Amid ransomware attacks, federal agencies say maintaining global partnerships is crucial to effectively protecting networks and data long term.
For the Department of Justice, this means emphasizing enforcement as a first goal. The agency wants to approach ransomware with the same sense of urgency as other national security threats, noted Adam Hickey, Deputy Assistant Attorney General of DOJ’s National Security Division.
“Our primary objective should be to prevent, disrupt or mitigate. That’s true generally for crimes when it comes to terrorism, espionage, or critical attacks on our infrastructure,” Hickey said at the Billington Cybersecurity Summit last week.
DOJ’s investigations also should support more than criminal charges, so the agency can use the information to disrupt malicious activity, Hickey added. And as a law enforcement agency, DOJ should collaborate across government and industry to create a unified approach to ransomware.
“We are really focused on working with all of our partners, and those include [National Security Agency], [U.S. Cyber Command], CISA, Department of Treasury, to take a whole-of-government approach to run joint sequenced operations to impose maximum risk and consequences on our cyber adversaries. We’re getting better at that and maturing within our agency in real time,” said FBI Cyber Division Assistant Director Bryan Vorndran at the event.
At CISA, Executive Assistant Director for Cybersecurity Eric Goldstein said his agency is focused on helping organizations reduce the impact and prevalence of ransomware intrusions. The agency does this by educating organizations on best practices and mitigating functional impacts of intrusions to reduce disruptions.
“We are diminishing the impact of these intrusions even as we also work to diminish their prevalence. Part of that, when an intrusion occurs, is working with the victims in concert with the FBI both to help the victim and also to learn everything we can about how the attack occurred that we can share rapidly to protect others,” Goldstein said at the event.
Agencies are also relying on international partners to drive a global approach to cyber defense, Vorndran said. That includes partnering not only with foreign allies but also with the private sector.
“From an FBI perspective, this reinforces the value of our legal attaché program,” Vorndran said. “We have offices and personnel in 70 countries throughout this world ... [The program] allows us to work seamlessly with them ... to bring the whole-world picture back together.”
Hickey added that adversaries cannot effectively use ransomware if they do not have access to the global infrastructure, which makes international partnerships critical.
Malicious tools are also evolving. Ransomware-as-a-service, for example, is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute attacks. With these types of models, bad actors and adversaries do not have to be well versed in ransomware to use the tools in attacks.
“This is one of the reasons why we have seen a spike in prevalence in recent months, and it means that the barriers for entry for cybercriminals are getting lower,” Goldstein said. “It reiterates the point that all organizations here are certainly at risk and need to take steps in their own defense.”
Agencies are also trying to combat what Goldstein calls the “reporting gap.” Vorndran said that the government receives reports on only approximately 25% of total cyber breaches, which limits understanding and response. DOJ and other federal agencies have been very forward-leaning advocates for mandatory breach notification legislation, which would give them more information on the types, frequencies and effects of cyber intrusions.
“The more we know, the better positioned we are going to be as a U.S. government to inform that defense, to inform resiliency and to hold other actors accountable or to impose costs on them. Without seeing the totality of the data, we’re in a very, very weakened position,” Vorndran said.