Governments are Failing to Address the Ransomware Threat

Date: March 11, 2024


The British government candidly revealed the nation is ill-prepared to address the threat of a major ransomware attack after members of parliament accused officials of employing an “ostrich strategy” in relying on a pre-internet approach to national security.

In December of 2023, the UK’s Joint Committee on the National Security Strategy (JCNSS) warned there is a “high risk” the nation will experience a “catastrophic ransomware attack at any moment” due to the British government’s failure to address the growing ransomware threat.

The report specifically called out former Home Secretary Suella Braverman for having “showed no interest in the topic” despite her department being the lead government agency on national security risk and policy.

In Monday’s formal response, the government rejected key recommendations in the JCNSS report — including that the Home Office be stripped of its responsibility to tackle ransomware — and argued that its existing regulations and the current National Cyber Strategy were sufficient.

Dame Margaret Beckett MP, the committee chair, said the government’s rejection of JCNSS recommendations made it “ever clearer that Government does not know the extent or costs of cyberattacks across the country - though we’re the third most cyber-attacked country in the world – nor does it have any intention of commensurately upping the stakes or resources in response,” The Record reported.

The committee further expressed “ongoing, deep concerns” that “short-termism and lack of preparation and planning” was putting the nation at risk of “a severely damaging ransomware attack - with consequences that vary from ongoing damage to the economy and productivity to the real possibility of a national emergency.”

“If the Government insists on operating the ostrich strategy for national cybersecurity — based on legislation made before the internet arrived, centered on a Department that seems to have difficulty mustering much interest in the issue, and in stark contrast to the cyber-attackers who are so fantastically well-coordinated and resourced — where is the pro-active national security response to protect the UK supposed to come from?” Beckett lamented.

Takeaway: What are governments doing to protect organizations from this onslaught of ransomware attacks? From what we have witnessed regarding the responses thus far from the U.K., not much at all.

And the U.S. is not faring any better. While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space, overall law enforcement has had very little impact in disrupting ransomware operations.

In fact, the agency in charge of defending the nation from cyberattacks, the Cybersecurity and Infrastructure Security Agency (CISA), just disclosed that it was also compromised by attackers.

A source familiar with the investigation told The Record that two CISA systems were compromised: the Infrastructure Protection (IP) Gateway, which stores sensitive information about the interdependencies in U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which stores “some of the country’s most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.”

The UK, US and allied governments are in a tough position regarding what actions to take to stem disruptive ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks.  

Law enforcement actions and government sanctions against ransomware operators are necessary, but even if they are arrested or their operations disrupted, there will quickly be someone to take their place, because ransomware is a multi-billion-dollar industry.

Until ransomware attacks cross the line from cybercriminal activity to a national security event in the minds of policy makers, these disruptive and costly attacks will continue unabated.

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict and prosecute when possible. But this approach has done little to disincentivize ransomware operators, as most enjoy safe harbor in adversarial nations that will not extradite the offenders.

But when an attack drifts into the national security space, there are different rules of engagement, and they can include offensive action deemed appropriate and proportional.  

Unless and until the U.S. and allied governments make this determination, there is little in the way of real consequences for these attacks, so organizations that are potential targets will need to continue to fend for themselves.

Guidelines and frameworks are nice, but they are still “do-it-yourself” approaches to a threat that clearly rises to the level of a national security issue. Yet governments continue to do little more than some public relations.

The government needs to do more than just alert the healthcare sector that they are getting ravaged by ransomware attacks. They already know this is the case, as highlighted by the disruptions to patient care following the Change Healthcare attack, said to be “the most serious incident of its kind leveled against a U.S. health care organization.”

It’s time we started addressing ransomware attacks as a national security issue instead of a crime problem. Doing so would open a wide array of options for the government to more effectively respond to these attacks.

Or we could just wait until after a catastrophic attack of the level the U.K.’s JCNSS is warning of. Of course, by then it will be too late.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.