It is an open secret that cyberwars have been going on for quite some time. To most of us, it is an unseen war – carried out by nations and nation-state actors against other countries. Consequently, the “civilian” populations of the nations at war were – for the most part – unaffected.
No more.
Criminal enterprises supported by nations have greatly increased cyberwar attacks on commercial companies and other non-governmental organizations. The SolarWinds hack, the Colonial Pipeline and JBS ransomware attacks, and others are just the beginning.
In reaction to President Biden’s warning to President Putin, Russian cybercriminals launched multiple attacks on multiple companies – over Independence Day weekend – and demanded $70 million in ransom. The US and other governments formally accused the Chinese government of being behind the Microsoft Exchange hack. And if you believe the Russians – or the Chinese, Iranians, North Koreans, or others – will be cowed by a cyber “red line,” you have not been paying attention.
But others have. While the US government and defense apparatus are issuing “strong condemnations,” the private sector is starting to realize that the cavalry will not be coming to save them. They are responding. This is not to say that the US and international governments do not play a major role, but responding effectively to cybercrime requires a level of speed, agility, and focus unknown in the workings of government.
In this multipart series, we will begin to look at the current landscape of action against cyber criminals and what the future holds.
- In Part 1, below, we will discuss the recent, dramatic changes in cyber insurance and how the private sector is collectively reacting to ransomware.
- In Part 2, we will discuss the ways – constructive and not – state and federal governments are starting to address the tricky political and commercial problem of nation- and state-sponsored companies attacking private enterprise.
- In Part 3, we will address the current best practices approach to prevent and react to ransomware attacks.
- In Part 4, we will offer our own suggestions and predictions as to what the future holds.
The title of this blog is meant to convey optimism. It is reported that Japanese Admiral Yamamoto, who planned the attack on Pearl Harbor, wrote in his diary afterward, “I fear all we have done is to awaken a sleeping giant and fill him with a terrible resolve.” While I am not sure we are fully awake, we are stirring from our slumber and are quite displeased.
Ransomware: The B2B model of Cyberwarfare
Ransomware is not new malware; it is a new twist to an old story. Ransomware is simply a more efficient way to monetize a certain type of malware attack. The best analogy to think about is kidnapping – a ransomware attack “kidnaps” your data and systems by using malware to encrypt your data, denying you the ability to carry out normal business operations. The criminals want you to pay the ransom to free the data and unlock access. In a “clean” ransomware attack, the data is not exfiltrated – that is, removed from the premises – only encrypted. Unfortunately, we are seeing more ransomware attacks that involve stealing data as well.
Keep in mind that there are multiple business models in cybercrime. When credit card or other personal information is stolen, this data is sold for a few dollars on the dark web. These purchasers will then use this information to make personal purchases or engage in other financial transactions. These actions may cause a tremendous amount of personal trouble, but they usually involve smaller dollar amounts spread over many victims. This data theft is the B2C model of cybercrime.
Ransomware represents the B2B model. The data itself often is of little value, but the business interruption is costly. The longer the business is interrupted, the more likely the ransomware payment will be made, and the more likely the amount paid will be higher.
Ransomware As a Cyberwar Strategy: Do Not Expect Justice
The first thing to clarify is that there is currently no consistently effective mechanism to bring cybercriminals to justice.
Read that sentence again. Unfortunately, it is true. Since foreign hackers are encouraged by their governments to attack US targets, their actions are not considered criminal by the supporting nation. And frankly, without a motivated host government, extraditing the hackers for prosecution is very unlikely. And while a Hollywood approach – Jason Bourne or Ethan Hunt sneaking in to mete justice to the criminals – is nice to think about, no US administration to date has exhibited the intestinal fortitude to engage in such an effort.
(As a side note: the US does have at least two methods to engage private actors. The US Constitution explicitly provides for “Letters of Marque and Reprisal,” which allow private vessels (“privateers”) to engage and capture enemy ships at sea. Historically, this practice has been limited to maritime activities and, to date, the US has followed the Paris Declaration Respecting Maritime Law of 1856, which outlawed the practice. In addition, bounty hunting is a recognized professional activity. In modern times, bounty hunters have been associated with bail bond agents; there is no reason that bounty hunters could not be used to bring wanted cybercriminals to justice and receive a reward.)
Further, to be blunt, to people in the know, the cyberwars are a front in a cold war among the belligerents. Much like the proxy wars or other asymmetrical warfare of the last 70 years, the offending nations cannot hope to beat the United States in a straight-up hot war. So they have taken asymmetric warfare to the next level – civilians against civilians. I use the term “war” not to alarm people but to awaken them to how the perpetrators see this effort. It does us no good to deny reality.
Enabling a Coordinated Ransomware Defense
With James Bond otherwise occupied, the first step in foiling the cybercriminals is an effective, coordinated defense. The Institute for Security and Technology recently issued recommendations from a Ransomware Task Force focused on four areas:
- Effective national and international government response,
- Disruption of the hacker business model,
- Organizational preparedness, and
- Effective response in the event of a ransomware attack.
These all make sense, but practically, it is the third item – organizational preparedness – that we can most directly influence. Currently, cybersecurity readiness is a bit of a hodgepodge of approaches and standards. In the US, the National Institute of Standards and Technology (NIST) has at least two standards – the Cybersecurity Framework (CSF) and Special Publication 800-171 – depending on the type of information you possess or the type of organization.
Further, the Department of Defense is now introducing the Cybersecurity Maturity Model Certification (CMMC), based on NIST 800-171, for DoD contractors. International organizations are often certified under International Organization for Standardization (ISO) 27001. Add in the Defense Federal Acquisition Regulation Supplement (DFARS), System and Organization Controls (SOC) 2, and various regulatory standards applying to financial information or data privacy, and you have quite the assembly of closely related, but not quite identical, frameworks and standards. The net result is plenty of cost and confusion.
It is costly and painful but manageable for large organizations with the staff and internal expertise to comply with these standards. For SMBs and middle market companies, the circumstances are very different. With hackers on one side and an array of consultants and vendors on the other – each trying to separate the company from its money in their own way – it is easy to understand the difficulty companies have in balancing the risk of a breach against the cost of compliance. What companies are looking for is clarity – clarity about what needs to be done (including tasks as detailed as mitigating the cyber insecurity created by their vendors) and clarity about costs.
A few state governments are moving toward clarifying both sides of this problem. Ohio, Utah, and Connecticut have passed legislation to provide breach litigation safe harbor protection. These laws incentivize businesses to protect data and personal information by adopting industry-recognized cybersecurity frameworks. While not protecting companies against ransomware, the legislation does provide protection for tort claims by directing that the “Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry-recognized cybersecurity framework.” (Connecticut Public Act No. 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Business.)
It is no surprise that one of the groups seeking some clarity on the ransomware issue is the one with the most considerable potential monetary loss – insurers. Recently, several large insurers, such as AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance, and Travelers, formed CyberAcuView. One of CyberAcuView’s stated goals is to “provid[e] industry best-practices to improve resilience to cyber risk.”
And while CyberAcuView is clearly focused on coordinating with governments and agencies, “improving cyber resilience” enhances the ability of the insurance industry and its policyholders to address cybersecurity posture to prevent attacks. The insurance industry is in a difficult position. Cyber insurance creates a textbook case of moral hazard – especially since prevention seems both expensive and esoteric. Further, it is not clear if paying ransom to hackers is legal. It is certainly discouraged.
In part two of our series, we will discuss the ways state and federal governments are starting to address the current cyberwar situation and how government entities could deal more effectively with the current situation. While there has been a traditional separation of public and private enterprise in the US, the enemy gets a vote. So, the guerilla tactics employed by cybercriminals require a new approach.
Stay tuned.
Looking to enhance your information security program and wondering which resources you need and whether (or not) you need a full-time CISO? Start with our blog post: To CISO or Not to CISO.
EXTEND Resources helps organizations like yours secure their assets, create a robust security program, become certified for information security compliance, and continually improve their program to protect against evolving threats — including law firm and vendor risk. Contact us to learn more.
Steve Henn
shenn@extendresources.com
203.803.2127