Ransomware attacks are an “urgent” and “dramatically increasing” national security issue that requires a “whole-of-government” approach, to include robust international cooperation.
“One thing is clear: Ransomware is a national security threat,” DHS Secretary Alejandro Mayorkas said today in prepared remarks. He pledged that his department will implement many of the recommendations contained in a major report released today.
“Ransomware has risen to be a national security threat,” Philip Reiner, CEO of the Institute for Security and Technology, said today during a virtual event. IST spearheaded and coordinated the Ransomware Task Force (RTF) and its report, Combating Ransomware: A Comprehensive Framework for Action. It includes the work of people from 60 organizations across the public and private sectors and took four months to produce. Reiner pointed to the “need for a greater level of intentional focus” on ransomware.
“Ransomware has crossed a very dangerous threshold,” said John Davis, a retired US Army general, RTF co-chair, and VP at Palo Alto Networks.
As part of the RTF’s proposed whole-of-government effort, the report recommends establishing several new entities, including:
- An Interagency Working Group led by the National Security Council in coordination with the National Cyber Director;
- An internal U.S. Government Joint Ransomware Task Force; and
- A collaborative, private industry-led informal Ransomware Threat Focus Hub.
Raising ransomware to the level of the NSC and the newly created NCD signifies a major elevation in priority.
One reason for this recommendation: Reiner noted that threat actors have figured out how to exploit US bureaucratic gaps and inefficiencies to circumvent mitigation and responses. Mitigation is further complicated because many of these threat actors operate in international safe havens, countries in which they are neither pursued nor punished for such crimes.
The report details how these new entities would work independently and in coordination with each other, as well as with international partners. For instance, the proposed Joint Ransomware Task Force alone would consist of representatives from CISA, FBI, Secret Service, the Intelligence Community, Cyber Command, the Office of the National Cyber Director, the Departments of Treasury, Justice, and State, and other departments and agencies as appropriate.
Today’s report is unique in that it emphasizes the national security threats and risks of ransomware — from critical infrastructure and public health to the loss of data and privacy. Ransomware has traditionally been viewed as a cybercrime carried out primarily for profit motive, and while that’s still largely true, the evolution of these cyberattacks — specifically, the types of targets — is changing expert perceptions.
Ransomware entails threat actors encrypting victims’ data and then demanding a ransom to decrypt it. When executed properly, the encryption is mathematically impossible to crack. Without the proper safeguards in place in advance, such as comprehensive data backups, these attacks force victims into what Mayorkas called an “impossible choice”: pay criminals the ransom for the decryption key or face organizationally crippling consequences.
Just how urgent, prevalent, and dangerous is the threat? The report notes that 2,400 US-based public-sector entities — from governments to hospitals and schools — were affected in 2020, with payments totaling $350 million, a 311 percent increase from 2019. In some cases, ransomware attacks on hospitals are alleged to have caused or contributed to patient deaths.
The report proposes a framework to achieve four goals:
- Deter ransomware attacks;
- Disrupt the ransomware business model;
- Help organizations prepare; and
- Respond to ransomware attacks more effectively.
The report provides 48 recommendations, perhaps the most comprehensive attempt to address this type of cyberattack to date. Five are highlighted as “priority”:
- Develop coordinated, international diplomatic and law enforcement efforts.
- Execute a sustained, aggressive, whole-of-government, intelligence-driven anti-ransomware campaign, which the US should lead.
- Establish Cyber Response and Recovery Funds, mandate ransomware reporting, and require organizations to consider alternatives to paying.
- Develop a framework to help organizations prepare for and respond to ransomware attacks.
- Regulate cryptocurrencies, which are often how cybercriminals receive ransom payments anonymously.
The recommendation to mandate ransomware reporting aligns with Senate Select Intelligence Committee Chair Mark Warner’s suggestion this week that voluntary reporting of cyber incidents, broadly, is no longer effective. Warner is working on new legislation that could mandate cyber incident reporting.
The RTF’s report comes after the DoJ announced just last week that it is also launching a task force to tackle ransomware, and after Mayorkas said in March that DHS is performing a series of 60-day sprints, each focused on a pressing homeland security issue. The first DHS sprint is looking at ransomware.