Early Warning to Businesses - Act Now on Ransomware Defenses
Early Warning to Businesses - White House Warns Companies to Act Now on Ransomware Defenses
By David E. Sanger and Nicole Perlroth
The White House warned American businesses on Thursday, June 3, 2021, to take urgent security measures to protect against ransomware attacks, as hackers shift their tactics from stealing data to disrupting critical infrastructure.
The bluntly worded open letter followed a string of escalating ransomware attacks that stopped gasoline and jet fuel from flowing up the East Coast and closed off beef and pork production from one of the country’s leading food suppliers.
Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, wrote that the Biden administration was working with partners “to disrupt and deter” attacks that deployed ransomware, a form of malware that encrypts data until the victim pays.
But she urged companies to adopt many of the same defensive steps that it has recently required of federal agencies and companies that do business with the government.
The message amounted to a rush effort to construct the kind of defensive infrastructure for cyberattacks on the United States that has been broadly discussed for years — but that companies have been slow to adapt, because either the threat seemed distant or the cost far too high.
The recent attacks have propelled ransomware to the top of President Biden’s national security agenda. It is expected to be part of his discussions next week in Europe, during meetings with allies, and in his summit with President Vladimir V. Putin of Russia. The administration accuses Russia of both launching cyberattacks against the United States and harboring ransomware hackers.
Ms. Neuberger noted “a recent shift in ransomware attacks — from stealing data to disrupting operations.” She urged firms to make sure that their “corporate business functions and manufacturing/production operations are separated,” so that an attack on business records, such as emails or billing operations, does not cut off critical production and supply lines.
The past month has shown that companies often do not understand the linkages between those two in their own systems — even if they previously insisted the functions were already separated.
When Colonial Pipeline was hit with a ransomware attack last month, the attackers — a criminal group, DarkSide, with substantial operations in Russia — froze the business records side of the business, not the operational controls over the pipeline.
But Colonial, a privately held firm that supplies nearly half of the gas, jet fuel and diesel to the East Coast, took the added step of shutting the pipeline down because it could not get access to its billing systems or monitor the flow of petroleum to specific locations. And with billing systems out of reach, the company had no way to charge customers for deliveries.
The effects were immediate: Lines appeared at gasoline stations because of panic buying, airlines ran short of jet fuel and had to make stops on what were advertised as nonstop flights, and prices surged. Colonial failed to communicate effectively with government officials, and ultimately paid a $4.4 million ransom — against the usual advice of the F.B.I.
Ms. Neuberger’s letter noted that the Biden administration was working to develop “cohesive and consistent policies toward ransom payments” and to enable “rapid tracing and interdiction of virtual currency proceeds.”
Yet Ms. Neuberger, who held several key posts at the National Security Agency, noted that although the White House was working to bring ransomware attacks to heel, government could do only so much.
“Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware seriously and ensure your corporate cyberdefenses match the threat,” Ms. Neuberger wrote.
It was a telling analogy — because it was one U.S. officials have used for a decade. Yet for years, American businesses — which operate and maintain 85% of the nation’s critical infrastructure — have pushed back on regulations that would have mandated minimum levels of cybersecurity.
A 2012 cybersecurity bill that would have required stricter cybersecurity standards for businesses that operate critical sectors, like pipelines, dams and power plants, was ultimately watered down after the U.S. Chamber of Commerce, the nation’s largest business lobby, argued that the regulations would be too burdensome and expensive for American companies.
Last week, Mr. Biden acted through executive order in an effort to force some of those changes on the pipeline industry, using the Transportation Safety Administration’s oversight powers on the pipeline industry.
In the absence of comprehensive government mandates, however, cybersecurity practices have been voluntary. The result is that many businesses and other organizations have been, in effect, left to fend for themselves. And the latest ransomware attacks have exposed the extent to which American cities, town governments, police departments and even one of the ferry services between Cape Cod, Martha’s Vineyard and Nantucket have failed to erect sufficient defenses.
The latest attack on one of the world’s largest suppliers of beef, JBS, for example, was pulled off by a Russian group known as REvil, which has had great success breaking into companies using very simple means. The group typically gains access into large corporations through a combination of email phishing, in which it sends an employee an email that fools him or her into entering a password or clicking on a malicious link, and exploiting a company’s slowness to patch software.
REvil’s cybercriminals will often search for and exploit vulnerable computer servers or break in through a well-known flaw in Pulse Secure security devices, called a VPN, or virtual private network, that companies use in an effort to protect their data. The flaw was detected and patched two years ago, and flagged by American officials again last year after a series of cyberattacks by Chinese hackers. But many companies have still failed to patch it.
Yet a year later, many companies have still neglected to run the patch, essentially leaving an open window into their systems.
In the White House memo, titled “What We Urge You to Do Now,” Ms. Neuberger asked businesses to focus on the basics. One step is multifactor authentication, a process that forces employees to enter a second, one-time password from their phone, or a security token, when they log in from an unrecognized device.
It encouraged them to regularly back up data, and segregate those backup systems from the rest of their networks so that cybercriminals cannot easily find them. It urged companies to hire firms to conduct “penetration testing,” essentially dry runs in which an attack on a company’s systems is simulated, to find vulnerabilities. And Ms. Neuberger asked them to think ahead about how they would react should their networks be held hostage with ransomware.
Recorded Future, a security firm that tracks ransomware attacks, estimated that there were 65,000 successful ransomware attacks last year, or one every eight minutes. But as businesses automate their core operations, the risk of more consequential ransomware attacks only grows.
On Thursday, just as the White House was releasing its memo, new ransomware attacks surfaced, this time on Cox Media Group, which owns 57 radio and television stations across 20 American markets. Late Wednesday, the government of Mobile County, Ala., said its systems had been held hostage with ransomware.
“Ransomware attacks are only going to get worse and more pervasive into people’s lives, and they’re not disappearing anytime soon,” said Allan Liska, an intelligence analyst at Recorded Future. “There’s a line of cybercriminals waiting to conduct these ransomware attacks. Anytime one goes down, you just see another group pop up.”
www.nytimes.com/2021/06/03/us/politics/ransomware-cybersecurity-infrastructure.html
Image credit: claytodayonline.com, Ivanti, PECB