Ransomware Requires More than Piecemeal Federal Mandates

By Kelly Bissell

Kelly Bissell joined Microsoft as Corporate Vice President in 2022. Prior to this, he led Accenture’s Global Security business. With more than 25 years of security industry experience, Bissell specializes in breach incident response, identity management, privacy and data protection, secure software development, and cyber risk management. 

PRIVATE SECTOR EXPERT VIEW — Over the last eight years, the volume of successful ransomware attacks has reached pandemic levels. The U.S. Cyber Executive Order of May 2021, the most profound U.S. cyber policy directive ever issued, is a significant and much-needed step toward addressing the problem. Uniform, modernized cybersecurity standards are critical to thwarting increasingly sophisticated bad actors.

Following several summertime ransomware attacks, the administration has rightly focused its regulations and guidance on the most at-risk critical infrastructure sectors. These are the logical next steps to build on the Executive Order, but we are far closer to the beginning of this story than the end.

Through our work assisting thousands of clients and ecosystem partners with their cybersecurity programs—and supporting their recovery when breaches and other security issues arise—I see three clear efforts that must be considered if we are to help secure U.S. defenses against ransomware.

  1. Private Sector Needs a Bigger Say in Cybersecurity Regulations

During my almost 30 years in cybersecurity—even before we called it cybersecurity—I have seen the evolution of federal involvement on this topic. The first executive order I was aware of was one President Clinton issued in 1996. Since then, every president has issued one or more cybersecurity mandates. Almost all have been developed by public policy experts, politicians, or lawyers, rather than cybersecurity experts who are on the front lines keeping companies safe.

President Biden’s focus on government suppliers and information sharing is well-founded. It has rightfully kick-started a flurry of activity across the federal government to explore what actions the government can take to make us safer. Our clients understand that improving our country’s cybersecurity requires that the public and private sectors work together. After all, 85% of our nation’s critical infrastructure is owned or operated by the private sector.

But for policies to be effective for the private sector, they must be designed with a private sector voice: with a view to how they will be implemented and their “trickle-down” effect, the impact they will have on different industries, and their efficacy in the various situations that can, and do, result from a ransomware attack.

For example, the administration and lawmakers are expending considerable effort to discourage government agencies at the federal, state, and local level, as well as private sector companies, from paying ransoms. On paper the incentive makes perfect sense: if the victim cannot pay, why attack? And the more organizations pay, the more lucrative attacks become, fueling the ransomware marketplace.

On the other hand, the “pay, no pay” decision is rarely clear-cut. In healthcare, the threat of sanctions for paying can force a hospital to weigh a penalty against the lives at risk while an attack stalls patient treatment. Likewise, for a manufacturer that may be losing millions for every hour its machines are offline, with knock-on effects across the broader economy, paying in the hope of getting back online may be a defensible business decision.

The hard reality is that the anatomy of a ransomware attack does not always adhere to black and white policies.

I hope these examples demonstrate why policies cannot be created in a vacuum. Bringing government, industry ISACs, and private sector representatives together to address these shortfalls and refine mandates is both needed and attainable.

  2. Cybersecurity Vendor Market Needs Consolidation

Today there are thousands of security tools on the market, all jockeying for market share with a mishmash of varying features and capabilities. Any security leader, or the IT personnel who fill that role at many small and mid-sized companies, can easily get overwhelmed trying to make the “right” security choices, whatever their experience level. The result is often a corporate security infrastructure of 50, 80, possibly 100 different tools cobbled together, tools that too often have overlapping capabilities and sometimes fail to deliver what was promised.

I believe this complexity allows for cracks in our cybersecurity controls and threatens the U.S. Perhaps it is time to consolidate and standardize.

Consider the Enterprise Resource Planning (ERP) market. Nearly 20 years ago, companies had to buy several different systems to run their businesses: HR, payroll, accounts payable, inventory, and so on. Companies such as Oracle® and SAP® began to consolidate these systems into a suite and added other tools such as customer relationship management and business intelligence systems. The result was a smaller number of ERP vendors offering more advanced features and a baseline of standard capabilities, which today play a role in every aspect of a company’s business.

For cybersecurity efficacy, we need a similar consolidation in the market. Until then, current technologies should provide baseline prevention and detection controls that can tell when systems lack good security measures. And, much like today’s ERP systems, security tools should extend those controls across the entire enterprise, to a company’s subsidiaries and affiliates, and to CISA.

  3. Cryptocurrency and Innovation

Proposals to ban cryptocurrencies as a way to help mitigate ransomware attacks have gained some traction. Cutting off this payment channel is a “knee-jerk” answer. Cryptocurrencies have legitimate users and uses beyond ransomware payments. The goal should be to make them less useful as a ransomware tool.

Today, to spend bitcoin, or any other cryptocurrency, at any real scale, it must be converted into a national currency. That forces criminals to keep a large volume of activity, a transaction pattern of large and persistent net sellers, from being identified by law enforcement. Regulating this activity requires a realistic framework that, while challenging, the industry can adhere to.
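As an added illustration, not code from the original article or from Microsoft, the following Python sketch shows what a “large net seller” check at an exchange could look like, and why it has to score linked accounts as one counterparty rather than each account on its own. The ledger events, the 10 BTC threshold, and the account-to-cluster mapping are all constructed assumptions, not real exchange data or any regulator’s published rule.

```python
"""Flag exchange customers whose conversion of bitcoin to fiat makes them
large net sellers over a rolling window.

Added illustration only: the events, the 10 BTC threshold and the
account-to-cluster mapping are constructed, not real exchange data or any
regulator's published rule.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    day: date
    kind: str    # "sell_btc" (BTC -> fiat), "buy_btc" (fiat -> BTC), "deposit_btc"
    btc: float


# Only conversions between BTC and fiat count toward "net selling";
# on-chain deposits and withdrawals move value but do not cash it out.
SIGN = {"sell_btc": 1.0, "buy_btc": -1.0}

# Constructed sample ledger: one retail trader with balanced activity, and
# three accounts that only ever cash out, each kept under a naive
# per-account threshold (classic structuring).
D = date(2021, 6, 1)
SAMPLE = [
    Event("acct-retail", D + timedelta(days=1), "buy_btc", 2.0),
    Event("acct-retail", D + timedelta(days=10), "sell_btc", 1.0),
    Event("acct-retail", D + timedelta(days=20), "buy_btc", 1.5),
    Event("acct-retail", D + timedelta(days=25), "sell_btc", 1.0),
    Event("acct-b1", D + timedelta(days=3), "deposit_btc", 4.0),
    Event("acct-b1", D + timedelta(days=4), "sell_btc", 4.0),
    Event("acct-b2", D + timedelta(days=5), "deposit_btc", 4.0),
    Event("acct-b2", D + timedelta(days=6), "sell_btc", 4.0),
    Event("acct-b3", D + timedelta(days=8), "deposit_btc", 4.0),
    Event("acct-b3", D + timedelta(days=9), "sell_btc", 4.0),
]

# Constructed assumption: the exchange's KYC review has already linked the
# three b-accounts (shared device, shared funding address) into one cluster.
CLUSTERS = {"acct-b1": "cluster-B", "acct-b2": "cluster-B", "acct-b3": "cluster-B"}


def net_sold(events, window_days=30, clusters=None):
    """Return {entity: largest net BTC sold in any window_days window}.

    An entity is a cluster id when the account is in `clusters`, else the
    bare account id, so linked accounts are scored as one counterparty.
    """
    clusters = clusters or {}
    by_entity = defaultdict(list)
    for ev in events:
        if ev.kind in SIGN:
            by_entity[clusters.get(ev.account, ev.account)].append(ev)

    result = {}
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e.day)
        best = float("-inf")
        # Anchor a window at each event; a rolling window catches bursts
        # that a calendar-month total would split across two months.
        for i, start in enumerate(evs):
            end = start.day + timedelta(days=window_days)
            total = sum(SIGN[e.kind] * e.btc for e in evs[i:] if e.day < end)
            best = max(best, total)
        result[entity] = best
    return result


def flag_net_sellers(events, threshold_btc, window_days=30, clusters=None):
    """Entities whose peak net selling meets the threshold, sorted by name."""
    totals = net_sold(events, window_days, clusters)
    return sorted(e for e, v in totals.items() if v >= threshold_btc)


if __name__ == "__main__":
    # Per-account scoring misses the structured cash-out; cluster scoring
    # does not.
    print("per account:", flag_net_sellers(SAMPLE, threshold_btc=10.0))
    print("per cluster:", flag_net_sellers(SAMPLE, threshold_btc=10.0, clusters=CLUSTERS))
```

Run on the constructed ledger, the per-account check flags nothing, because each of the three cash-out accounts stays under 10 BTC, while the cluster check flags cluster-B at 12 BTC. The point for a regulatory framework is that the threshold itself is the easy part; the work, and the legal basis, lies in linking accounts and on-chain addresses to a single real-world counterparty so that splitting activity across accounts does not defeat the pattern.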

In addition, I believe stopping cryptocurrency is not the answer, but material investment in innovation at law enforcement and the key exchanges could swing the balance away from bad actors.

You cannot stop innovation, but we can drive “secure by design” principles. Quantum computing research is already aimed at breaking the encryption in use today. More immediately, we could operate nodes and collect as much data as possible, including network traffic, to triangulate the identity and purpose of transactions. We are already making strides, as demonstrated by U.S. law enforcement locating and seizing over half of the $4.4 million Colonial Pipeline ransomware payment. We can do this!

Final Thoughts on What Could Be Possible

Ultimately, what I propose is a baseline solution whereby the U.S. government and private companies work more closely on a shared platform for real-time information sharing, one that is tightly integrated, early on, with potential future cybersecurity regulations and with how they will be implemented.

I believe that if the cybersecurity vendor market were to consolidate, the cost and complexity of putting controls in place could be greatly reduced, which would benefit companies of all sizes. I also believe regulatory guardrails that identify transaction patterns of bad actors; updated tax laws; and investments in more innovative capabilities could stop attackers’ use of cryptocurrency.

Could these changes make our country safer? I believe they could. Would they solve the “pay, no pay” complexities of ransomware attacks? No, but they could help reduce the likelihood of companies falling victim to ransomware. As the old adage goes: begin with the end in mind.

Find out why industry leaders like Kelly Bissell and Kevin Mandia are partnering with leaders from government like former NSA Director General Keith Alexander (Ret.), and former PDDNI Susan Gordon to join The Cyber Initiatives Group, powered by The Cipher Brief
