While the CrowdStrike outage was accidental, procurement officials should also do the same for the possibility of being shut down by a cyber attack. Essentially, the goal is to consider the procurement tools that are available to reduce the impact of unplanned outages. Procurement officials, CISOs, technology staff and the other agencies using the IT should all be part of that evaluation, said Dugan Petty*, former president of both the National Association of State Procurement Officials and the National Association of State Chief Information Officers.
State governments typically are locked into software vendors contracts for 12 to 36 months, Petty said, and states cannot immediately rewrite these agreements. But they can start thinking how they want the next ones to look by identifying current weaknesses.
In the short term, governments should see if they have any high-priority or essential services underpinned by vendors that would go down during a disruption. Governments need to consider viable backup options for maintaining those services, like reverting to paper-based methods. And knowledge of these risks should inform what requirements they set in new contracts, Petty said.
With future contracts, states need to ask what vendors will do to shield them from the impact of vulnerabilities affecting the vendors. New contracts could require that providers meet certain minimum cybersecurity requirements, such as StateRAMP certification. Or they could ask vendors to take more responsibility for IT disruptions, Petty said.
Where liability for third- or fourth-party outages falls isn’t always clear. For example, Delta Air Lines is seeking damages from Microsoft and CrowdStrike for losses the airline suffered when CrowdStrike’s faulty update happened. Meanwhile, Microsoft and CrowdStrike have said Delta’s own practices are why the airline was so badly affected.
Procurement officials could ask IT vendors to assume full liability for outages of their services, Petty said, but they may then struggle to attract bids. Vendors don’t want to be on the hook for potentially massive liabilities with unpredictable expenses — they want to understand the full costs associated with a contract before signing.
As such, procurement officials may be more successful if they lay out costs from the start, Petty said. Construction contracts commonly include liquidated damages, and IT contracts could benefit from the same. Under this, contracts would specify how much tech vendors would compensate agencies for service failures. The agencies would list estimated losses from a vendor’s service going down for a week or an hour, for example, and the vendor would commit to paying should such an event occur.
Still, vendors might charge more for contracts that make them liable for an agency's losses and recovery. So procurement officials may need to balance both budget and risk concerns.
Contracts with security-as-a-service vendors could also specify the kind of help the vendor will provide during an issue. These could detail how quickly vendors respond to scenarios as well as the types of support they’d provide. The agreement might give agencies the option to purchase extra support hours at a predetermined price. That way, the agency wouldn’t have to pay for unused hours but would have them available in times of need.
Agreements should also specify whether a vendor is expected to get cyber insurance to cover a portion of losses, or whether the agency would secure cyber insurance for a contract.
Along with considering losses, procurement efforts should consider resilience. In one approach, organizations could arrange for a backup IT provider, ready to help should something go wrong.
For example, the procurement team could select the two most competitive vendors on a bid and sign a primary contract with one while keeping the other as a backup. The secondary vendor might take a smaller portion of the work right away or be contracted to step in later on, if needed, Petty said.
Still, quickly shifting data from one vendor to another requires both to be compatible and ready to transition and “takes a fair amount of sophistication” from the agency.
“If you have a situation like this and you wanted to shift off, you can't take 18 months to do it,” Petty said. “They can't be rewriting a bunch of code or translating a different software or building a difficult interface. They have to be able to just pick it up and go with it.”
*Note: Dugan Petty is a senior fellow at the Center for Digital Government, which is part of e.Republic, Government Technology's parent company.