A conference in Washington about the dry, often dour subject of ransomware policy briefly broke into song this week, courtesy of Jen Easterly, director of the government’s Cybersecurity & Infrastructure Security Agency (CISA).“Install your updates, make better passwords, think before you click and use multiple factors,” Easterly sang to the tune of Schoolhouse Rock’s “I’m Just A Bill.”The full version of what Easterly called “Cyber Schoolhouse Rock” will debut at the RSA Conference in San Francisco next month, part of the government’s attempt to coax private industry into adopting such security practices as patching promptly, using password managers to quash password reuse, and adopting multifactor authentication instead of relying on passwords alone.“We have to make cyber hygiene as common as brushing your teeth and washing your hands,” Easterly said before her performance.During this panel at the conference hosted by the Institute for Security & Technology (IST), Easterly also discussed CISA’s efforts to alert potential ransomware victims to vulnerabilities they need to patch. She said its Ransomware Vulnerability Warning Pilot, launched last March, has already issued 2,049 warnings to the 7,000-plus entities that have signed up for this test. And she emphasized CISA’s “secure by design” initiative to get companies to drop risky software-development practices, calling it “the way we fix this problem ultimately.”The panel additionally featured Craiglist founder turned philanthropist Craig Newmark pledging his support to amplify a message of everyday security responsibility for everybody, even if that means looking like a scold. “I don’t mind being an asshole if it serves the country,” he said. “I’m not the nerd you want, but I’m the nerd you got.”
Megan Stifel presents an ‘Uncle Sam Wants You’-style poster to Craig Newmark as Jen Easterly looks on. (Credit: Rob Pegoraro)
Panel moderator Megan Stifel, chief strategy officer of IST and executive director of its Ransomware Task Force, wrapped up the panel by unveiling a poster of Uncle Sam, but with Newmark’s face, above the message “I Want You To Defend Against Ransomware: Prepare, Don’t Pay.” And then the organizers handed out laptop-sticker versions of that art.But for all the lighthearted moments of that talk, the ransomware problem—in which attackers implant malware in an organization that encrypts and often exfiltrates data before threatening to delete or publish the data if the victims don’t pay up—remains brutally serious. In just the last few weeks, United Healthcare has struggled with a ransomware attack on its Change Healthcare subsidiary, first apparently paying $22 million to one ransomware group but then having a second group say it had the stolen data and would soon publish it. In its earnings report (PDF) posted last Tuesday, United Healthcare said it had already spent $872 million on the attack and had set aside another $800 million.“Ransomware poses as great an existential threat to national security even if it does not kill Americans directly,” said Andrew Boyd, a security consultant and a member of IST’s board of directors, in a morning keynote. “Ransomware-as-a-service is being used by foreign governments, principally the Russians.”Ransomware is also terrible for the individual organizations and people hit by it, especially when smaller companies and shops are involved. “When an organization is ransomed or there’s extortion, it really is one of the worst days in that person’s career,” Sonia V. Jimenez, an attorney in the Department of Justice’s computer-crime section, said in an afternoon panel. She added that the DOJ is now seeing “brutal” techniques that can involve threats to family members of targets.Conference speakers stressed the don’t-pay message, emphasizing the fundamental untrustworthiness of ransomware attackers. “They’re criminals, and you can’t trust them,” former CISA head Chris Krebs said in a late-morning talk.
Recommended by Our Editors
But there was also a fair amount of sympathy for how ransomware victims may feel forced to pay to prevent harm to their customers or third parties.“You get into the data, and it’s oh my god, they have pictures of cancer patients,” said Gwenn Cujdik, a lawyer who works on breach responses for the insurance firm AXA XL. “If we don’t pay, 911’s down.”Speakers did, however, agree on the importance of pushing IT vendors to ship more resilient software and systems, followed by stronger law-enforcement efforts to disrupt ransomware attackers and the companies that abet their crimes—both categories called out in a Ransomware Task Force progress report issued in April.CISA Executive Assistant Director Eric Goldstein, speaking on the same panel as Jimenez, repeated a point Biden administration representatives have been making over the past three years: We can’t keep asking people and companies to compensate for systematic flaws in technology products and instead need to lift that burden from them by having those vendors adopt secure-by-design practices. “We need to keep pushing on that shift in accountability to those entities that can bear it,” he said. Switching from defense to offense, the FBI’s recent takedown of the Lockbit ransomware operation’s online presence drew praise along the lines of “more of the same,” including operations targeting the financial intermediaries of ransomware attackers and other measures to erode the sense of impunity of attackers who still aspire to enjoy the occasional luxury-yacht rental outside of Russia.Keith Rawson, head of cyber-crime threats at the UK’s National Cyber Crime Unit, offered a concise definition of that strategy in an afternoon panel: “imposing cognitive fear in their lives.” He added: “We need to press that button more and more.”
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.