: What do you think the government could do that would have helped you avoid the breach? Or is there something you would advise the government to ensure that this situation can’t happen in the future?

Dalton: As it pertains to cyber, we need them to be specific about what they need. At this point, I don’t see strong evidence that that’s really known very widely in the government or in the community of prime contractors that we work with or in the subcontractors in my peer group. So being specific on what cybersecurity capabilities are needed is important. Of course, the bad actors are also finding workarounds to everything you put in place. So if you give a 20 Critical Security Controls list of things you’ve got to do, that list has to change over time as threat evolves. So it is a very complex environment. But I don’t think you can use that as an excuse to leave it to small businesses to figure out. There’s got to be a way to avoid the small companies doing research about what’s the right thing to do because we don’t know.

HSToday: What were the terms on which Perceptics was suspended?

Dalton: This came up in our meeting with the CBP suspension office, which included the Office of Information Technology and other folks. They did not suspend Perceptics because we were breached. They suspended Perceptics because of the perception that we had data that we were not supposed to have.

We believe and I would strongly assert that we are completely within our contractual boundaries to have the images they referred to in order to perform image analysis as part of our normal engineering process for those certain images. That’s why we have the data that we have. The majority of our data – over 99 percent of our data – flows through a normal, standard operating process to get deleted in the right timeframe. We have a project in particular, traveler imaging, that was within that timeframe. At the time of the attack we were still doing work on those images, which included finding a quality image of the face (a “face patch”) for our prime contractor Unisys or the government to determine what they need to do to benefit homeland security. So, we needed the data we collected in order to execute our engineering scope and provide them with what they were asking for. That doesn’t seem to have been recognized.

We’ve been gathering data (and removing data when no longer needed) across 12 years. But the data that was gathered in the recent trial, which has been quoted widely in the press, is considered different. I don’t think there’s any difference except for the politics.

HSToday: What could CBP, Unisys and Perceptics have done better?

Dalton: I think it would help all of us if there was good communication along the process. Not only for the Perceptics instance, at least, not an immediate cancellation, investigation and suspension.

Not because I don’t think they should have. It’s perfectly within the government’s rights to cancel, suspend, and investigate. I’m not denying that in any sense. But I think everybody would have benefited from some sitting around the table and realizing that some of this is a common problem and that we should address it as a common problem.

HSToday: What has been your main takeaway from the attack and the aftermath?

Dalton: I think it’s easy to think about risk management and not get it done very well. Frankly, I think it’s easy to hire consultants that have their own view of risk and that may or may not be the real risk. You really have to put a lot of time and effort from all levels of your organization into this but recognize it still won’t be 100 percent.

To use a manufacturing example, you could spend so much money on safety that you can’t sell your product. If you had the people in the manufacturing plants in suits of armor, then they probably wouldn’t get their fingers dinged or their heads hit on anything, but you couldn’t build any product either. So how to manage cyber risk is a balance, and I don’t think anybody really has the answer yet. It’s hard.


Kristina Tanasichuk
From terrorism to the homeland security business enterprise, for over 20 years Kristina Tanasichuk has devoted her career to educating and informing the homeland community to build avenues for collaboration, information sharing, and resilience. She has worked in homeland security since 2002 and has founded and grown some of the most renowned organizations in the field. Prior to homeland she worked on critical infrastructure for Congress and for municipal governments in the energy sector and public works. She has 25 years of lobbying and advocacy experience on Capitol Hill on behalf of non-profit associations, government clients, and coalitions. In 2011, she founded the Government & Services Technology Coalition, a non-profit member organization devoted to the missions of the U.S. Department of Homeland Security and all the homeland disciplines. GTSC focuses on developing and nurturing innovative small and mid-sized companies (up to $1 billion) working with the Federal government. GTSC’s mission is to increase collaboration, information exchange, and constructive problem solving around the most challenging homeland security issues facing the nation. She acquired Homeland Security Today (www.HSToday.us) in 2017 and has since grown readership to over one million hits per month and launched and expanded a webinar program to law enforcement across the US, Canada, and international partners. Tanasichuk is also the president and founder of Women in Homeland Security, a professional development organization for women in the field of homeland security. As a first generation Ukrainian, she was thrilled to join the Advisory Board of LABUkraine in 2017. The non-profit initiative builds computer labs for orphanages in Ukraine and in 2018 built the first computer lab near Lviv, Ukraine. At the start of Russia’s invasion of Ukraine, she worked with the organization to pivot and raise money for Ukrainian troop and civilian needs.
She made several trips to Krakow, Poland to bring vital supplies like tourniquets and water filters to the front lines, and has since continued fundraising and purchasing drones, communications equipment, and vehicles for the war effort. Most recently she was named as the Lead Advisor to the First US-Ukraine Freedom Summit, a three-day conference and fundraiser to support the rehabilitation and reintegration of Ukrainian war veterans through sports and connection with U.S. veterans. She served as President and Executive Vice President on the Board of Directors for the InfraGard Nations Capital chapter, a public private partnership with the FBI to protect America’s critical infrastructure for over 8 years. Additionally, she served on the U.S. Coast Guard Board of Mutual Assistance and as a trustee for the U.S. Coast Guard Enlisted Memorial Foundation. She graduated from the Drug Enforcement Agency’s and the Federal Bureau of Investigation’s Citizens’ Academies, in addition to the Marine Corps Executive Forum. Prior to founding the Government Technology & Services Coalition she was Vice President of the Homeland Security & Defense Business Council (HSDBC), an organization for the largest corporations in the Federal homeland security market. She was responsible for thought leadership and programs, strategic partnerships, internal and external communications, marketing and public affairs. She managed the Council’s Executive Brief Series and strategic alliances, as well as the organization’s Thought Leadership Committee and Board of Advisors. Prior to this, she also founded and served for two years as executive director of the American Security Challenge, an event that awarded monetary and contractual awards in excess of $3.5 million to emerging security technology firms. 
She was also the event director for the largest homeland security conference and exposition in the country where she created and managed three Boards of Advisors representing physical and IT security, first responders, Federal, State and local law enforcement, and public health. She crafted the conference curriculum, evolved their government relations strategy, established all of the strategic partnerships, and managed communications and media relations. Tanasichuk began her career in homeland security shortly after September 11, 2001 while at the American Public Works Association. Her responsibilities built on her deep understanding of critical infrastructure issues and included homeland security and emergency management issues before Congress and the Administration on first responder issues, water, transportation, utility and public building security. Prior to that she worked on electric utility deregulation and domestic energy issues representing municipal governments and as professional staff for the Chairman of the U.S. House Committee on Energy & Commerce. Tanasichuk has also worked at the American Enterprise Institute, several Washington, D.C. associations representing both the public and private sectors, and the White House under President George H.W. Bush. Tanasichuk also speaks extensively representing small and mid-sized companies and discussing innovation and work in the Federal market at the IEEE Homeland Security Conference, AFCEA’s Homeland Security Conference and Homeland Security Course, ProCM.org, and the Security Industry Association’s ISC East and ACT-IAC small business committee. She has also been featured in CEO Magazine and in MorganFranklin’s www.VoicesonValue.com campaign. She is a graduate of St. Olaf College and earned her Master’s in Public Administration from George Mason University. 
She was honored by the mid-Atlantic INLETS Law Enforcement Training Board with the “Above and Beyond” award in both 2019 – for her support to the homeland security and first responder community for furthering public private partnerships, creating information sharing outlets, and facilitating platforms for strengthening communities – and 2024 – for her work supporting Ukraine in their defense against the Russian invasion. In 2016 she was selected as AFCEA International’s Industry Small Business Person of the Year, in 2015 received the U.S. Treasury, Office of Small Disadvantaged Business Utilization Excellence in Partnership award for “Moving Treasury’s Small Business Program Forward,” as a National Association of Woman Owned Businesses Distinguished Woman of the Year Finalist, nominated for “Friend of the Entrepreneur” by the Northern Virginia Technology Council, Military Spouse of the Year by the U.S. Coast Guard in 2011, and for a Heroines of Washington DC award in 2014. She is fluent in Ukrainian.
