
Matthew B. Welling is a partner in Crowell & Moring's Washington, D.C. office, where he practices in the firm's Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

A new Cybersecurity & Infrastructure Security Agency (CISA) alert advises that, starting in late May, a well-known ransomware group called Clop compromised a widely used managed file transfer (MFT) platform called MOVEit Transfer, reportedly impacting hundreds of companies globally. 

MFT platforms are used to securely transfer files between parties, and Clop reportedly compromised MOVEit Transfer using a previously unknown (zero-day) vulnerability that allowed attackers to steal files from MOVEit’s underlying database. This vulnerability is now tracked as CVE-2023-34362.

Clop has previously targeted MFT platforms such as Accellion and has shown that it is prepared to follow through on threatened next steps.  In this case, Clop is threatening to identify victim companies on the Clop site as soon as June 14 and then, if a ransom is not paid, publish victims’ stolen data.  In prior attacks, Clop has also reportedly contacted victim companies directly with ransom demands, sometimes weeks or more after the attack.  We do not recommend that victims contact threat actors like Clop directly but instead work with experts to do so safely, if necessary.

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”

Summary and Analysis

The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security and improve critical infrastructure defenses.  It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes to receiving support from the federal government. For example, the Strategy highlights improving the security of Internet of Things (IoT) devices and expanding IoT cybersecurity labels. Investing in quantum-resisting systems, developing a stronger cyber workforce, evolving privacy-enhancing platforms, and adopting security practices that are aligned with the National Institute of Standards and Technology (NIST) framework are some other suggested approaches that the private sector could take.

In this episode, hosts Kate Growley and Evan Wolff talk with Matthew Welling about all things ransomware, including how to prepare for and respond to these kinds of incidents.  Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces.


As businesses continue to grapple with and progress through the challenges presented by the COVID-19 crisis, it is not too early to focus beyond the horizon on what the privacy and cybersecurity landscape might look like when the crisis finally passes. Crowell & Moring’s Privacy and Cybersecurity Group seeks to identify likely issues and new

As the COVID-19 pandemic continues and there is mounting pressure to ease business and social restrictions, governments, non-profits, and private corporations are all increasingly focused on solutions that would not only track and trace the movements of individuals to determine exposure to the virus and compliance with stay-at-home orders, but also potentially signal the person’s

Federal agencies (and their government contractors) are about to embark on a second generation of sustainability upgrades to federal government facilities, procurement and operations.  On March 19, 2015, President Obama released an executive order titled “Planning for Federal Sustainability in the Next Decade” (“EO”).  The EO establishes next generation greenhouse gas (GHG) reduction and sustainability targets and mandates that agencies develop plans to deploy clean energy and resource efficiency measures to improve resilience and environmental performance throughout their supply chains.  The EO mandates the establishment of a new Chief Sustainability Officer for each agency charged with overseeing implementation and compliance with EO.  The 7 largest federal procuring agencies will also be required to submit a plan to implement at least five new procurements each year that will include requirements considering government contractor GHG profiles and management practices.

Climate Risk Management.  Within 90 days of the EO (approximately June 16th), the head of each federal agency must propose agency-wide, 2025 GHG emission reduction plans for scope 1 (direct greenhouse gas emissions from sources owned or controlled by the agency), scope 2 (direct greenhouse gas emissions resulting from the generation of electricity, heat, or steam purchased by the agency) and scope 3 (greenhouse gas emissions from sources not owned by the agency but related to agency activities, including vendor supply chains).  The targets will not include emissions from certain vehicles and equipment, and electric energy generation produced and sold commercially to other parties as the primary business of the agency.

On October 17, 2014, the U.S. Defense Logistics Agency (DLA) issued a solicitation for the construction and operation of large-scale solar and wind projects at the Fort Hood military base. Fort Hood is the largest active military duty post in the U.S., located approximately 60 miles north of Austin, Texas.

The RFP, which is the