Ransomware response: What CISOs really want from the federal government

What should the federal government's role and responsibility be regarding ransomware? Security leaders weigh in.

The May ransomware attack on Colonial Pipeline exposed the country’s significant vulnerability to cyberthreats.

The attack triggered lines at gas stations, higher prices at the pump, and even some hoarding. It prompted new federal cybersecurity regulations for the pipeline industry and a presidential executive order on cyber defenses. And it brought calls for tougher defenses against such attacks.

“Clearly our path to date hasn’t been good, because of how many companies are dealing with ransomware or data breaches,” says Matt Stamper, CISO and an executive advisor at Evotek and a leader at the IT governance association ISACA.

Many security leaders concur.

They’re concerned about the rapidly rising number of ransomware attacks and the growing sophistication of adversaries supported indirectly or directly by nation-states—support that gives them and the burgeoning ransomware-as-a-service business model better odds at doing substantial damage.

Those concerns have security leaders looking to the U.S. government to step up countermeasures to help thwart the volume, velocity, and resulting losses of these foreign-backed attacks.

“We are at a turning point; you might even say we’re overdue for a collective response from federal government. Cybercriminals are now acting with impunity. We need to find a way to disrupt and deter those activities, whether it’s intellectual property theft or ransomware attacks. And we need to put pressure on those supporting cybercriminals,” says longtime security leader John Parlee, who now serves as CISO at Park Place Technologies.

What that collective response entails is up for debate.

Finding the appropriate balance

Security experts acknowledge that there’s no consensus on what exact steps the government should take and under what circumstances.

Lamont Orange, CISO, Netskope

Still, they seem to agree that the government has a role to play, especially when attacks involve foreign hackers and particularly when they come from hackers backed by nation-states.

As Shawn Bowen, CISO at World Fuel Services, says: It’s not entirely the federal government’s responsibility, but it is more than an individual organization’s problem to solve. “There should be a partnership here,” he adds.

Others agree. “I am not certain the government can stop ransomware attacks, but they can be part of the solution for curbing the attacks,” says Lamont Orange, CISO at Netskope.

At the same time, some security leaders say they neither want nor expect the government to respond to every attack.

“I’m not so sure that’s appropriate, and I’m not so sure that’s their mission at the end of the day,” says John Burger, a retired U.S. Army colonel who had served as both CISO and Joint Cyber Center chief at the U.S. Central Command and is now the CISO at ReliaQuest.

“We have to decide when to use our influence, and when to use our cyberforce. Our cyberforce isn’t endless. It’s not like you have a magazine of bullets to keep firing. You have one round, because as soon as you fire that round, the bad guys know you have the capability and they’ll then work around it.”

Threats, consequences escalating

The United States ramped up its collective response following the string of attacks in May and June.

Deputy National Security Advisor for Cyber Anne Neuberger on June 3 released an open memo to corporate executives and business leaders pushing them to take immediate steps to address the threat of ransomware.

“The most important takeaway from the recent spate of ransomware attacks on the United States, Ireland and Germany, and other organizations around the world, is that companies that view ransomware as a threat to their core business operations, rather than a simple risk of data theft, will react and recover more effectively,” White House press secretary Jen Psaki said during a press briefing following the letter’s release.

The same day, the Justice Department announced that it will give the same priority to ransomware investigations as it does to terrorism cases, and it will require federal prosecutors to more closely track ransomware cases and to brief department leaders on key developments in such cases.

Despite these recent elevated responses, ransomware is not a new problem. This attack type dates back to 1989, when the first known attack featured malicious code delivered via floppy disk.

But the number and complexity of these attacks have escalated since then, and the consequences of successful ransomware attacks have risen, too, as criminal syndicates and nation-states have gotten in on the action.

John Parlee, CISO, Park Place Technologies

As a result, CISOs must now defend against adversaries who are sometimes well-resourced, highly skilled and deeply motivated.

The spate of incidents this spring highlights the extent of the challenges.

First there was the Colonial Pipeline attack, which the FBI blamed on a Russia-backed criminal group named DarkSide.

Then on June 1, the world’s largest meat supplier, JBS, was hit, forcing the closure of multiple meat-processing plants in North America and Australia. The FBI blamed the REvil group, believed to be based in a former Soviet state, for that attack.

A day later, on June 2, New York’s Metropolitan Transportation Authority revealed that it had been hacked in April by a group with suspected ties to China.

Those are just the highest-profile incidents. In 2020 nearly 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware, according to the 2021 Combatting Ransomware report from the Ransomware Task Force. According to U.S. officials, there are more than 4,000 ransomware attack attempts each day.

The consequences and costs of such attacks have spiked, too: The cybersecurity services firm PurpleSec estimated the total global damage from ransomware attacks for 2020 to be $20 billion, up from $11.5 billion in 2019 and $8 billion in 2018.

Actions taken in response

The security community, of course, has been responding to the rising level of cyberattacks.

The typical enterprise CISO has been implementing both more and more advanced controls to guard against all manner of attacks. And the typical CISO is now getting more support for such measures from the other C-suite executives and board members. A 2021 ISACA study found that 80% of respondents say their organization is more prepared for a ransomware incident than it was four years ago.

The U.S. government has responded, too.

President Biden in May signed an executive order aiming to boost the country’s cyber defenses. (The White House released the order following the Colonial Pipeline attack, but the administration had been working on it for months.) The order puts forth a number of initiatives, including new security standards for commercial software and new security requirements for companies doing business with the federal government—something that the administration hopes will translate into higher security standards for the private sector as well.

White House officials in early June also indicated more action could be in the works, saying that they’re studying options that could include retaliation.

There’s speculation that the United States already took such steps: DarkSide in May claimed that its servers and its cryptocurrency balances are gone, disappearances that some attribute to covert retaliatory actions.

CISOs call for further government action

Security leaders say they support the federal actions taken so far. Many say they specifically support the plans outlined in President Biden’s executive order as well as the plans to create a cybersecurity review board to report on cyber incidents.

Matt Stamper, CISO and executive advisor, Evotek

“You talk to CISOs across the country and we think this is a very commonsense [direction] and we agree, yes, let’s start enacting these things,” Stamper says.

But some also say they think the federal government can and should do more.

“The federal government needs to do more than just take the police report after everything has been stolen out of the house. They need to take more offensive actions,” says Brian Johnson, now CSO for Armorblox and the former CISO for Upwork, Lending Club, and Netflix.

He points out that some attacks are now impacting more than just a single organization; they’re impacting everyday Americans and the U.S. economy.

“We have to stop treating these incidents as one-company problems,” he adds.

Brian Johnson, CSO, Armorblox

To do that, though, security experts say the government must develop more effective strategies to go after foreign-based hackers and in particular those operating in countries providing safe harbor.

“This is rogue, criminal activity that needs to be sanctioned, and the countries that are supporting this activity need to be held to account,” Stamper says, noting, too, that the government is undoubtedly already taking behind-the-scenes actions in response to the ongoing hacking activities.

Others say the government could incentivize or even require organizations to report whether they’ve been hit by attacks and then share such details as part of an expanded information-sharing operation that would better equip CISOs to defend their organizations.

“We need to make sure that when we do detect ransomware activity, both the federal government and the private sector are better at sharing information. People want to know: Where did an attack come from, who was behind it, how was it delivered,” says Gregory Touhill, ISACA’s incoming board chair, director of the CERT Division at the Software Engineering Institute at Carnegie Mellon University and the federal CISO appointed by President Obama.

Gregory Touhill, Director, CERT Division at the Software Engineering Institute

At the same time, the government could more closely regulate cryptocurrency to reduce the chances of attackers escaping with ransoms, says Wendy Nather, head of Advisory CISOs at Cisco.

Furthermore, security leaders say the government needs to continue its work with other countries to create a framework for international coordination in cyberspace, one that defines acceptable and criminal behaviors and establishes punitive consequences for attacks.

SailPoint CISO Heather Gantt-Evans, a veteran who served six years in the U.S. Army Reserves as an all-source threat intelligence analyst and supported Air Force Cyber Command for three years, supports such action, citing in particular the following recommendation from the Ransomware Task Force report:

Coordinated, international diplomatic and law enforcement efforts must proactively prioritize ransomware through a comprehensive, resourced strategy, including using a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.

Heather Gantt-Evans, CISO, SailPoint

Gantt-Evans also cites support for additional report recommendations, including that “[t]he United States should lead by example and execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House”; that governments “establish Cyber Response and Recovery Funds to support ransomware response and other cybersecurity activities” along with mandates to report ransom payments; and an internationally coordinated effort to “develop a clear, accessible, and broadly adopted framework to help organizations prepare for, and respond to, ransomware attacks.”

The security community has floated other measures for the government to take, although they don’t all enjoy widespread support.

Some, for example, say that government-issued comprehensive cybersecurity standards similar to the accounting profession’s generally accepted accounting principles (GAAP) could be helpful. But others say such standards would be useful for only certain critical industries. And still others push back on the need for more regulations and uniform standards, noting that NIST and other similar frameworks already achieve that objective.

Moving towards implementation

On the other hand, the security community seems to generally support the steps outlined in the president’s executive order as well as the Ransomware Task Force report.

As such, security leaders are advising the government to move forward with implementing those ideas.

Wendy Nather, head of Advisory CISOs, Cisco

“Many [CISOs] say they thought that those recommendations are a great start, and the next step is to implement them. And I’d encourage CISOs to band together where they can to push for these,” Nather says.

Yet at the same time security experts stress the need for CISOs to remain mindful of the limits of government cyber defense efforts and to continue their focus on beefing up each individual organization’s own capabilities.

“I do not believe it is the government's place to take active actions on behalf of companies to help them guard or respond. I don’t believe the capabilities are in a place where they can be extended from the protection of government digital assets to public/private industry assets,” Orange says. “We are focusing a lot on the concept of ransomware but we also need to not forget that this is a challenge to our cybersecurity posture and controls.”

Copyright © 2021 IDG Communications, Inc.