A few days before a ransomware attack caused a major oil pipeline operator to shut down, a committee examined policy options for fighting ransomware.
Has ransomware pushed Section 230, antitrust, and supply chain hacks from the fore in Washington?
A major ransomware attack on Colonial Pipeline put United States (U.S.) energy supplies in doubt. The Biden Administration, industry stakeholders, and international partners have been increasingly focused on the growing use of this type of malware. The U.S. government has been searching for ways to help state and local governments and businesses fight back. At the same time, Congress is again turning its attention to ransomware with its solution being more funding for state and local governments to secure their systems, a proposition that would only tangentially help the private sector.
The timing was perfect. A few days before the biggest ransomware attack in recent memory, a committee hosted the co-chairs of an effort to map out a U.S. strategy on combatting ransomware. The hearing seemed to be riding a surge of activity in the Biden Administration and internationally. Policymakers here and abroad have woken up to the threat ransomware can pose, and the Colonial Pipeline attack may well clear the way for legislation.
Last week, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee held a hearing titled “Responding to Ransomware: Exploring Policy Solutions to a Cybersecurity Crisis.” The release of a major report on ransomware occasioned the hearing, and two of the co-chairs of the entity that drafted and released the report testified before the subcommittee.
However, a few days after the hearing, Colonial Pipeline revealed that ransomware had infected its systems and explained “[i]n response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.” The company has claimed its pipelines supply 45% of the gasoline, diesel, jet fuel, and other fuels used by the east coast of the U.S. According to reports, the ransomware seized business systems, and the company shut down its networks to avoid infection of the operational systems that control its pipelines.
At a 10 May press briefing at the White House, Deputy National Security Advisor Dr. Elizabeth Sherwood-Randall stated:
- On Friday evening, May 7th, Colonial Pipeline reported that its pipeline system had been subject to a ransomware cyberattack. Colonial chose to shut down its pipeline operations as a precautionary measure and to ensure that the ransomware could not migrate from business computer systems to those that control and operate the pipeline. We’ve been in ongoing contact with Colonial, and the President continues to be regularly briefed on the incident and our work.
- Colonial is currently working with its private cybersecurity consultants to assess potential damage and to determine when it is safe to bring the pipeline back online. Thus far, Colonial has told us that it has not suffered damage and can be brought back online relatively quickly, but that safety is a priority given that it has never before taken the entire pipeline down.
- Beginning on Friday night, soon after we learned of the shutdown, the White House convened an interagency team that included the Department of Energy, which is the lead agency for incident response in this case; the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — or “CISA”; the FBI; the Department of Transportation Pipeline Safety and Hazardous Materials Safety Administration; the Department of the Treasury; the Department of Defense; and other agencies.
- To give you a sense of what we’ve been doing together since that first meeting, we have met throughout the weekend. The Department of Energy’s Information — Energy Information Agency — or “EIA” — is in contact with state and local agencies to assess current supply and impacts due to the shutdown.
- DOE has also convened the oil and natural gas and electric sector utility partners to share details about the ransomware attack and discuss recommended measures to mitigate further incidents across the industry.
- DHS’s CISA is preparing a release to go to the broader critical infrastructure community to ensure it has visibility into the ransomware attack and it’s taking appropriate measures to protect its networks.
At the same briefing, Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger declined to say whether Colonial paid the ransom. She stated “Colonial is a private company, and we’ll defer information regarding their decision on paying a ransom to them.” Neuberger added:
that is a private-sector decision, and the administration has not offered further advice at this time. Given the rise in ransomware, that is one area we’re definitely looking at now to say, “What should be the government’s approach to ransomware actors and to ransoms overall?”
On 11 May, the Biden Administration detailed its “All-of-Government Effort to Address Colonial Pipeline Incident,” providing some insight into the entities involved in the response to the attack, much of which is focused on the U.S. fuel situation:
Established an interagency response group to monitor and address the situation as swiftly as possible and ensure a continuing flow of fuel to affected communities. In response to the Colonial Pipeline cyberattack, the White House has convened an interagency response group consisting of the Department of Justice (including the FBI), the Department of Homeland Security (DHS) including the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy (DOE), the Department of Defense (DOD), the Department of Transportation (DOT), the Department of the Treasury, the Federal Energy Regulatory Commission, the Environmental Protection Agency (EPA), and the White House Office of Management and Budget. The group regularly meets to assess the attack’s impacts on fuel supply and U.S. energy markets, and assess policy options. As part of the working group, and at the White House’s request, DOE’s Office of Cybersecurity, Energy Security, and Emergency Response and the U.S. Energy Information Administration have conducted thorough analysis of potential impacts of the shutdown and assessed various options for mitigating those effects, including moving supplies by trucks or marine vessels. DOE, the FBI, and other working group members are working directly with the pipeline operator to provide any assistance they need to safely restart operation.
As mentioned, the hearing was prompted, in part, by the Institute for Security & Technology’s (IST) Ransomware Task Force (RTF) report “Combating Ransomware: A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force.” The RTF consists of United States (U.S.) government agencies, industry groups, companies, and others. The RTF set the following goals and made the following recommendations:
GOAL #1: Deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy
- Objective 1.1: Signal that ransomware is an international diplomatic and enforcement priority
  - Action 1.1.1: Issue declarative policy through coordinated international diplomatic declarations that ransomware is an enforcement priority
  - Action 1.1.2: Establish an international coalition to combat ransomware criminals
  - Action 1.1.3: Create a global network of ransomware investigation hubs
  - Action 1.1.4: Convey the international priority of collective action on ransomware via sustained communications by national-leaders
- Objective 1.2: Advance a comprehensive, whole-of-U.S. government strategy for reducing ransomware attacks, led by the White House
  - Action 1.2.1: Establish an Interagency Working Group for ransomware
  - Action 1.2.2: Establish an operationally focused U.S. Government Joint Ransomware Task Force (JRTF) to collaborate with a private-sector Ransomware Threat Focus Hub
  - Action 1.2.3: Conduct a sustained, aggressive, public-private collaborative anti-ransomware campaign
  - Action 1.2.4: Make ransomware attacks an investigation and prosecution priority, and communicate this directive internally and to the public
  - Action 1.2.5: Raise the priority of ransomware within the U.S. Intelligence Community, and designate it as a national security threat
  - Action 1.2.6: Develop an international-version of an Intelligence Community Assessment (ICA) on ransomware actors to support international collaborative anti-ransomware campaigns
- Objective 1.3: Substantially reduce safe havens where ransomware actors currently operate with impunity
  - Action 1.3.1: Exert pressure on nations that are complicit or refuse to take action
  - Action 1.3.2: Incentivize cooperation and proactive action in resource-constrained countries

GOAL #2: Disrupt the ransomware business model and decrease criminal profits
- Objective 2.1: Disrupt the system that facilitates the payment of ransoms
  - Action 2.1.1: Develop new levers for voluntary sharing of cryptocurrency payment indicators
  - Action 2.1.2: Require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” to comply with existing laws
  - Action 2.1.3: Incentivize voluntary information sharing between cryptocurrency entities and law enforcement
  - Action 2.1.4: Centralize expertise in cryptocurrency seizure, and scale criminal seizure processes
  - Action 2.1.5: Improve civil recovery and asset forfeiture processes by kickstarting insurer subrogation
  - Action 2.1.6: Launch a public campaign tying ransomware tips to existing anti-money laundering whistleblower award programs
  - Action 2.1.7: Establish an insurance-sector consortium to share ransomware loss data and accelerate best practices around insurance underwriting and risk management
- Objective 2.2: Target the infrastructure used by ransomware criminals
  - Action 2.2.1: Leverage the global network of ransomware investigation hubs
  - Action 2.2.2: Clarify lawful defensive measures that private-sector actors can take when countering ransomware
- Objective 2.3: Disrupt the threat actors, including ransomware developers, criminal affiliates, and ransomware variants
  - Action 2.3.1: Increase government sharing of ransomware intelligence
  - Action 2.3.2: Create target decks of ransomware developers, criminal affiliates, and ransomware variants
  - Action 2.3.3: Apply strategies for combating organized crime syndicates to counter ransomware developers, criminal affiliates, and supporting payment distribution infrastructure

GOAL #3: Help organizations prepare for ransomware attacks
- Objective 3.1: Support organizations with developing practical operational capabilities
  - Action 3.1.1: Develop a clear, actionable framework for ransomware mitigation, response, and recovery
  - Action 3.1.2: Develop complementary materials to support widespread adoption of the Ransomware Framework
  - Action 3.1.3: Highlight available internet resources to decrease confusion and complexity
- Objective 3.2: Increase knowledge and prioritization among organizational leaders
  - Action 3.2.1: Develop business-level materials oriented toward organizational leaders
  - Action 3.2.2: Run nation-wide, government-backed awareness campaigns and tabletop exercises
- Objective 3.3: Update existing, or introduce new, cybersecurity regulations to address ransomware
  - Action 3.3.1: Update cyber hygiene regulations and standards
  - Action 3.3.2: Require local governments to adopt limited baseline security measures
  - Action 3.3.3: Require managed service providers to adopt and provide baseline security measures
- Objective 3.4: Financially incentivize adoption of ransomware mitigations
  - Action 3.4.1: Highlight ransomware as a priority in existing funding provisions
  - Action 3.4.2: Expand Homeland Security Preparedness grants to encompass cybersecurity threats
  - Action 3.4.3: Offer local governments, SLTTs, and critical NGOs conditional access to grant funding for compliance with the Ransomware Framework
  - Action 3.4.4: Alleviate fines for critical infrastructure entities that align with the Ransomware Framework
  - Action 3.4.5: Investigate tax breaks as an incentive for organizations to adopt secure IT services

At the public rollout of the report, United States Secretary of Homeland Security Alejandro Mayorkas said his agency would work with RTF to implement recommendations, but Mayorkas’ announcement was just the most recent U.S. government action on ransomware.
In early April, the U.S., Australia, Canada, New Zealand, and United Kingdom issued a “Five Country Ministerial Statement Regarding the Threat of Ransomware” and the nations explained “[t]o more effectively address this threat, we will work closer together to counter cyber security threats and improve public awareness measures…[and] [w]ith this in mind, we agreed to:
- Work collaboratively to address ransomware by actively sharing lessons learned and, as appropriate, more closely aligning our policies, activities, public messaging, and industry engagement.
- Better understand and address the underlying factors that lead to ransomware payments—including how we can reduce the public’s risk of exposure to ransomware.
- Ensure efforts to fight cyber threats, including ransomware, are responsive to pandemic-inspired malicious cyber activity.
- Continue to share information on the evolving ransomware threat landscape to enhance our collective understanding of, and responses to, ransomware activity.”
Late last month, the U.S. Department of Justice (DOJ) issued an internal memorandum announcing the formation of a ransomware task force that would coordinate action across the agency, including the Federal Bureau of Investigation (FBI), and that would include new and creative uses of existing authority.
On the same day as the hearing, Mayorkas unveiled “the next phase of the Department’s 60-day Cybersecurity Sprints that were launched in March.” He “urged small businesses to proactively guard against the growing threat of ransomware.” The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) made available ransomware resources for businesses and other entities, including recommendations from October 2020. In a late March speech, Mayorkas discussed the first phase of the Cybersecurity Sprint: ransomware. He stated:
- The first sprint will focus on the fight against ransomware, a particularly egregious type of malicious cyber activity that usually does not discriminate whom it targets. It is malicious code that infects and paralyzes computer systems until a ransom has been paid. Individuals, companies, schools, even hospitals and other critical infrastructure have been among the victims.
- Let me be clear: ransomware now poses a national security threat.
- Last fall, CISA and its government partners issued a joint alert warning of increased ransomware attacks that could paralyze hospitals and other health care facilities. There are actors out there who maliciously use ransomware during an unprecedented and ongoing global pandemic, disrupting hospitals as hundreds of thousands die. This should shock everyone’s conscience.
- Those behind these malicious activities should be held accountable for their actions. That includes governments that do not use the full extent of their authority to stop the culprits. We must condemn them for it and remind them that any responsible government must take steps to prevent or stop such activity.
- We will do everything we can to prevent and respond to these horrendous acts. And we call on others around the world to do the same.
- In the coming weeks, the Department will step up our efforts to tackle ransomware on both ends of the equation. With respect to preventing ransomware incidents, we will take action to minimize the risk of becoming a victim in the first place. We will launch an awareness campaign and engage with industry and key partners, like insurance companies. With respect to responding to ransomware attacks, we will strengthen our capabilities to disrupt those who launch them and the marketplaces that enable them.
And so, against this backdrop, the subcommittee met, and the development they lauded to aid in the fight against ransomware was the reintroduction of legislation to provide grants to state and local governments: the “State and Local Cybersecurity Improvement Act.” Last October, the House passed a different version of the bill summarized thusly in the committee report:
H.R. 5823, the “State and Local Cybersecurity Improvement Act” seeks to foster a stronger partnership between the Federal government and State and local governments to defend their State and local networks against the cyberattacks from sophisticated foreign adversaries or cyber criminals. One critical provision would authorize a new Department of Homeland Security (DHS) grant program to address cybersecurity vulnerabilities on State and local government networks. The new grant program would be authorized at $400 million with a graduating cost-share that incentivizes States to increase funding for cybersecurity in their budgets. Under the bill, State, tribal, and territorial governments would be required to develop comprehensive cybersecurity plans to guide the use of grant funds. The bill also requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop a strategy to improve the cybersecurity of State, local, Tribal, and territorial governments, set baseline objectives for State and local cybersecurity efforts, and, among other things, identify Federal resources that could be made available to State and local governments for cybersecurity purposes. CISA would also be required to assess the feasibility of implementing a short-term rotational program for the detail of approved State, local, Tribal, and territorial government employees in cyber workforce positions at CISA. Lastly, the bill establishes a State and Local Cybersecurity Resiliency Committee comprised of representatives from State, local, Tribal, and territorial governments to advise and provide situational awareness to CISA regarding the cybersecurity needs of such governments.
The committee report reflects Congress’ knowledge that ransomware was a growing issue:
At the same time, many local governments are not well prepared to recover from a ransomware attack, detect or prevent exfiltration, prefect and recover from breaches, or detect attacks.
Moreover, many local officials and staff are not sufficiently aware of the need for cybersecurity. In 2018, devastating ransomware attacks crippled Atlanta, Georgia. The following year, State and local agencies in Louisiana, the City of Baltimore, MD, 22 towns in Texas, a school district in Syracuse, NY and many other communities scattered across the country were impacted by disruptive ransomware attacks. One DHS official described the ransomware attack in Atlanta as “one of those red blinking lights that people talk about—it’s a warning bell,” and observed that “the attack surface is expanding faster . . . than we are fixing the legacy IT landscape.” These attacks can be extremely disruptive to vital government services and recovery is often far costlier than anticipated—to the tune of nearly $20 million, in some cases.
Moreover, throughout the COVID-19 pandemic, cybersecurity and law enforcement agencies warned healthcare providers of more frequent and targeted ransomware attacks:
- CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS)
- The Australian Cyber Security Centre (ACSC)
- The UK’s National Cyber Security Centre
- In the coming days, I will introduce the State and Local Cybersecurity Improvement Act, which would authorize $500 million in annual grants to state, local, territorial, and Tribal governments to strengthen their cybersecurity. As the ever-increasing number of ransomware attacks on state and local governments demonstrates, adequate investment in cybersecurity has been lacking, and more resources are needed. Just last week, we saw ransomware attacks that released sensitive law enforcement information from police departments in Washington, DC and Presque Isle, Maine, showing that cities large and small are vulnerable to this kind of cybercrime. This legislation would ensure funding is available, while insisting state and local governments step up to prioritize cybersecurity in their own budgets.
- The Ransomware Task Force Report released last week provided 48 recommendations on what government and industry can do to address this crisis in the coming months and years. I am excited to have two of the co-chairs of the Task Force here today to share more information on the recommendations. As Secretary Mayorkas has made clear in announcing that addressing ransomware would be the first of DHS’s 60-day sprints on pressing cybersecurity challenges, responding to ransomware is a priority for this administration. And it is definitely a priority for this Committee and many in Congress. So, I hope that this hearing will help further the conversation on how the private sector, Congress, the executive branch, and state and local governments can collaborate to address this crisis.
- In particular, I am interested to learn how other Committee priorities – including developing a cyber incident reporting framework – could improve our understanding of ransomware trends and how to defend against such attacks. Relatedly, I am interested to hear how CISA can play an important role in information sharing and coordinating this response. As the agency that works closely with governments at all levels and the private sector on cybersecurity matters, I know it will have a significant role on this issue going forward.
Chair Bennie Thompson (D-MS) said:
- I am proud to be a cosponsor of this important legislation and look forward to working with Chairwoman Clarke and the bill’s bipartisan group of supporters to get it enacted into law. We cannot afford to wait any longer to provide the funding necessary to protect our state and local governments. Fortunately, it is clear that the Biden Administration has made addressing ransomware a priority.
- From Secretary Mayorkas announcing DHS’s 60-day sprint on ransomware to the Justice Department’s new task force, the executive branch is now demonstrating the coordinated approach that reflects the gravity of this threat. This Committee stands ready to work with them to ensure the resources and authorities are there to fulfill this critical mission. The recently released Ransomware Task Force report provides numerous recommendations on how we can develop a cohesive approach to combatting ransomware.
- I appreciate the hard work of the members of the Task Force in putting together this comprehensive document in just the last three months, reflecting the urgency of this growing crisis. The report makes clear that despite the many challenges presented by cryptocurrencies and foreign adversaries that help disguise and protect ransomware criminals, there are important steps the government can take to enhance defenses, improve information sharing, and collaborate with partners in the private sector and internationally to tackle this problem. These proposals have given Congress much to consider, and we are committed to ensuring that this issue remain a priority for Congress, so we can take meaningful action.
- I believe it is now more important than ever to work with agencies like CISA, the Secret Service, and the Treasury Department to combat malicious cyber actors from targeting our struggling small businesses, healthcare institutions, and state and local governments.
- We must think of new innovative ways to interrupt cyber criminals’ ability to see this as a financially viable way of doing business.
- It should come as a surprise to no one in this hearing that these ransomware attacks have devastating real-world consequences for Americans. Every minute that a hospital goes down is a minute of missed critical care. The same goes for almost every industry.
- We must work to put a stop to this.
- We need to double down on ensuring state and local entities and small businesses are prepared and adopt basic cybersecurity best practices to mitigate cyber risks. These practices can include: 2 factor authentication, strong passwords, retaining backups, developing a response plan, and updating software.
- CISA, in partnership with the Multi-State Information Sharing and Analysis Center (MS-ISAC), also offers several no cost services across the nation that should be leveraged by state and locals and the private sector. This includes the Joint Ransomware Guide, developed by both CISA and the MS-ISAC that includes industry best practices and serves as a consolidated resource for SLTT and the private sector.
- I am a proud original cosponsor of the Chairwoman’s State and Local Cybersecurity Improvement Act. While we all can agree more resources for our state and local governments are necessary, we must also ensure these funds are spent responsibly, and effectuate meaningful impacts on risk reduction. This important bill is a tremendous step forward in our fight, but we can’t stop there.
- While somewhere near only 2% of all cryptocurrency payments are nefarious, we know that most, if not all ransomware payments utilize the anonymity of cryptocurrencies.
- We must adopt an “all of the above” approach to dealing with this scourge. There is no single silver bullet.
- I cannot emphasize this strongly enough: State and local governments and small businesses should leverage the free services the Cybersecurity and Infrastructure Security Agency (CISA) offers to help prevent and mitigate the scourge of ransomware attacks. CISA’s guidance and services can help SLTT, and small businesses take meaningful steps to increase the cybersecurity posture of their networks. These left-of-attack preventative actions can make the difference between a devastating cyber event and business as usual.
- We also must ensure CISA has the resources and capabilities to go toe to toe with sophisticated cyber criminals. CISA has made strides to keep pace with the evolving threat, but there’s more to be done. The Fiscal Year 2021 National Defense Authorization Act provided important authorities that I advocated for that will ultimately allow CISA to rise to the challenge, but these must be met with resources to implement them. As I have continued to say, Congress needs to put CISA on a path to being a $5 billion agency.
- I have been pleased to see CISA leveraging some of its newly established authorities including state cybersecurity coordinators. These coordinators will be CISA’s main point of contact embedded in each state government and be critically important to ensuring it has a strong understanding of the needs of our state and local governments. Additionally, I am happy to see CISA is fully leveraging its new authority provided by the DOTGOV Act to administer the top-level domain to provide secure and trustworthy .gov domains to state and local governments at no cost. CISA should also be doubling down on its efforts to stand up the Joint Cyber Planning Office to widen and streamline channels of communication between the federal government and industry.
- We must think outside the box when it comes to slowing the rapid expansion of ransomware. Equipping state and local governments with the resources to bolster their defenses is an important step, and I’m looking forward to working with Subcommittee Chairwoman Clarke and Chairman Thompson on the State and Local Cybersecurity Improvement Act to achieve that goal. But we can’t stop there. I look forward to hearing testimony from our witnesses on the innovative approaches that Congress should consider as we strive to tackle this problem once and for all. The recommendations from the Ransomware Task Force are a great place to start, but let’s keep the pedal to the metal.
- While I will highlight just a few of the report’s key recommendations, I believe that the recommendations in the report should be viewed as a set of collective actions that should be applied with continuous, coordinated and overwhelming pressure. Some of these recommendations can immediately be pursued. Some will require creative policy solutions, including new legislation.
- RTF Report Recommendation: The United States should lead by example and execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House.
- A foundational step is recognizing that the nature of the ransomware challenge will require a massive effort to sustainably shift the trajectory. While I am a retired Army General, I will borrow a phrase from my Naval comrades to say that our report calls for an “all hands on deck” approach. No single organization, public or private, has all of the capabilities, capacities, skills, experience, resources or authorities to act effectively in isolation.
- It will take a team approach across government, industry, academia, nonprofits and the international community. This effort and our recommendations must be embraced at the highest levels of government and industry as a policy priority and given sufficient resources. To this end, we are heartened to see recent actions at the senior levels of the Department of Homeland Security and Department of Justice that signal the elevated prioritization of addressing this issue on a national and international level. But much more can and must be done to elevate this to even higher organizational levels within the Administration.
- RTF Report Recommendation: Develop a clear, actionable framework for ransomware mitigation, response and recovery.
- In addition to the need for greater strategic attention and coordination at the national policy levels, we also saw a core responsibility to help all organizations – states and localities, schools and critical infrastructure like hospital systems – better prepare operationally for the threat of ransomware attacks.
- Within the RTF, I was a co-chair of the Prepare Working Group. Improving the ability to prepare for and even prevent most ransomware events from happening in the first place is the single most important function in reducing this threat to a manageable level. Building on best practices that have proven to be successful, clarifying and consolidating them, and making them easily accessible at appropriate levels is one of the most powerful tools we can employ. The adage “an ounce of prevention is worth a pound of cure” is especially true in the case of ransomware because, once you have been hit, you have already lost the battle and can only play catch up.
- Most organizations, regardless of size or security acumen, are aware of the threat of ransomware. But most are not similarly empowered with adequate knowledge to quantify how finite resources can be applied to reduce their risk to ransomware threats specifically. We need to bridge the communications gap between IT and security professionals and senior organizational leadership. We need organizations to stop thinking about ransomware as a niche cybersecurity issue but instead as a core business continuity risk that must be managed in the same way as other physical disruptions.
- The RTF saw the current state of awareness around ransomware as similar to the environment prior to 2014, when no authoritative compilation of best practices existed for cybersecurity generally. NIST responded by leading a multi-stakeholder process to create the Framework for Improving Critical Infrastructure Cybersecurity. In a similar way, the single most impactful measure we can take to help organizations is the creation of an internationally accepted framework that establishes clear actionable steps to prevent ransomware, and recover from it if prevention is not successful.
- An International, Collaborative Effort Must Form to Reduce the Ransomware Threat
- The Ransomware Task Force convened to address this growing international challenge. The breadth of the challenge informed the Task Force’s first priority recommendation. Specifically, coordinated international diplomatic and enforcement efforts must make clear that ransomware is an international national security and law enforcement priority and that an international coalition should be developed to combat it. Governments should also develop a comprehensive, resourced strategy that uses both carrots and sticks to reduce the number of countries providing safe havens. In doing so, governments can build on the 2020 G7 finance minister’s statement in further signaling publicly the urgency of this threat. But as the Task Force’s other recommendations make clear, governments must also work collaboratively among themselves and with the private sector to share information, jointly investigate, and bring these actors to justice or otherwise eliminate their ability to operate with impunity.
- For the United States, the Task Force recommends that this collective and collaborative action be driven by a whole-of-government strategy, led by the White House. Such a strategy should also include a Joint Ransomware Task Force to coordinate an ongoing, nationwide campaign against ransomware and identify and pursue opportunities for international cooperation. This joint interagency task force should be empowered at the appropriate levels to use all instruments of national power, and it should prioritize ransomware threats to critical infrastructure. In conducting its work, the interagency task force should also collaborate closely with relevant private-sector organizations that can help defend against and disrupt ransomware operations, such as security vendors, platform providers, information sharing and analysis organizations, and cybersecurity nonprofits.
- The Task Force further recommends the development of a Ransomware Threat Focus Hub that can also support existing, informal efforts. The Hub can serve as a central, organizing node for informal networks and collaboration of a sustained public-private anti-ransomware campaign. In addition, to support the Hub’s and its participants’ ability to disrupt the ransomware lifecycle, the Task Force also recommends that the Departments of Justice and Homeland Security provide further clarity on the scope of defensive measures entities may undertake pursuant to the Cybersecurity Information Sharing Act of 2015.
- The Scope and Quality of Information About Ransomware Must Improve
- In order to develop and support this international strategy and its domestic elements, and through such a strategy eliminate safe havens, members of the Task Force believe that better information is necessary to enable this collective action. It is important to emphasize that this is not just more information sharing of cyber threat indicators, or indicators of compromise (IOCs), as they are also called. Both the scope and quality of information must improve. For example, IOCs should be tied to ransomware incidents, and this information must get into the hands of those who can use it – within the government as well as outside it. IOCs also need to be supplemented with additional information about ransomware incidents, including payments.
- Due to the limited and inconsistent nature of information about ransomware incidents, the Ransomware Task Force also recommends that national governments encourage organizations that experience a ransomware attack to voluntarily report the incident. Furthermore, the Task Force recommends that should a victim elect to pay the ransom they be required to share details with the government in advance of such payment. At a minimum, the notification should include the ransom date, demand amount, and payment instructions (e.g., wallet number and transaction hashes). Gathering and analyzing this information is essential not just for law enforcement but also for incident responders and insurers, who can deploy additional analytic tools that may help cybersecurity firms prevent the next incident as well as allow insurers to pursue payment recovery, including through subrogation.
- This information is necessary but insufficient to fully combat this threat. Organizations, both their leadership as well as those in operational roles, need to better understand that ransomware is a real and relevant threat and have better guidance on how to prioritize mitigation efforts given limited resources. To address this knowledge gap, the Task Force recommends that a framework be developed to help organizations better prepare for and respond to ransomware attacks, together with materials to support framework implementation such as toolkits and other how-to resources. Importantly, this framework should include customized recommendations based on each organization’s current capacity to implement the recommendations. Following the success of the Cybersecurity Framework, the Task Force recommends that the National Institute of Standards and Technology convene an effort to develop this ransomware framework, in collaboration with international counterparts. The development of toolkits and other how-to materials is a necessary complement to ensure widespread adoption of the ransomware framework. GCA (and other organizations, I am sure) is ready to add such guidance to our existing resources to assist organizations in reducing their ransomware risk.
- Establishing Response and Recovery Funds and Expanding Grant Availability Can Support Victims and Disrupt the Ransomware Business Model
- Resources for implementation are essential to the success of the ransomware framework and through it the disruption of the ransomware business model. To address this need, the Task Force recommends that governments establish Response and Recovery Funds. These funds should cover the cost, for example, of restoring systems for victims that serve essential functions including local governments as well as critical national functions. The Task Force believes that the availability of these funds will help reduce the number of victims electing to pay the ransom demand. As an incentive for organizations to invest in cybersecurity, governments could consider requirements to access the fund, such as demonstrating use of the ransomware framework to ensure a commitment to a baseline level of cybersecurity.
- In addition, the Task Force recommends that more grant funding be available to use for cybersecurity. For example, Homeland Security Preparedness Grants could be expanded to address cybersecurity threats. Additional grants, along the lines established by the Help America Vote Act, could also be made available to states through which they could manage delivery of funds to municipalities. Not only would these investments reduce cybersecurity risks, they will also enhance state, local, tribal, and territorial resilience as upgrading software and hardware are often the most cost-effective security investments organizations can make. As with Response and Recovery Funds, access to these grants could be conditioned upon demonstrated alignment with the ransomware framework following its development. Elements of the State and Local Cybersecurity Improvements Act, which passed the House of Representatives last session, could serve as a baseline effort to address these recommendations.
New Hampshire Department of Information Technology Commissioner Denis Goulet (testifying on behalf of the National Association of State Chief Information Officers) (watch his opening statement or read his full written remarks) stated:
- I would again like to reiterate my appreciation to this subcommittee for its attention to cybersecurity issues impacting state and local governments. The 116th Congress focused significantly on these issues and introduced numerous pieces of legislation endorsed by NASCIO. In particular, I look forward to continuing to work with the members of this subcommittee to ensure the passage of a state and local cybersecurity grant program.
- Currently, cybersecurity spending within existing federal grant programs, including the Homeland Security Grant Program, has proven challenging in the face of declining federal allocations, increased allowable uses and a strong desire to maintain existing capabilities that states have spent years building. In fact, less than four percent of all Homeland Security Grant Program funding has been allocated to cybersecurity over the last decade.
- NASCIO urges the reintroduction and passage of the bipartisan State and Local Cybersecurity Improvement Act, a $400 million annual grant program for state and local governments to strengthen their cybersecurity posture. This legislation would require grant recipients to have comprehensive cybersecurity plans and emphasizes significant collaboration between CISA and state and local governments. The legislation would also allow state and local governments to make investments in fraud detection technologies, identity and access management technologies and implement advanced cybersecurity frameworks like zero trust. We would also be able to invest in cloud-based security services that continuously monitor vulnerabilities of servers, networks and physical networking devices.
- Passage of the State and Local Cybersecurity Improvement Act would provide vital resources for state IT agencies, meaning my fellow CIOs and I would not have to compete against other agencies and states. Ultimately, a specific cybersecurity grant program would allow us to better assist our local government partners and address threats from well-funded nation-states and criminal actors that continue to grow in sophistication. As I mentioned earlier in my testimony, NASCIO also supports provisions within this legislation that would ensure state governments are budgeting for cybersecurity.
- We also greatly appreciate the recent passage of the American Rescue Plan Act (ARP), which includes $350 billion in flexible aid to state and local governments. While we await guidance from the Department of the Treasury on allowable expenditures, I believe the ARP will create significant resources for states to invest in legacy modernization, cybersecurity improvements and broadband expansion over the next three years.
- Similarly, the counter ransomware “triplet” includes improving cyber defenses, disrupting the criminals’ business model, and increased coordinated action against ransomware gangs and their enablers. This strategy will require government and the private sector to contribute and commit to partnering together to break the ransomware cycle.
- Improving Defenses
- First, we must improve defenses of our businesses and agencies across all levels of government. Ubiquitous use of multifactor authentication (MFA) for access to networks can limit credential abuse, updated and patched systems can prevent actors from exploiting known vulnerabilities, and a well-practiced incident response plan accompanied by backed up and offline systems can enable rapid reaction and restoration. In many cases, even these straightforward steps are beyond the reach of many companies or state or local agencies. We need to rethink both our approach to technology deployment, including MFA by default, and the Federal government should consider increasing technology upgrade grants to states and localities to retire legacy systems and join the digital transformation.
- Disrupting the Ransomware Business Model
- Second, we must break the business model of ransomware. Simply put, ransomware is a business, and business is good. The criminals do the crimes and their victims pay the ransom. Often it seems easier (and seemingly the right thing to do from a fiduciary duty to shareholders perspective) to pay and get the decryption key rather than rebuild the network. There are three problems with this logic: (1) you are doing business with a criminal and expecting them to live up to their side of the bargain. It is not unusual for the decryption key to not work. (2) There is no honor amongst thieves and no guarantee that the actor will not remain embedded in the victim’s network for a return visit later; after all, the victim has already painted themselves an easy mark. (3) By paying the ransom, the victim is validating the business model and essentially making a capital contribution to the criminal, allowing them to hire more developers, more customer service, and upgrade delivery infrastructure. And, most worrisome, go on to the next victim.
- We must address the ransomware business model head on and disrupt the ability of victims to pay ransom. We need to prioritize countering ransomware as a nation. That includes appropriately investing in our government agencies and their ability to investigate, disrupt, and apprehend criminals. We need to do more to understand the ransomware economy and the various players in the market. And at the points where cryptocurrency intersects with the traditional economy, we need to take action to provide more information, more transparency, and comply with the laws that are already on the books. This includes Kiosks, Over the Counter trading desks, and cryptocurrency. Lastly, we don’t know enough about the ransomware economy, as it operates in the shadows. We lack a clear understanding of the scale of the problem, including the number of victims of ransomware – the denominator we are trying to improve against.
- There are different ways to gain better insight into the ransomware economy, including requiring anyone paying a ransom (as a last resort, of course) to notify the government and provide specific details. There is an alternate model, where to make a payment to an identified (in this case an officially sanctioned organization), victims or their agents must seek a license or similar permission from the government prior to making that payment. The Department of Treasury Office of Foreign Assets Control (OFAC) began down this track last year, declaring ransom payments to identified entities may be a violation of economic sanctions laws. Because the identity of the ransomware actor is not always obvious, the OFAC advisory may have an overall chilling effect on ransom payments.
- More Aggressive Action Against Ransomware Actors
- Third, we need more coordinated action against ransomware actors using the range of authorities available to federal agencies, as well as capabilities and rights resident in the private sector. To be clear, I am not suggesting extrajudicial kinetic actions against ransomware gangs. However, other authorities available to law enforcement and military should be on the table, with great care taken not to blur the lines between the two. Traditional approaches have clearly not been sufficient to prevent the outbreak of ransomware. More aggressive and repeated disruption of malware command and control infrastructure, like the action earlier this year against Emotet, is a good start. Where there are clear ties between ransomware actors and state actors or a potential imminent threat to an event or infrastructure of significance like a national election, action should be on the table. The private sector also has options available, as demonstrated by Microsoft’s aggressive policing of the abuse of its trademark and source code, including last fall’s operation against Trickbot. When coordinated and jointly conducted, private and public sector can make the internet an inhospitable place for cybercriminals.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.