“There is no way that this winter is ever going to end as long as this groundhog keeps seeing his shadow. I do not see any other way out. He’s got to be stopped. And I have to stop him.”
Bill Murray’s “Groundhog Day” comes to mind as we witness the recurring spate of ransomware, cyberattacks, and cyber espionage that have targeted U.S. agencies and businesses in recent years. Consider the ransomware attacks on the Colonial oil pipeline, which caused consumer panic and gas shortages along the East Coast, and on JBS, the world’s largest meat processor: the problem is only getting worse.
Americans now realize what many national security leaders have said for years: our digital borders can be easily penetrated, causing turmoil in our daily lives. We live in an ever-increasingly digitalized world that offers amazing future technological possibilities for everyday Americans. However, this is sprinkled with the downside of cyber threats within our interconnected society. These threats are not only disruptive but can be very costly (as the $11 million ransom that JBS paid to its attackers shows), and they can also cause significant loss of property or life.
So how do we stop this pesky “groundhog”? There is not an easy “cybersecurity in a box” solution. Any persistent actor, especially a nation-state, can infiltrate a network if given enough time, skill, and resources. We need a multi-pronged approach to put us on a better defensive and offensive footing going forward.
To its credit, the Biden administration has zeroed in on cyber vulnerabilities in recent months, including the Department of Justice’s recent announcement that it will elevate cyber prosecutorial and law enforcement action through a new “Ransomware and Digital Extortion Task Force” for heightened coordination of cyber activity.
The FBI recently seized $2.3 million back from the reported $4.4 million that Colonial paid their hackers. The FBI also used a court-authorized order earlier this year to remove remaining web-shells from the Chinese-based Hafnium attacks on the Microsoft Exchange servers. Various Cyberspace Solarium recommendations have become law recently. Implementing these will be critical, along with the recent Executive Order by the administration to clean up the government’s woefully inadequate cyber lawn.
Calls for “private-public sector cooperation” or “information-sharing” are important, but insufficient when it comes to systemically protecting important critical infrastructure. As former NSA and Cyber Command head Admiral Mike Rogers said earlier this year, “it’s not about collaboration…it’s about integration.”
There is talk of legislation that would require companies to disclose hacks. Doing so could help by not only enabling the government to potentially assist with an active breach or ransom, but by mitigating the future spread of the threat. It would also make critical infrastructure operators more aware of active threats.
A word of warning, though. Bloated regulation or cyber requirements that tether private sector entities into specific technologies could also dampen innovation while doing little or nothing to secure our infrastructure.
Businesses and CEOs can no longer take for granted their organizational digital supply chains and cyber defenses. Paying ransoms and hoping that cyber insurance will eventually make you whole is not a long-term strategy and is imperfect at best.
Although ransomware has dominated headlines most recently, increasingly sophisticated spear-phishing campaigns and general breaches of user authentication processes are the standard offenses for many cybercriminals and nation-state actors. An increased focus on software supply chain security, zero-trust architecture, and multi-factor authentication needs to become a mainstay for those operating in a cyber world, no matter how small the business or operation.
Critical infrastructure operators and businesses have to ask themselves if they’ll be ready if that “Winter is Coming” moment comes to their system. Did they properly back up their data and store it offline? Are their information technology systems bleeding over to their infrastructure’s operational technology? What systems will they have in place to communicate and get back online? Just as war games and military planning are a necessary function of our military apparatus to be prepared for contingencies, companies must prepare similarly for these looming cyber storms.
Nothing about cybersecurity can be foolproof or unbreachable. But the U.S. can come to terms with some of these questions and come up with solutions to avoid Phil Connors’s prediction of a winter that is “going to last you for the rest of your lives!”