With ransomware attacks multiplying, US moves to bolster defenses
| WASHINGTON
Holidays are not time off for hackers. Over the July 4th weekend, a sophisticated cyberattack on a software supplier sent multiple ransomware notices to companies across the world.
Prior to Memorial Day, it was the meat supply that hackers put in jeopardy. In response to that attack, the company JBS Foods USA paid an $11 million ransom — but now, what appears to be the same cybercriminal group has broadened its scope and upped the ante, initially demanding $70 million to restore services after a hack of the Miami-based software company Kaseya and roughly 60 of its customers.
Kaseya supplies software to managed service providers, which then operate smaller organizations’ information technology systems, ranging from dentists to grocers. Hundreds of stores of the Swedish grocer Coop closed over the weekend when their cash registers became inoperable. The managed service provider for the grocery chain is a Kaseya customer, and with the malware attacking Kaseya at the source, that left Coop and some 1,500 other businesses around the world scrambling over the weekend to get back online.
Why We Wrote This
The latest hack comes as the government steps up its digital defense, with a new national cyber director. Officials are taking aim at cybercriminals, as well as businesses with lax cybersecurity.
The hack comes during what one cyber expert calls a “period of adjustment” for the federal government. After struggling to keep pace with cyberthreats, the government has moved to place leadership on the issue with a single official who has enhanced authorities. It's a step toward greater coordination, oversight, and accountability on large and fast-evolving risks.
Last month, senators approved Chris Inglis, a former deputy director of the National Security Agency, as the nation’s first-ever national cyber director. A similar role was eliminated in 2018, but now the newly strengthened position — along with an office of up to 75 staff members — will coordinate the government’s cyber portfolio and digital defense strategy. A second key post, director of the primary domestic cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA), is expected to be filled shortly.
Sen. Angus King, a Maine independent, called these posts as vital in the digital age as the secretary of Defense and chairman of the Joint Chiefs of Staff. “We have to reimagine conflict,” . “The front line of this conflict can take place in a server farm on Wall Street, in a pipeline company or in an electric company or in a water service utility anywhere in America.”
Under this new leadership, the U.S. is looking to better protect government systems as well as businesses. And officials are making clear they will seek not just to hold cybercriminals to account, but also companies whose inadequate cybersecurity measures have put them and their customers at risk. Even when a company, like Kaseya, does , the lack of criminal consequences for hackers and success so far in obtaining ransom payments causes the cycle of cyber malfeasance to continue.
JBS’s ransom payment came just weeks after another company, Colonial Pipeline, made a similar payment in May. The gas pipeline company, which provides for the East Coast, paid a $4.4 million ransom to a . The multi-day shutdown sparked fears of a shortage, causing long lines at gas stations along parts of the East Coast. While some of that ransom was ultimately , U.S.-based companies still paid out millions to cybercriminals in a matter of weeks.
Asked about the ethics of ransom payments during his nomination hearing on June 10, Mr. Inglis said the U.S. ought to hold companies accountable “not so much for paying the ransom — but for being in a position where they had to pay the ransom in the first place, for the failure to prepare for that.”
With 2,354 U.S. schools, governments, and healthcare facilities impacted by ransomware last year alone, from antivirus software firm Emsisoft, “a team effort” is needed to address the problem, Mr. Inglis said.
In May, President Joe Biden issued an executive order intended to shore up federal networks against cyberattacks. Among other things, it requires federal contractors to meet new cybersecurity standards and share information about any breaches. The order also established a year-long process for “enhancing software supply chain security” in advance of the Kaseya hack.
“What you’re starting to see from the Biden Administration already is a little bit more of a wariness around leaving [cybersecurity] in the hands of the private sector,” says Josephine Wolff, an associate professor of cybersecurity policy at The Fletcher School of Tufts University.
The new national cyber director is responsible for coordinating cyber components of the departments of Justice, Homeland Security, and Treasury in battling ransomware. The CISA director will be the primary conduit between the federal government and private sector.
Jen Easterly, the nominee to lead CISA, called the national cyber director the “coach of the team,” during the same June 10 hearing. The Army veteran and former NSA official likened her prospective organization, CISA, whose role includes protecting civilian networks and critical infrastructure, to the “quarterback” of federal cybersecurity.
Congress, too, is pushing for the federal government and private sector to work more in concert to defend against ransomware. A bipartisan cadre of senators have that would require certain private sector entities, including critical infrastructure operators, to report cyber intrusions within 24 hours to the federal government. Such reporting has historically been voluntary, and companies have often been hesitant to disclose breaches. The information shared would be exempt from Freedom of Information Act requests and from use as evidence in lawsuits. The Senate Homeland Security Committee is also working on drafting to address ransomware.
While all this might seem to portend conflict between the business community and the government, the U.S. Chamber of Commerce’s Christopher Roberti says he’s expecting a fruitful partnership.
The relationship between government and the private sector in cybersecurity has been “strong for a long time,” says Mr. Roberti, senior vice president for cyber, intelligence, and supply chain security policy at the Chamber. “We have to stay together and avoid the tendency to try to say, ‘It’s not my fault, it’s your fault,’ because that just benefits the adversaries.”
The Chamber wrote a in support of the new position of national cyber director. Mr. Roberti says conversations with Mr. Inglis were a part of the reason why.
“He’s a person who really does value collaboration, cohesion, and working together to identify the critical problems that we face — and then help to come up with solutions,” Mr. Roberti says.