There is growing frustration in Congress that ransomware and other types of cyber-attacks continue to wreak havoc in critical infrastructure owned and operated by the private sector with widespread societal and national security consequences.
Key questions posed by Congress:
Why are there so many vulnerabilities to exploit?
Are these cyber security threats unknown and unforeseeable problems?
Are these recent ransomware attacks somehow different?
Do we lack tools and methods to better defend the nation's critical infrastructure and services?
Fair questions. Basically, their sentiment is that no stakeholder can claim to be surprised by ransomware, and that preparedness levels for protecting systems and information, and for detecting, defending against, and responding to incidents, appear to be sub-optimal.
Voluntary cyber security measures for the private sector were suggested to have proven ineffective, and perhaps the time has arrived for verifiable standards imposed on the private sector. It was indicated that the US Chamber of Commerce should not bother this time to appear and lobby against mandatory measures.
Perhaps inspiration will be taken from the Cybersecurity Maturity Model Certification (CMMC) framework that is being rolled out by the Department of Defense (DOD). CMMC, based on the NIST 800-171 standard with some additional controls, is a tiered mandatory cyber security framework for the Defense Industrial Base (DIB) community.
All CMMC documents, training manuals, processes etc. are currently being finalized, and an ecosystem containing an accreditation body and certified assessor companies is forming. DOD is determined to address cybersecurity vulnerabilities in the DIB.
By 2025 a company must be certified by a licensed CMMC third-party assessor if it wants to even bid on a DOD procurement opportunity. There are an estimated 300,000 companies in the DIB, which shows the scale of this undertaking. Basically, the CMMC push was caused by the conclusion that cyber security self-assessments by the private sector were not enough to protect sensitive information and programs.
The cost for companies to reach the tiered CMMC controls remains to be seen (estimates exist). However, it appears that cyber adversaries continue to grow more sophisticated, better coordinated, and more numerous, while at the same time most societal stakeholders seem to have underinvested in cyber security technology, processes, and people, leaving society to suffer the consequences.
Recent testimony identified several threat accelerators of ransomware:
Success generates higher interest and leads to more attacks by cyber criminals.
Improved coordination and a more advanced division of labor among criminals have spurred Ransomware-as-a-Service (RaaS) operations that have lowered the barriers to entry.
The growing field of cryptocurrencies has given criminals methods of receiving concealed and difficult-to-trace payments.
Attacks on managed service providers (MSPs) amplify attacks, as one break-through can provide access to a vast number of networks with hundreds or thousands of potential victims.
Targets continue to have inadequate defenses.
Notifying the Government
The FBI believes that the number of ransomware attacks is rising dramatically. But it is difficult to quantify, or even assess, the totality, as only 25-30% of all US ransomware attacks are thought to be reported to the government.
The FBI stated that private sector critical infrastructure entities should be required to notify the government upon detection of a ransomware attack, within some determined time frame. That should include other types of breaches that could impact delivery of critical societal services, allow unauthorized access to government systems, or threaten high-value trade secrets.
The FBI argues that in a ransomware attack it will be made known to the victim that their systems are compromised, in contrast to cyber espionage, where stealth and undetected theft are primary goals of the perpetrators.
The Federal government sees under-reporting of cyber security incidents as seriously hampering its national situational awareness (e.g., whether incidents are connected, or whether one is the beginning of a more substantive nation-wide attack), and as removing an important opportunity to collect evidence and build cases against repeat offenders. It also obstructs any attempt by the Government to recover assets.
Going on the offensive
There is growing sentiment to go on the offensive and bring the fight to the criminals, as defensive systems often prove insufficient. However, the private sector was strongly encouraged not to engage in any ‘hack-back’ activities, as it is a legal gray zone (or no-go zone), it can disturb the collection of evidence that would be admissible in court, it could interrupt internationally coordinated law enforcement actions, and it could cause diplomatic disputes.
Russia, Iran, and China were identified as effectively harboring and shielding cyber criminals, making it difficult to locate, shut down and extradite suspects. These nations allow cyber pirates to virtually pillage foreign lands. DOD noted in testimony that it often discovers malware designed to avoid infecting computers where Russian is the default language.
Basic cybersecurity hygiene
There was consensus that risk can be dramatically reduced by implementing and upholding even the most basic cybersecurity hygiene. Multi-factor authentication is of particular importance: “...Microsoft estimates that more than 99% of all cyberattacks would have been prevented if multi-factor authentication were deployed.” Other methods and processes highlighted were the concept of least-privilege access and the adoption of Zero Trust principles.
It is not known what percentage of those attacked end up paying a ransom. The FBI does not believe it would be beneficial to make paying a ransom illegal, as it could potentially provide another obstacle to timely reporting to the government, plus it could provide another blackmail opportunity for the cyber criminals.
More to follow.
Key current government activities
· Executive Order 14028 on “Improving the Nation's Cybersecurity”, involving for example defining what is ‘critical’ software, requiring SBOMs (Software Bills of Materials), and improving government cyber incident management through more structured processes and enhanced collaboration with the private sector. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
· National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, 28 July, 2021. https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/
Recent Congressional Hearings on Ransomware:
· THE UNITED STATES SENATE Committee on the Judiciary, “America Under Cyber Siege: Preventing and Responding to Ransomware Attacks.” July 27, 2021 https://www.judiciary.senate.gov/meetings/america-under-cyber-siege-preventing-and-responding-to-ransomware-attacks
· Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, "Stopping Digital Thieves: The Growing Threat of Ransomware." Tuesday, July 20, 2021. https://energycommerce.house.gov/committee-activity/hearings/hearing-on-stopping-digital-thieves-the-growing-threat-of-ransomware
· Senate Committee on Armed Services, Subcommittee on Cyber, Testimony on Recent Ransomware Attacks. Wednesday, June 23, 2021. https://www.armed-services.senate.gov/hearings/to-receive-testimony-on-recent-ransomware-attacks-