In response to the concerning amount of ransomware bombarding national critical infrastructure and federal agencies, the Cybersecurity and Infrastructure Security Agency (CISA) announced a host of solutions in an effort to tackle these threats head on.
CISA's new Vulnerability Disclosure Policy (VDP) Platform enables federal civilian agencies to report cyber breaches and vulnerabilities. The agency also launched a new website, StopRansomware.gov, to provide educational resources and practical advice for handling ransomware threats. Plus, a new Joint Cyber Planning Office aims to coordinate cybersecurity operations across the federal government.
The new VDP platform, which will also help federal civilian agencies “gain greater insights into potential vulnerabilities,” comes as federal cyber leaders claim ransomware is costing the U.S. economy hundreds of millions of dollars.
According to a new MeriTalk survey of 300 cyber leaders across federal, state and local government, 75% say their high-value assets have been breached in the past year, 50% believe a “Cyber 9/11” will occur within the next 10 years, and 83% operate on an “assume breach” cybersecurity model.
Despite the bleak outlook, 93% said they believe they can create “zero vulnerability” platforms, and 89% believe “prioritizing platform security is a key step toward breach prevention.” Ninety-one percent of respondents want to shift from an “assume breach” cybersecurity model to a more proactive, prevention-focused stance.
CISA’s new VDP platform could help federal civilian agencies keep abreast of cyber trends and common vulnerabilities in their IT infrastructure and also encourage agencies to adopt a more aggressive and dynamic attitude toward cybersecurity.
Federal cyber leaders also see ransomware as one of the biggest national security threats facing the U.S. The FBI's cyber division, for example, tracks more than 100 ransomware gang variants across the dark web.
“We have an interagency algorithm that prioritizes 1-101 the level of impact each variant has had on the U.S. economy,” said FBI's Cyber Division Assistant Director Bryan Vorndran during a Senate Judiciary Committee hearing on ransomware last week. “The largest one — their revenue from attacks exceeds $200 million. We see affiliates using the ransomware variants that are going to be most effective at compromising potentially vulnerable infrastructure.”
CISA Assistant Executive Director for Cybersecurity Eric Goldstein said information-sharing, cross-agency collaboration and cyber workforce development are vital components to the bulwark against ransomware.
“The [Joint Cyber Planning Office] will develop a comprehensive ransomware campaign plan that will unify efforts, synchronize activities, and identify strategic objectives to increase resilience and reduce the likelihood of a ransomware attack,” he said in his prepared testimony.
CISA also wants to foster the next generation of cyber defenders as early as kindergarten.
“First, how do we build cybersecurity and STEM education into our K-12 students today? At CISA, we have a grant program where we provide cybersecurity curriculum and training to K-12 teachers across the country, [but] we need to scale and do more,” Goldstein said during the hearing. “Second, how do we resource those leaving secondary education, trade schools, four-year universities, to make sure they have the programs turning out graduates able to take jobs at the Secret Service, CISA or the FBI?”
The Department of Justice and FBI see cryptocurrency as a ransomware facilitator but pushed back on senators’ desire to ban ransom payments.
“Cryptocurrency has unfortunately fueled this rise of crime,” said DOJ Deputy Assistant Attorney General for the Criminal Division Richard Downing. “It has two key aspects to it: often anonymous, and once it's passed, it's very difficult to claw back.”
But banning ransom payments would make it harder for officials to catch instigators, said Secret Service Assistant Director for the Office of Investigations Jeremy Sheridan. Law enforcement uses blockchain to trace cryptocurrency and ransom payments, so banning ransom payments would complicate efforts to find and catch cyber criminals.
“It would be our opinion if we banned ransom payments, you're putting U.S. companies in a position of facing another extortion, which is being blackmailed for not paying the ransom and sharing the information with authorities,” Vorndran added.
Like CISA, the FBI wants more information-sharing around cyber incidents. Vorndran called for mandatory incident reporting in his prepared testimony.
“Because far too many ransomware incidents go unreported, and because silence benefits ransomware actors the most, we wholeheartedly believe a federal standard is needed to mandate the reporting of certain cyber incidents, including most ransomware incidents,” Vorndran said. “The scope and severity of this threat has reached the point where we can no longer rely on voluntary reports alone to learn about incidents. We support a nationwide standard that establishes which ransomware incidents must be disclosed, when and to whom they must be reported, and what those reports must include.”