Signaling greater U.S. government involvement in cybersecurity, President Biden in his first State of the Union address last night mentioned bolstering cybersecurity through such measures as making security jobs accessible, combating cyber interference from Russia, and mitigating nation-state threats.
Biden’s address comes as both the federal government and industry ramp up efforts to take on ransomware.
In an internal memo sent to DOJ staff last week, Acting Deputy Attorney General John Carlin detailed the precarious position citizens, companies, and even government agencies have been put in due to advanced extortion attempts using ransomware:
“By any measure, 2020 was the worst year ever when it comes to ransomware and related extortion events…And if we don’t break the back of this cycle, a problem that’s already bad is going to get worse.”
So what can we expect from a more active federal presence in ransomware and cybersecurity?
Task forces in the works
Though yet to be officially announced, last week the Wall Street Journal reported on Carlin’s memo discussing the start of a multi-pronged task force committed to deterring cybercriminal activity. The working group will initially consist of criminal, national security, and civil divisions of the DOJ and FBI before incorporating leadership from the private sector and international partners.
The public ransomware task force’s strategy is to target the cyber criminal ecosystem by:
- Disrupting ongoing attacks
- Prosecuting malicious actors
- Shutting down threat actor resource networks
Cybersecurity leaders applauded the announcement of the task force. A private sector equivalent announced in December 2020 includes Citrix, the Cyber Threat Alliance, Cybereason, the Global Cyber Alliance, McAfee, Microsoft, Palo Alto Networks, Rapid7, and more.
Private Ransomware Task Force Kicks Off
On Thursday, April 29th, the private sector’s Ransomware Task Force (RTF) published a Comprehensive Framework for Action in combating ransomware. The 81-page guide for government and industry leaders details 48 actions that can mitigate the impact of ransomware. Goals outlined include:
- Deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy
- Disrupt the ransomware business model and decrease criminal profits
- Help organizations prepare for ransomware attacks
- Respond to ransomware attacks more effectively
DOJ-Microsoft Exchange: Template for the future?
A recent example of DOJ action that could be replicated during the ransomware initiative was the FBI’s entry into the Microsoft Exchange software network. As one of the most popular enterprise-level email services, Microsoft Exchange is a consistent target for hackers. In January, an advanced persistent threat (APT) was found exploiting zero-day vulnerabilities to install malicious web shells that gave threat actors continued remote access.
Though Microsoft released guidance and patches, hundreds of malicious web shells remained on U.S.-based computers. Fast forward to early April, and the FBI received a court-authorized search warrant to take action against the known vulnerabilities. The FBI appeared to be successful in removing the web shells without harm to the victim servers. The action raises the question of whether government activism in the cybersecurity space is here to stay.
The new federal role
For the bulk of the new century, private firms have led the charge in developing the technology needed to detect, analyze, and thwart malware for enterprises and consumers. To date, the government’s presence in cybersecurity has been more of compliance enforcer than partner in protection.
As in the case of Microsoft Exchange, questions of privacy and the extent of information-sharing will arise but likely won’t interfere with cooperation that mitigates cyber crime.
Cyber Criminal Cartels
While the days of zoot suit gangsters are long gone, organized crime hidden from the eyes of regulatory and justice agencies is as serious as ever. Just as agencies have targeted specific components of cartels to affect the collective operation, the same is true for targeting cyber criminals.
From online forums to hosting services and deep web activity, rooting out the sources of criminal behavior will be a years-long endeavor. In the meantime, public and private organizations hunt for threat actor vulnerabilities that offer insight into cybercriminal players, technologies, and their supply chain.
At the intersection of international relations and cybersecurity lies a massive quandary regarding the attribution of attacks. Just as countries and political activists in decades past used covert methods to conduct business or attacks on other nations, the same is true today online. Government actors worldwide are using technology to disrupt, hurt, assist, and protect other countries or organizations.
From Russian efforts to interfere in the 2016 and 2020 elections to a multinational APT attack on the SolarWinds enterprise network, previous administrations did little to combat or penalize–let alone attribute–nation-state attacks. With new leadership, U.S. federal agencies seem to be taking a more active approach in addressing malware.
Where this gets even stickier is when cybercriminals appear connected or related to governments. Besides pointing fingers and declaring sanctions, the current cyber attack attribution system needs discussion and enumeration.
Preventing Online Sales of Malware
Zero-day threats pose a unique risk to organizations because they’re previously unknown vulnerabilities. Amid the recent craze surrounding NFTs, one of the virtual assets posted for sale and promptly removed from the OpenSea platform was a zero-day vulnerability. To the highest bidder, an opportunity to test an organization’s vulnerability awaits. The idea of a market for cyber criminals isn’t so farfetched, and the task forces will likely move to minimize or eliminate such marketplaces.
Prohibition of Ransom Payment Coming?
While not in the purview of the DOJ at this time, discussion about legislation to prevent ransomware victims from paying is gaining steam. No victim organization wants to pay malicious actors, but often it is the only option to regain stolen records. Considering this situation and his experience with companies that have paid, Carlin noted that permanently losing virtual assets can easily cost hundreds of millions in damages and be 10 to 20 times more damaging than paying the ransom.
Paying threat actors in ransomware attacks empowers cyber criminals. While research shows organizations receive their assets back at a high rate, there is no guarantee. Possibly more daunting is the reality that ransom payments give cyber criminals more significant financial resources to develop more powerful attacks and target other organizations.
Ransomware Task Force: TBD
Cybersecurity is an ever-evolving battle thanks to the innovation of both hackers and organizations, who develop the most advanced attacks and defenses imaginable in what’s been called a cybersecurity arms race.
As cyber attacks have ramped up in frequency and the asking price for ransoms has risen, the U.S. federal government has played a passive role for the last several years. Now it appears ready to play a prominent role in combating ransomware and cybercrime. With the sheer value of online assets, including those owned by or essential to the government, it is no surprise to see this increased action. The question yet to be answered is whether the federal government partnering with private industry can tip the scales in the cyber battle.