It’s been one year since the ransomware attack against Colonial Pipeline sent drivers panic buying gas, one year since President Joe Biden issued an executive order to improve the nation’s cybersecurity and one year since the Institute for Security and Technology (IST)-coordinated Ransomware Task Force released a comprehensive report recommending how to turn the tide.
Thus far, the federal government and private industry have heeded many of the Ransomware Task Force’s ideas, said IST CEO Phil Reiner during a May 20 event.
“We’re excited to say that 88 percent of the recommendations that were in the report have seen some implementation. We have also seen about 25 percent of significant progress on those recommendations,” Reiner said. The event focused on ransomware trends and the impact of the IST Ransomware Task Force’s recommendations during the past year.
The last year saw President Biden recognize cybersecurity as a national priority. The White House marshaled various efforts against the challenge, including international discussions, new collaborations like a Joint Ransomware Task Force and enforcement efforts that arrested several perpetrators.
But work remains to tip the playing field against ransomware attackers.
“Despite these efforts, however, ransomware attacks continue to persist, and in some estimates have actually continued to increase in volume,” Reiner said.
Cyber attackers have embraced ransomware especially because it tends to be a “low cost, high profit” pursuit, said Kemba Walden, who is a co-chair of the IST Ransomware Task Force as well as principal deputy national cyber director and a member of the Cyber Safety Review Board.
The U.S. has been striving to change this calculus, however, and has marked some successes in going after and impeding cyber extortionists. The past year has seen several instances of extraditing and arresting perpetrators, the retrieval of some of the extortion paid by Colonial Pipeline and deepened interest in penalizing cryptocurrency entities that facilitate ransom payments.
The past year’s efforts against ransomware and other cyber attacks have been promising, but the U.S. has yet to fully embrace the kind of strategy that would win the battle against cyber threats — not just “lose more slowly,” said National Cyber Director Chris Inglis.
“We’ve made great progress — insufficient progress, but great progress all the same,” Inglis said during the summit.
The U.S.’ cyber strategy has traditionally focused on reacting quickly to each new cyber emergency rather than on getting ahead of the attacks, Inglis said.
He called for organizations across public and private sectors to collaborate more deeply on defending against mutual threats and to recognize that cybersecurity is everyone’s problem. That means no longer holding to strict divisions of responsibility that leave each party to defend itself alone.
“Where do we realize that we’re in the same boat, and I should no longer be saying, ‘Hey, the hole’s in your side of the boat, good luck with that?’” Inglis said.
Shifting the nation onto stronger cyber footing also requires designing systems and products to be secure by default, supporting those trying to defend systems and punishing those perpetrating attacks, Inglis said.
Continuing with the same strategy as always means “we’ll continue to go down the road that we’ve been on, which is that we will experience one horrific threat after another, in a way that I think is borderline existential,” Inglis said.
The other choice? Re-evaluating how the nation thinks about and approaches cybersecurity threats, such as in the ways envisioned in the IST report, and bringing people, investments and technology to bear on achieving that, he said.
JOINT RANSOMWARE TASK FORCE
Amid other efforts, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly announced during the event that her agency was kicking off the Joint Ransomware Task Force — something recommended by the IST report.
The IST report said such a task force should comprise government members who “coordinate an ongoing, nationwide campaign against ransomware, and identify and pursue opportunities for international cooperation … identify targets for disruption and takedown, and clearly designate roles and responsibilities for each.”
Easterly added that the new entity’s scope includes aiming to disrupt ransomware actors’ infrastructure, financing and other aspects of their operations.
The Joint Ransomware Task Force should also connect with the private sector, the IST report said. It recommended a nonprofit organization create an informal, private sector-led “Ransomware Threat Focus Hub” through which cybersecurity firms and related players could collaborate with the government Joint Ransomware Task Force against ransomware.
Easterly said the new task force builds off CISA’s Joint Cyber Defense Collaborative (JCDC), which launched in August 2021. The JCDC is charged with creating whole-of-nation cyber defense plans and collaborating with private entities and, eventually, all levels of government agencies on defending against, and responding to, cyber incidents.
“This [Joint Ransomware Task Force] will actually build really nicely on the infrastructure in the scaffolding that we’ve developed with the JCDC,” Easterly said.
POLICY AND SUPPORT
Turning the tide on ransomware requires those in charge to understand the threat, and one victory from the past year has been the passage of a federal law that, when implemented, will require critical infrastructure firms to report significant cyber incidents to CISA and require a broader array of firms to report ransomware payments.
Efforts are also aimed at better supporting potential victims in recovering from, and preventing, attacks.
For one, federal officials took up IST’s proposal for a Cyber Response and Recovery Fund that can be tapped to help government and private entities in the wake of significant cyber attacks. The U.S. government has also worked to make advice and resources easier to find, including by launching CISA’s Shields Up and DHS and DOJ’s StopRansomware.gov websites.