Teri Robinson | Securityboulevard.com
The White House put the private sector on notice Thursday, June 3, 2021, demanding that organizations bolster security to meet increasingly aggressive and disruptive cybersecurity threats and urged them to “immediately convene their leadership teams” to “review corporate security posture and business continuity plans.”
“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” Anne Neuberger, deputy national security advisor for cyber and emerging technology in the Biden administration, wrote in an open letter to corporate executives and business leaders. “We urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.”
The letter, which encouraged enterprises to follow recommendations detailed in an executive order signed by President Biden in May, comes after a rash of troubling ransomware attacks, one that led to the shutdown of a major U.S. gas pipeline and another that shuttered five meatpacking plants around the country.
“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively,” Neuberger wrote, noting “the federal government stands ready to help you implement these best practices.”
Much of the private sector already does give ransomware the serious consideration it deserves, Vectra President and CEO Hitesh Sheth explained. But, still, “it’s good to see the White House underscore the urgency of the ransomware threat” that has plagued cyberspace for nearly two decades, he said. “The difference in 2021 is the more ambitious choice of targets: critical food and fuel supply lines and transport systems,” said Sheth. “When our enemies set their sights higher, so must we.”
That’s exactly what the White House seems determined to do: make cybersecurity a priority through a number of actions, including Biden’s EO, Neuberger’s charge to the private sector and, hours later, a Justice Department announcement that it would give ransomware cases similar priority to terrorism cases. While Illia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, praised the Justice Department’s decision as “timely,” he added that “merely prosecuting the criminals with more force” will not address the central problem that “most of the ransomware victims of all sizes neglected even the basics of data protection,” which made them easy targets.
Even with government support, the ransomware problem isn’t one that will be “fixed” overnight. “If this was an easy problem to solve, business leaders would have already solved it,” said John Bambenek, threat intelligence advisor at Netenrich. “More than any other threat, non-technical executives are familiar with ransomware by name and are already looking for solutions … a letter from a White House official isn’t going to change the game in the slightest.”
Bambenek said the government can help by “pressuring governments that harbor and turn a blind eye to ransomware, and to find ways to extract consequences from those who engage in such activity,” something the Biden administration is already starting to do. The president is planning to press Russian president Vladimir Putin on the topic at an upcoming meeting. “Government needs to focus on their pieces of the solution and the things only they can do,” Bambenek said.
In addition to cybercriminals being closely tied to Russia and other countries’ governments, the ransomware conundrum is further complicated because virtually anyone can plan and execute these attacks. “There has been a trickle-down effect where advanced malware campaigns are available off-the-shelf to even relatively inexperienced attackers,” said Jim Dolce, CEO at Lookout. “This has primarily taken shape as malware-as-a-service, which provides pre-built and easily customizable malware at a relatively low cost. This includes advanced phishing kits that can be purchased for as little as $5.”
The Neuberger memo puts the emphasis on ensuring basic security fundamentals like MFA, backups and EDR, said Setu Kulkarni, vice president, strategy at WhiteHat Security, but falls short, as did the Executive Order, by not creating “an environment of incentives and disincentives for organizations to double down on these security fundamentals.”
One of the memo’s asks, the call for a skilled security team, illuminates “where the gap is the largest between aspiration and reality,” said Kulkarni. “There are just not enough security personnel in the world to staff security teams in organizations today,” he said. “What is needed is a combinatorial approach: accelerated and scaled-up security training in the country for security professionals plus training the general population about avoiding risky online behavior.”
Chris Grove, technology evangelist at Nozomi Networks, said that to minimize the damage from attacks, “companies should move to a post-breach mindset” that assumes an eventual breach “and prepares for that situation before it happens.” That mindset will build a “strong cybersecurity culture,” he said.
Likewise, a “proactive approach,” missing from the White House recommendations, “can reduce the attack surface and detect ransomware attacks in real-time, not just prepare for quickly resuming operations after a ransomware attack,” said Saryu Nayyar, CEO at Gurucul.
Security leaders should use the White House push “to move their security agenda forward,” said Rick Holland, CISO and vice president at Digital Shadows. “The extortion threat is a clear and present danger, and despite internal efforts, often, it takes external guidance to help justify budget and resources.”