When Does a Cyberattack Investigation Go too Far?

In the aftermath of a cyberattack, investigations are essential to identify vulnerabilities, understand the attack’s scope, and develop strategies to prevent future incidents. However, there comes a point where an investigation may cross the line from thoroughness to overreach. This article explores the fine balance required in conducting cyberattack investigations and discusses when it might go too far, drawing from a real case of a county government.

The Necessity of Cyberattack Investigations

Cyberattacks can have devastating consequences for any organization, particularly in the public sector where sensitive data and critical infrastructure are involved. An effective investigation typically includes:

• Identifying the breach source: Understanding how the attackers gained access.
• Assessing the impact: Determining the extent of the damage, including data loss and operational disruptions.
• Developing remediation plans: Implementing measures to prevent future attacks.
• Holding responsible parties accountable: Ensuring that those who failed to follow protocols are identified and corrective actions are taken.

Real-World Example: A Local County Government Cyberattack

In September 2022, a county government experienced a cyberattack. A thorough forensic investigation was completed that identified the breach source and assessed the attack’s overall impact. This forensic investigation was used to identify the accountable parties, and ultimately was leveraged to implement remediation plans that minimize the potential of future attacks. Remediation efforts, including the hiring of a chief information security officer (CISO), were implemented prior to the end of the administration’s tenure on December 31, 2023.

However, nearly two years after the attack and more than six months after a new administration has taken office, a legislative committee, led by a highly paid outside law firm, continues to investigate the attack, questioning the results of a forensic investigation conducted by industry experts and calling witnesses who are no longer with the county.

Political Interference and Overreach

The ongoing investigation has become very politically motivated, leading to several issues:

• Extended Timelines: The legislative committee has prolonged the investigation well beyond the necessary timeframe, causing delays in implementing any security improvement recommendations.
• Invasive Practices: Former employees are being called to testify in public settings, requiring legal defense and creating a hostile environment.
• High Costs: The costs of the legal teams involved may surpass the expenses of the actual forensic investigation and remediation efforts, potentially diverting funds from implementing critical cybersecurity measures.

In one recent public hearing, the lead attorney for the legislative committee suggested that, in his opinion, the county would be attacked again, an alarming statement considering the legislative committee’s mission.

What was even more alarming was that not one member of the committee questioned why the CISO, hired as part of a remediation plan in 2023, was fired two weeks into the new administration’s term in 2024 and how this critical position would be filled. Instead, surprisingly, the committee had more questions about why the CISO wasn’t hired before the cyberattack. This situation clearly highlights how political motivations can overshadow the primary goal of enhancing cybersecurity.

Signs of Overreach in Cyberattack Investigations

While thoroughness is crucial, investigations can sometimes extend beyond reasonable limits, leading to negative outcomes. Signs of overreach include:

Political Agendas

• Partisan Investigations: Investigations driven by political motives rather than objective facts can lead to biased findings and undermine public trust.
• Resource Misallocation: Focusing on political retribution can divert resources from essential cybersecurity improvements, leaving the organization vulnerable to further attacks.

Extended Timelines

• Prolonged Uncertainty: Lengthy investigations can create an atmosphere of uncertainty and hinder the implementation of necessary security measures. The public and stakeholders need timely information to feel secure and confident in the organization’s ability to manage cyber threats.
• Delayed Remediation: The longer it takes to conclude an investigation, the longer the vulnerabilities remain unaddressed, increasing the risk of additional attacks.

Invasive Practices

• Employee Morale: Overly invasive investigation techniques, such as extensive surveillance or intrusive questioning, can damage employee morale and create a culture of fear. This can lead to decreased productivity and a lack of cooperation with an investigation.
• Privacy Concerns: Ensuring that the investigation respects the privacy and rights of individuals is crucial. Overstepping boundaries can lead to legal challenges and further reputational damage.

Balancing Thoroughness and Overreach

To strike the right balance, consider the following strategies:

Clear Objectives and Scope

• Define the investigation’s goals clearly from the outset. Focus on identifying the breach source, assessing impact, and developing actionable recommendations.
• Limit the scope to what is necessary to achieve these objectives, avoiding areas that do not contribute to understanding or mitigating the attack.

Independence and Impartiality

• Ensure the investigation is conducted by independent experts who can provide unbiased insights. Avoid involving parties with potential conflicts of interest.
• Consider forming a non-partisan oversight committee to monitor the investigation’s progress and ensure objectivity.

Timely and Transparent Communication

• Provide regular updates to stakeholders and the public, outlining the investigation’s progress and preliminary findings. Transparency builds trust and ensures accountability.
• Establish a clear timeline for the investigation, with milestones and expected completion dates to manage expectations.

Respect for Privacy and Rights

• Implement investigation protocols that respect individual privacy and legal rights. Avoid invasive practices that could lead to additional issues.
• Ensure that any data collected during the investigation is handled securely and used only for the intended purpose.

Conclusion

Conducting a cyberattack investigation requires a delicate balance between thoroughness and overreach. While it is essential to understand and address the vulnerabilities that led to the attack, it is equally important to avoid letting political agendas, extended timelines or invasive practices derail the process. By maintaining clear objectives, ensuring independence, communicating transparently and respecting privacy, organizations can conduct effective investigations that enhance their cybersecurity posture without overstepping reasonable limits.

Scott Mastellon, former Suffolk County (NY) CIO and current Managing Director of Public Sector at SVAM International Inc., is a distinguished technology leader with over two decades in the experience in government. Renowned for driving digital transformation and operational efficiency in the public sector, his strategic leadership was crucial during Suffolk County’s critical moments, notably amidst the COVID-19 crisis. Leveraging his rich experience as a government CIO, Scott now brings innovative technology solutions to public sector organizations at SVAM, focusing on cybersecurity, RPA and AI, and data modernization.

Image generated by OpenAI’s DALL·E