In the wake of the highly publicized attacks on both gasoline and food infrastructures by Russian-based ransomware attackers, the Biden administration on June 3 issued an advisory to business leaders directing them to take action to harden their systems against ransomware and to be more resilient against similar attacks. It has also been reported that President Biden intends to discuss the issue of Russian-based cyber attacks on U.S. critical infrastructure when he meets later this month with President Vladimir Putin.
The ransomware memo, issued by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, called upon private sector companies — particularly those in critical infrastructure — to recognize and respond to the threats posed by ransomware attacks. Neuberger’s memo noted:
“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” she wrote. “Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.”
“To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”
When it came to solutions — particularly solutions that the government might make available to the private sector — the memo seemed a bit thinner. It recommended that companies harden their systems against phishing attacks, the principal vector for ransomware infiltration, and implement multifactor authentication as part of their anti-phishing protocols. The memo also recommended strengthening and training the security staff on ransomware response, having more robust data backup and restoration, and encrypting data at rest to prevent or deter extortionware. This is in addition to things like patch management and restricting access to files and networks.
Among the steps Neuberger said companies should take are implementing multifactor authentication, bolstering security teams, regularly testing backups and applying patches, testing incident response plans, and separating and limiting internet access to operational networks.
In other words – duh.
At the same time that the government is recommending that companies be prepared for the threat of ransomware and have robust systems to respond to ransomware attacks, it is also threatening to criminally prosecute not the ransomware attackers, but the companies that, either directly or through digital incident response or insurance companies, pay ransoms to get access to their data back. Late last year, both the Treasury Department and financial regulators issued warnings that the payment of ransom by victims may violate U.S. and international restrictions on conducting business with “prohibited entities,” and that a license from the Treasury Department’s Office of Foreign Assets Control might be needed before a ransom could lawfully be paid — particularly in cryptocurrency. The government also warned entities paying ransom that they are subject to prosecution for violating the “know your customer,” “anti-money laundering” and “money transfer agent” statutes if they pay or facilitate the payment of ransom. That’s public/private cooperation for you.
Neuberger did note that “The U.S. Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility. The federal government stands ready to help you implement these best practices.” However, the memo did not commit the government — particularly the law enforcement or intelligence agencies — to sharing data about ransomware threat actors, their identity, their methodologies, or their networks with the private sector. It’s not clear that such robust information sharing would be successful in mitigating the threat of ransomware, but the government has certainly encouraged the private sector to report ransomware attacks and to share information with the government. It’s not clear that the government is committed to sharing this information the other way.
Moreover, while the government seems to see encryption of data as a partial solution to the problem of ransomware (actually, extortionware), the FBI and intelligence agencies have insisted that encryption technologies be developed and deployed that would give the government (governments?) access to encrypted data, so as to prevent “warrant-proof” encryption. In other words (and the government would disagree with this accurate assessment), backdoors to encryption.
The Neuberger memo also did not discuss whether the government could (or would) provide some kind of subsidy to companies that cannot afford the level of security that the government deems necessary, or provide resources (or tax breaks) to encourage the deployment of such security resources. It simply recommends that companies continue to have “good security hygiene” — you know, things we should be doing anyway. And even if every company did this, it’s not clear that this would prevent ransomware — just make it somewhat less pervasive, or make the attackers that much more clever.
It’s kind of like when you were a kid carrying a bunch of breakables, and your mom would say helpfully, “hey — don’t drop that…” Thanks, mom.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.