Where Cybersecurity Meets Legal

McLaughlin — cyber attorney, former Senior Counterintelligence Adviser at U.S. Cyber Command, and “Battlefield Cyber” co-author — frames CMMC as a needed floor in a much bigger fight, then lays out the legal and practical traps.

  • Cyber war is “death by a thousand cuts” — IP theft, ransomware, North Korean IT-worker infiltration — not one big strike. No one’s coming to save you; defend yourself.
  • Compliance is security. CMMC won’t stop a nation-state, but it’s a needed baseline — doing nothing isn’t an option.
  • It’s a floor, not a ceiling. Doesn’t cover HR/insider vetting, OT, quantum, or AI. But MFA alone kills the ~90% of attacks from stolen credentials.
  • The bottleneck is bigger than C3PAOs — ~100 assessors vs. 300,000 DIB companies by 2028, plus a hidden jam at MSP onboarding, and MSPs have no certification standard.
  • Legal risk is real: lacking a valid certification can trigger a GAO bid protest or False Claims Act exposure, and publicly visible details such as your DNS records can be what exposes you.

Sit down with Daniel Akridge, CMMC CCP, Summit 7, while he talks with Michael McLaughlin, Shareholder | Co-Lead, Cybersecurity and Data Privacy | Cyber Policy Advisor | Co-Author, Battlefield Cyber: How China and Russia are Undermining our Democracy and National Security
Transcript

Daniel: …the CMMC show. Today we have a longtime friend, Michael McLaughlin — legal lawyer extraordinaire when it comes to cybersecurity and compliance. He’s got so many fun stories to share and just incredible life experience. Just got promoted — congratulations, by the way. I won’t steal all your thunder; I’ll go ahead and cue it over to you. So, Michael, tell the crew a little bit about yourself.

Michael: I appreciate that. My name is Mike McLaughlin. I’m the co-lead of the cybersecurity and data privacy practice group at the law firm of Buchanan Ingersoll & Rooney, and, as Daniel just said, I was recently promoted to shareholder — I’m excited about that. I assist clients in a whole array of things dealing with cybersecurity, data privacy, artificial intelligence, and government contracting. My foray into government contracting started many years ago. I did about 15 years in the Navy as a counterintelligence officer — six of which I was senior counterintelligence adviser for U.S. Cyber Command — and worked really closely with a lot of government contractors as well as federal agencies, dealing with threats from China, Russia, North Korea, Iran, and then non-state actors, ransomware groups, and others. So I really cut my teeth on the cybersecurity side working for the government, and now I assist clients doing the same thing.

Daniel: That’s awesome. And what’s so interesting is that you know so much — you actually wrote a book that I read. I don’t read a ton of books, but I read “Battlefield Cyber,” and it’s a modern-day wake-up call for people not taking cybersecurity seriously. Like the example you gave about somebody 10 layers deep in the supply chain compromising one core component, and then a missile potentially unable to fire. You start going through these narratives. So if you have a few moments, share a little about your book, and then maybe some more modern stories about what you’re seeing out there.

Michael: Yeah, absolutely. The book itself was very much a labor of love. When I was getting out of active duty, I was seeing very clearly that a lot of people in the private sector didn’t view cybersecurity and cyber operations the same way we did in the military. In the military, we viewed it as a standalone domain, the same way air, land, and sea are domains of warfare. In the private sector, it had been relegated just to the IT personnel, as opposed to being a primary focus of business concern, the way it should be — and it was not being invested in properly. To me, that was a direct result of executives and people generally not understanding the overall battle space, getting so focused on the trees that they miss the forest around them, and missing the geopolitical drivers — what cyber operations are, what cybersecurity is, how it’s something occurring in China and Russia and directly impacting our national security, even in companies or universities that may not realize it.

So the book drew on my experience within Cyber Command and as a counterintelligence officer, taking that mindset and working really closely with my co-author, Bill Holstein — a fantastic journalist who’s been covering China and the rise of China for decades. We combined to put forth a book that discussed the threats in a way we thought would be palatable for executives and everyday Americans. We started with the idea that the definition of cyber warfare was wholly inadequate. As an attorney, I love my words, I love my definitions, I fall back on semantics — but it’s important. If we look at the traditional definitions of cyber warfare, they generally deal with nation-states attacking other nation-states and their government assets, or potentially their critical infrastructure. But the way our adversaries wage cyber warfare isn’t the same way we wage kinetic warfare. If we’re waiting for the equivalent of a missile strike from Russia to occur in cyberspace, or a missile strike from China to take out our entire electric grid, we’re going to be waiting a very long time, because that’s simply not how they do it.

Our adversaries are using cyber operations in cyberspace more broadly to undermine our political system, to steal intellectual property, to advance their capabilities, to make us question the things we’re doing, or to divide us. That’s how they wage cyber warfare. It’s more like death by a thousand cuts than a Pearl Harbor or a 9/11 event. So the point of the book was to detail the full spectrum of cyber warfare. It’s everything from what you’d expect to be a traditional kinetic strike or a lights-out event in downtown Manhattan, but it’s also things like intellectual property theft and stealing from the defense innovation base or the defense industrial base. It’s ransomware, and leveraging criminal groups as proxies to destabilize us. It’s corporate espionage and stealing IP through malicious insiders. It’s utilizing North Korean IT workers who fake being regular IT workers from the U.S. and infiltrate Fortune 500 companies. All of these aspects — while we look at them as individual criminal activity or otherwise — our adversaries look at as just another cog in their machine, along that spectrum of warfare.

Our executives, our private sector, really needs to prepare itself, because U.S. Cyber Command is not going to come swooping in with a SWAT team. Neither is the FBI. And again, if you’re waiting for that, you’re going to be waiting a very long time. Companies and universities need to prepare themselves for a full onslaught by nation-state adversaries.

Daniel: Man, that’s a pill to swallow — but you’re not wrong. We see it in our space all the time. People come to us after the fact: “Hey, we had kind of cybersecurity, but then North Korea or China or Iran deployed ransomware, and now they took information the defense industrial base really wants to keep controlled and protected. What do we do?” Which is why CMMC is becoming such a big deal — as one of the U.S.’s firmest stances on cybersecurity regulation, saying, “No, you really have to do this, because we really need to protect that data.” So on your side, I’m curious, Michael — have you seen any more practical, frontline examples in the work you’ve done over the years?

Michael: I’ve seen innumerable. And ultimately, I want to clear something up, because a lot of people come to me and, when we talk about CMMC, say, “Well, it’s not going to stop China. If China wants to get in your network, they’re going to get in your network.” They’re a nation-state with unlimited resources and incredible cyber actors developing software and exploits. And while all that’s true — if you’re targeted by China, or really any nation-state, there’s very little you can do, because you’re limited in resources as a company going up against a nation-state that is designed to do this. But that’s not what CMMC is for. CMMC is more of a “rising tide lifts all ships” mentality. We can’t just do nothing, so we have to have a baseline. When people argue “compliance is not security,” I would disagree. Compliance is absolutely security, because if you’re not complying with a specific framework, you are inherently going to be insecure — and that’s essentially what CMMC is. I don’t want to throw the baby out with the bathwater. It’s not a panacea, but it’s certainly better than doing nothing. CMMC is going to increase security broadly, and that’s something defense-industrial-base companies really need to embrace, because their industry supports national security.

You’re not supporting a library down the street — you’re developing innovations to advance our warfighting capabilities. We should want to secure those against our adversaries. So, off my soap box — some of the things…

Daniel: Can I add a little color to that? Here’s another reason. We have people come in our door and say, “We’re protecting our security.” I’m like, “Oh, fantastic — how are you doing it?” And it’s, “We’re locking our server in the attic.” That’s a real story. To your point, compliance doesn’t always equal security, but you have to have a standard playbook that people can adopt, or else people end up doing nothing, and it becomes very problematic. So I have a soap box for that too — Jacob Horn has the biggest soap box of anyone I know. But back to you, and some stories from the front.

Michael: Yeah. Some of the things we’re seeing are non-traditional. CMMC, in reality, goes all the way back to EO 13556 — “this is what CUI is” — and then the implementation of NIST SP 800-171, the DFARS 7012 clause, the GAO report that said this is wholly insufficient because everybody’s lying about their attestation, and then finally CMMC as a result — kind of a knee-jerk reaction to failure on the part of the DIB to actually secure these covered defense networks. What we’re starting to see, as people implement these things and go through the various controls — multifactor authentication is the easiest one to point to, because credentials are by and large the easiest way for threat actors to get into an environment. You’re reusing passwords; it gets hit on another, totally unrelated breach, and that email address and password are then connected and used to access another network. We see it time and time again. If you have multifactor authentication in place, that takes out that entire threat stream. Now, that’s not going to prevent spear phishing, a man-in-the-middle attack, SIM swapping, or anything else, but at the very least you’re stopping that front end. I’ll throw a percentage out there: I think 90% of attacks truly come from simple, stolen, or leaked credentials. So if you can take away that vector, that’s huge in securing our defense supply chain.

But now we’re also seeing other things come into play — things that may not actually be covered by CMMC, quite frankly, and that we need to take a look at. DPRK, right? The IT workers masquerading as U.S. persons, applying for jobs with doctored resumes and fake LinkedIn accounts, getting on video with deepfakes, or having somebody else get on video on their behalf with a fake ID. They gain access to these systems as super users. They’ll get sysadmin credentials, and it’s not until you see they’ve turned off the EDR on their devices, or their devices are pinging from an IP address somewhere they shouldn’t be, that you actually start paying attention. Well, it shouldn’t get to the point where you’re seeing an IP address ping from the wrong place, or getting a notification that EDR has been turned off on a new employee’s device. HR should be involved in the process, but in a lot of cases HR is a third party outsourced to help with recruiting. How many CISOs, how many executives, are actually involved in vetting that HR company from a security perspective — thinking, “Are we going to be giving access to North Koreans by using this HR company?” None of that’s really covered by CMMC.

So when we say CMMC is a baseline, it’s absolutely a baseline for compliance for a specific purpose. We really need to be looking at cybersecurity from a holistic perspective. And that’s not even getting into “harvest now, decrypt later” issues — when we talk about quantum — or the threats from AI that we’re starting to see more and more from threat actors. Just simple things where we need a more holistic look at cybersecurity. But CMMC is absolutely that baseline.

Daniel: Man. It’s crazy to see CMMC is now “old” in the sense of protecting against modern attacks. In a lot of ways it’s still something good to build off of, but a lot of people are like, “Ah, it’s not enough.” And you’re right — it’s not enough. You have to do more, and it expands outside just IT environments. HR is a big piece. Operational security, manufacturing and OT — cyber doesn’t really have a lot of domain there. You start looking at critical infrastructure and it becomes problematic. But to get someone to do something — I’ve found out over all these years — DFARS 7012 didn’t do it. No one actually implemented the controls of NIST 800-171, because no one else did it and the DoD didn’t really check the math. SPRS scores — I’ve known organizations that won contracts with a negative 203, which is the lowest you can go. If the DoD really cared, they’d have stepped this up sooner. Until CMMC was live — and now it is; November 10th of last year we started the phased rollout.

So, question over to you on a couple of fronts, Michael: for people who aren’t doing the right thing but are being forced to do something — which is really where a lot of people are — what organizational risks should they be aware of when it comes to CMMC, or better yet, legacy DFARS 7012 and the False Claims Act? Any insight on that side?

Michael: Yeah, that’s a very loaded question, so we’ll try to unpack it piece by piece. First and foremost, the things people should be aware of with CMMC — for a government contractor, that’s the law of the land now. If you operate a covered defense system, if you’re handling CUI, you have to be in compliance. Understand what CMMC level you’re at. It’s either Level 1, where you’re just dealing with federal contract information, or Level 2, where you’re actually dealing with CUI. If you’re in Level 3, you know it, because the type of data you’re handling is so sensitive that the government’s coming in saying, “We’re going to do the attestation ourselves — we’re not even going to leave it to a C3PAO.”

The point is that companies — especially DIB companies — are coming to the realization that burying your head in the sand is just not a solution. So now we get to the challenge of a bottleneck. There are only — I think about a hundred, and I could be wrong about that number, but somewhere in that ballpark — C3PAOs that have actually been certified. But for 300,000 DIB companies that need to be certified by 2028, the numbers just don’t add up. We’re going to have a significant problem. Those companies that have been waiting and waiting to get compliant and certified are going to run into a real issue. And then it’s going to be: how do we ensure we’re still achieving the same innovation, still attracting the same good small businesses that should be involved in the DIB, and making sure they’re also compliant from a cybersecurity perspective? Ultimately, the answer is going to be managed service providers, because companies themselves are not going to be able to do it. We need MSPs that are already certified, who can move the ball forward — and basically you get a check in the box because you’re using a certified MSP versus one that’s not.

And here’s where I’ll get on my soap box again. The challenge, Dan, is that if you and I wanted to go out and start an MSP today, we could — we could hang out our shingle and be “Mike and Daniel’s MSP.”

Daniel: That’s right.

Michael: And that would be that. We could go offer services, and no one would be able to tell the difference between you and me and a very high-end MSP that’s extremely expensive but very efficient and very good at what they do — because there’s no certification process. There’s no Underwriters Laboratories putting their stamp of approval on an MSP. There’s no American Bar Association saying you’re a certified MSP. So, you know, Billy the IT guy from down the street is just as good as Microsoft in the eyes of any certifying authority, because it just doesn’t exist. That’s a problem. Being able to vet MSPs that can do this is important on one hand, but also vetting those that can actually get you CMMC certified — because if you’re just starting right now, you are way behind the eight-ball, and realistically, being in compliance by 2028 with the number of C3PAOs we have right now is going to be pretty tough, if not impossible.

Daniel: So that’s the tricky part. The DoD, in 32 CFR, said, “We’re going to revise this a little bit — we think 118,000 companies have to be certified for Level 2.” Okay, take that number against 100 or so C3PAOs. Big bottleneck problem — or so we thought. When this started happening, the interesting part is that it’s a bottleneck, but in a place people don’t assume — and it’s to your second point. C3PAOs are continuing to suspend assessments because companies couldn’t provide the SSP — and that’s kind of step one of the actual assessment. We’re seeing the bottleneck actually happen with the managed service providers being able to onboard people into a compliant state before their certification. What’s crazy is there’s that bottleneck, but then ultimately there’s also the C3PAOs you have to schedule — those are scheduled months out in a lot of cases. Sometimes, once in a blue moon, a random assessment date becomes available if you’re ready, but those are being scheduled multiple months out. A lot of people think, “Oh, I can just go” — this is a real story — somebody delivered a 20-slide PowerPoint deck and said, “This is my SSP,” to an assessor. And they had to be told, “No, that’s actually not — you need to go find help.” Well, help’s three or four months away from you even getting started, and then I have to come back in line to get certified. So again, to your point, there are multiple bottlenecks here, and I think a lot of people are overlooking the complexity of CMMC audits versus ISO or other frameworks.

Michael: And all the while, you’ve got the business and operational side of the house trying to live through the “valley of death,” especially for small businesses just starting to do business with the federal government. If you can survive that valley of death, good on you — but now you’re fighting a battle on multiple fronts, also trying to get into compliance with CMMC and address this bottleneck. And let’s say, for the sake of argument, you win the contract but you were unsuccessful in CMMC certification. Now your contract is subject to a protest. Because if I’m representing a company that competed against you and didn’t get the contract, and I get wind that you’re not CMMC certified, the first thing I’m doing is going to the GAO and filing a protest immediately.

Daniel: It’s funny — I was talking with somebody the other day and they’re like, “How would you actually do that?” I sat back and thought, “How would I find out?” The easiest way is to look up their DNS records and see if they’re still pointed to non-fed clouds. Then you have an idea: okay, they’d potentially be in a non-compliant environment, because email is typically in scope, and then I can go protest. It only takes a little publicly available information to potentially protest someone who’s self-attesting to a perfect 110 CMMC Level 2 score when, in reality, they’re not actually meeting the full requirements. Becomes very problematic.

Well, hey Michael, this has been fantastic. I always love to leave guests with one last thing — closing remarks. Any bits of wisdom, your favorite food, best restaurants, whatever you want it to be. The floor is yours, my friend.

Michael: I’m going to try to be a little philosophical. So, my favorite color is red. And favorite restaurant — I love ethnic food. There’s a little place on 9th Street in DC that has the best Ethiopian, right by the convention center. Fantastic. Called Family Ethiopian, in case you’re wondering.

What I’m going to leave you guys with: when we’re talking about CMMC — and this part always shapes me a little when we have government contractors complaining about CMMC, and I understand the challenge — what you have to understand is that when you get into the defense industrial base, you’re essentially in a walled garden. You have unlimited opportunity to do business with an organization with what will soon be a $1.5 trillion budget. That is an incredible opportunity for any contractor. That aside, when you’re dealing with the federal government, particularly the Department of War, your business is national security. You should be focusing on delivering capabilities and tools to warfighters so they can have an edge against our adversaries — or, at the very least, so that the tool, the capability, the equipment functions as it’s supposed to when they’re in a firefight. If that’s not the mindset of a defense contractor, you should not be in the defense industrial base. CMMC plays a critical role in ensuring we’re delivering capabilities with the lethality we want, that are defensible, to our warfighters. That’s the mindset we need to have.

Daniel: Man, what a closing remark — and you’re not wrong. How many defense contractors have integrity and mission and all of that in their mantra, in their mission statement? This applies to all aspects — this is how you run your organization, from a cyber perspective all the way to the materials and equipment you’re delivering to the warfighter. We need to make sure that stream continues from the back office all the way through to the front lines. So, man, what incredible closing remarks, Michael. Thank you so much for your time. Hopefully we’ll have you back to maybe review your second book — “Battlefield Cyber 2: The Reckoning,” right? I’m just throwing out names for you; you don’t have to take any of them, but I really do appreciate your time.

Michael: I’ll know where to send the royalty checks, then. Don’t worry, Daniel.

Daniel: There you go — that’s what I’m talking about.

Michael: Absolutely.

Daniel: Thanks for watching, everybody, and stay tuned for the next one.
