Sunday, 6 June 2021

Taking Responsibility A Key Step to Minimizing Ransomware Successes

If You Don't Answer Your Phone, 
Calls are not "Overdue", They're Ignored

Saturday's FT "Big Read", "The cyber threat to America's beef", discussed expert reaction to the ransomware attack on JBS.

I'm going to use quotes from that article to outline two acceptances of responsibility that are necessary, but not necessarily sufficient, to fix the problem.

Step 1: Corporate acceptance of responsibility (a) for its past failures and (b) to fix the problem.

The first quote.

Beyond the political posturing, analysts and cyber security experts say companies, government and other entities must treat the hack as an overdue wake-up call to not only develop adequate defences but also to develop a unified approach to dealing with the soaring number of attacks.

Sorry, this is neither "overdue" nor a "wake-up call".

Let’s call it precisely what it is.

It is a failure to heed numerous warnings given over many years.

Until corporate managements admit that fact and take responsibility for fixing it, there will be no solution to the problem.

CISA (the Cybersecurity and Infrastructure Security Agency) was founded in November 2018 (about two and a half years ago). It published an alert on a ransomware attack on a pipeline operator in February 2020 (let's call that one year ago).

CISA's predecessor, the National Protection and Programs Directorate (NPPD), was set up under the DHS umbrella in 2007 with the mission of protecting the USA's critical physical and cyber infrastructure. (That would be fourteen years ago.)

If you look at the CISA website, you will find a list of resources, including alerts, tips, training and webinars.

Notice that the first “alert” dates from 2009. (That would be twelve years ago).

And then there is the FBI's IC3 (Internet Crime Complaint Center), which has antecedents back to 2000 and has issued warnings on ransomware for many years. Here's one example from 2019.

Or maybe this memo from the DOJ in 2015.

Overdue?

The only thing “overdue” is the response to the warnings.

CISA also offers a free checkup service (no "death panels" as far as I know) for governmental entities and private companies that operate critical infrastructure. It covers:

  1. Weekly vulnerability scanning of internet-facing systems

  2. Web application scanning

  3. Phishing campaign assessment

  4. Remote penetration testing

It would be interesting to know how many private sector firms operating critical infrastructure have availed themselves of this service. And if not, why not?

Beyond the US government's efforts to sound the alarm, the media has reported on the risks of hacking and ransomware for some time.

NYT Feb 2020, NYT 2017.

Or Fox News 2018 (Port of San Diego) and Fox News 2018 (City of Atlanta incident; note that this one, too, was described as a wake-up call).

I'm not a computer or cyber security expert, but even I knew of the risks to national security from hacking before SolarWinds and JBS, or from reliance on foreign-manufactured components in computers, telecommunication systems, etc.

That's not to brag; any moderately sentient person who reads the news should be able to figure this out, even one like me who focuses primarily on matters financial.

Captains of industry might well be expected to have even greater sources of information as well as staff who might fill in any gaps in their attention spans.

Additionally, there are the firms that make a living in this field, and they have weighed in on the risks. Here's a link to one. They date the first ransomware attack to 1989. (That would be thirty-two years ago.)

Another quote from the FT article.

The alleged perpetrators of the JBS attack have long been known to cyber security experts. Since February alone, the Russia-linked REvil group has been connected to almost 100 targeted ransomware attacks, according to cyber security specialists ZeroFOX.

Step 2: Government acceptance of responsibility to impose rigorous standards on entities critical to national security and enforce penalties on them for failure.

The second quote.

"Once again the notion that ransomware is a national security threat is ringing true. We need a fundamentally different approach to security,” says Sanjay Aurora, Asia-Pacific managing director for UK AI company Darktrace.

Indeed a new approach is needed.

That fundamentally different approach to security would involve abandoning naive beliefs about market efficiency. The market hasn’t solved this problem and isn’t going to.

The simple reason?

Corporations don’t want to spend the money directly or indirectly (the time).

Governments need to impose comprehensive and rigorous security requirements with substantial monetary penalties for failures to implement them.

The legislation passed and the regulations issued on business continuity and disaster recovery planning can provide a precedent.

The cybersecurity laws should allow in extremis the replacement of management and the cancellation of licenses/permits to conduct critical infrastructure business.

Note the dual approach: it achieves the goal by threatening the single most important priority of each of the two key parties:

  • management’s retention of its sinecures and

  • the value of shareholders’ investments.

That doesn’t mean if a company critical to national security were successfully hacked that it would necessarily be fined, its management removed, or the business turned over to another party.

What it should mean is that if a company hadn't taken reasonable precautions, say to protect the systems that operate its pipeline, then the hammer would come down in line with the severity of its failures.
