There Oughta Be a Law

The editors of the Washington Post have a simple strategy for eliminating ransomware attacks on cities and other institutions:

There is a way to break the cycle: pass a federal law barring ransomware payments. Along with such a prohibition, funds should be devoted to help cities and states become more secure in the first place, focusing especially on the need to have backups of critical data. Then the Department of Homeland Security could set up a digital ghostbusters task force to help municipalities come back online after an attack. Those that had implemented adequate defenses could get aid from the feds in footing the bill. Those who surrender to hackers would face fines sufficiently larger than the ransom.

That would eliminate ransomware attacks in the same way that laws against speeding have eliminated speeding and those against smoking marijuana have abolished use of the demon weed. Perhaps a more apt analogy would be to illegal immigration. We have laws against entering the United States without presenting yourself to a duly constituted authority. Those have been effective, haven’t they?

And subsidizing state and local governments for inadequate security? I can tell you with a confidence based on experience that governments would use less money for computer security and more to give raises to public employees.

By their very nature it’s hard to point the finger at where these attacks are originating but forensic evidence suggests that the overwhelming preponderance of the attacks originate from one or more of the following: Russia, Ukraine, China, North Korea, Iran. See a pattern here? Sanctions. What about China? I would suggest that it is nearly impossible for cyberattacks to originate in China without at least the tacit approval of the Chinese government.

What all of this suggests is that there is an urgent need for an international accord on cyberwarfare similar to those governing bacteriological and chemical warfare, and taken if anything more seriously.

Here’s another suggestion: hold the companies that produced the vulnerable operating systems (mostly Microsoft and Google) responsible.

  • gawaine

    Most companies I’ve been at have not quite met best practices for security – until Sarbanes-Oxley came into play. At that point, the threats associated with SOX actually forced a lot of things that made the systems more secure. It changed the normal incentive balance, where most executives are rewarded for adding features and reducing overhead staff, which is the opposite of what you need to do.
    That gives me hope that the right kind of law might help. Forcing corporate and government CIOs to sign that they’re compliant with NIST SP800-171 or the equivalent might give them a personal reason to make things better.

  • That has been my experience as well. The obvious conclusion is that we need a Sarb-Ox for government. A problem is that government CIOs do not have the authority or budgets to accomplish the task. I think that something pretty draconian will be required (like requiring elected officials to put up personal bonds). Without skin in the game nothing will be accomplished.

  • steve

    Several of our old team members have gone on to cyber security, most of them working for banks. What I hear from them is that serious attacks that they worry about come from Russia, China and Iran. North Korea doesn’t seem to have competency to make serious attacks. Not sure about Ukraine.

    Query- This seems like such an obvious thing to address on an international scale. It clearly gets short shrift in the national security arena. Is that because the people running our government, and the governments of other countries, are largely too old to understand this stuff?

    Steve
