Kaseya, Maersk, and Microsoft: Do You Do Due Diligence?

I subscribe to the Consumer Protection Law360 newsletter. Although I can’t justify a subscription to the full content, the newsletters have interesting one-paragraph blurbs. Recently one such paragraph caught my eye and reads as follows:

Kaseya Ransomware Hit Casts Wide Net Of Potential Liability

A cyberattack on software vendor Kaseya that led to a widespread ransomware spree may also cast a wide net of liability, with regulators and potential plaintiffs likely to question whether Kaseya took reasonable steps to prevent the attack and if victims appropriately vetted their vendors.

The part about whether Kaseya took “reasonable steps” is called due diligence, and it’s calling your name. There has been a lot of talk about how, what, who, and oops, when it comes to Kaseya. It seems that “Supply Chain” is Kaseya’s middle name. But you don’t need another rehash of what’s been said; what you need to know is how to limit personal and corporate liability. Simply stated, “do due diligence”; especially you, Mr. IT manager.

Like Maersk, Kaseya fell victim to a ransomware attack, and due diligence was called into question. The answer from above was “what the hell is due diligence.” In all fairness, Equifax asked the same question. I really can’t say anything bad about Kaseya as long as marketing defines them as a prospect 😊

You are the Supply Chain!

If we’re going to talk about supply chain then let’s talk about internal supply chain before looking to external vendors. As I occasionally do, I’ll relate a story from my Microsoft days between 1997 and 2005. It’s all about my own due diligence and CYA.

I was responsible for ensuring that Microsoft didn’t release more infected products. After listing the required resources, I stated “Do what I say, and we’ll still be lucky if there isn’t an incident for five years. Antivirus can’t detect everything.” Antivirus was the only tool I had, other than my manager at that time (Did I say that out loud?). That’s CYA through setting expectations. It doesn’t replace due diligence though. I always maintained that my job wasn’t to prevent infected software from releasing, but rather to demonstrate I had gone above and beyond due diligence when it did happen. I assumed the breach well before it was a mantra taught in the annals of the Verizon Data Breach Investigations Reports.

Come about five and a half years later and one got by me. When management came a-knockin’ and asked me how this could happen, I pointed to an email I had sent stating the support I needed to prevent exactly what happened. However, my boss, like the managers at Equifax, Maersk, and Kaseya, failed to heed the warnings. Oh, come on all of you IT practitioners, stop shaking your heads in affirmation; you’re beginning to look like bobblehead dolls. Notifying management was not in and of itself due diligence; it was the steps I took to find the attack surface that needed to be closed. Unlike the others, Microsoft dodged a bullet; the malware was inert, as it would have taken great effort to extract and execute it.

If you’re the scapegoat at the bottom of the due diligence stack, you had better have asked for the resources you need, documented the requests and the reasons for the need, and executed your job above and beyond the minimum that may pass for due diligence. Only meeting bare minimum standards is why lawyers can afford to send their kids to prestigious universities. It’s hard to exceed due diligence, though, if your cybersecurity defense requirements are under-funded. That’s where IT staff get burned time and time again. The management supply chain was grossly negligent.

And so, we return to Kaseya. If management had only read the urgent email to them from George Santayana, they would have known that “Those who cannot remember the past are condemned to repeat it.” I know they got the email from dear George; Wikileaks leaked it.

There are numerous reports from current and former employees of Kaseya management failing to address severe security flaws, and actually being hostile to those who brought them up. In an interesting article, Julie Machal-Fulks of Scott and Scott LLP describes the hurdles in trying to sue Kaseya. It will be interesting to see how well the contractual provisions fare in court against irrefutable proof of seemingly deliberate gross negligence.

Should Kaseya’s binding arbitration agreement get shot down, it will be a wake-up call to other large companies. That was a joke. The alarms have been going off for years and few wake up until jarred from their sleep by reality. Equifax, Maersk, Kaseya, and countless other companies prove the point.

Due diligence is becoming more dangerous for a CEO to ignore. As reported by complianceandethics.org, legislation has been proposed that if enacted could result in jail time for CEOs who fail to do due diligence.

Cybercriminals are intelligent (with some exceptions), highly motivated, and often very well-funded. Breaches will happen. If Kaseya, and others, can demonstrate that they performed due diligence, they will be better able to limit the damage to that which was caused by cybercrime rather than pouring the salt of increased legal liability into an open wound.

As a public service to my IT brethren, here is how to ask for cybersecurity resources.

[Manager or other executive’s name],

I need budget for the following products/services/headcount to [goal to be accomplished] for the following reasons:

https://www.cbsnews.com/news/ransomware-attack-hackers-70-million-demand-1500-businesses/

https://www.reuters.com/article/us-cyber-attack-maersk-idUSKBN19I1NO

https://www.zdnet.com/article/maersk-forced-to-reinstall-4000-servers-45000-pcs-due-to-notpetya-attack/

https://www.cnn.com/2021/05/10/politics/colonial-ransomware-attack-explainer/index.html

https://time.com/6080293/norsk-hydro-ransomware-attack/

https://siliconangle.com/2021/07/19/law-firm-working-fortune-500-companies-struck-ransomware-attack/

https://techcrunch.com/2021/06/03/fujifilm-becomes-the-latest-victim-of-a-network-crippling-ransomware-attack/

https://www.cnbc.com/2021/06/02/ransomware-attack-hits-ferry-to-cape-cod-nantucket-marthas-vineyard.html

https://www.cnet.com/tech/services-and-software/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/

https://www.bleepingcomputer.com/news/security/comparis-customers-targeted-by-scammers-after-ransomware-attack/

https://www.hipaajournal.com/advocate-aurora-health-jefferson-health-and-intermountain-healthcare-affected-by-elekta-ransomware-attack/

https://www.msn.com/en-us/news/technology/healthcare-giant-uhs-hit-by-ransomware-attack-sources-say/ar-BB19vfj9

https://www.thetitlereport.com/Articles/Highly-sophisticated-ransomware-attack-sidelines-C-82772.aspx

https://www.cpomagazine.com/cyber-security/ransomware-attack-reported-at-insurance-giant-axa-one-week-after-it-changes-cyber-insurance-policies-in-france/

I also need these resources to keep [CEO’s name] out of jail:

Cyber Security Due Diligence: Will You be the One to Save Your Company & CEO from Disaster?

Yours truly scared [expletive deleted],

[Your name goes here]

Now, if you are a C-level executive you should have a quarterly reminder to ask your IT staff “What do we need to enhance our cybersecurity defenses?”

Be safe. Invest in security. After all, it’s how you give your customers the big ol’ cyber-hug they deserve.

Randy Abrams
Senior Scapegoat
SecureIQLab