Ransomware, hackers hijacking systems and demanding big money to release them, has become more than a threat for state and local governments and school districts. So far the federal government has been lucky. Now a coalition of companies and nonprofits called the Institute for Security and Technology has come up with a long list of recommendations for dealing with ransomware. For more, the president and CEO of the Cyber Threat Alliance and for White House cybersecurity special assistant, Michael Daniel, joined Federal Drive with Tom Temin.
Insight by Carahsoft: This exclusive e-book demonstrates just how far agencies have come and where they still need to go to take fully advantage of DevSecOps to drive modern capabilities to their customers.
Tom Temin: Mr. Daniel, good to have you on.
Michael Daniel: Yes, thanks for having me.
Tom Temin: Tell us about the genesis of these recommendations, a bunch of organizations, a bunch of companies came together to attack this issue. How did that group form, and under what guise?
Michael Daniel: It really came about because those of us in the industry have been watching an evolution in ransomware over the last few years. If you roll the clock back, Tom to you know, 2013 2014 ransomware was primarily an economic nooses. The ransoms affected primarily individual computers and ransoms were a couple of 100 bucks. Now, as you mentioned, they’re affecting state and local government school systems, but they’re also affecting hospitals and other parts of critical infrastructure. And the ransoms are well into the hundreds of 1000s, sometimes millions of dollars. So ransomware is really becoming national security and a public health and safety threat. And so under those conditions, many of us in the industry felt like it was important to really take this problem head on. And so that was the genesis of why this group came together.
Tom Temin: It’s almost perhaps a matter of time before a federal agency gets hit.
Michael Daniel: I’m almost surprised that it hasn’t happened already to some sort of significant degree. So yes, I mean, this threat is continuing to grow. And unless we do something about it, it’s not going to get any better on its own.
Tom Temin: And so what are the top recommendations, especially for the government itself to start to organize around this issue? I know that it has caught the attention of Secretary my orcas of DHS, who I think contributed to your report in the first place.
Michael Daniel: Yes, absolutely. And I think you can see that certainly the National Security Council, the Department of Justice, the Department of Homeland Security, they’re all taking this issue very seriously. When you look through our report, we really focus in on trying to do four things. One is we want to deter more actors from using ransomware in the first place, we want to really disrupt the actors that are currently using ransomware. We want to better prepare businesses and governments to be resilient to ransomware. And we want to enable folks to respond better to ransomware if they do have a ransomware incident. So within that there are really five recommendations that I would highlight for you. One is that the federal government really needs to make a coordinated international diplomatic effort to reduce the safe havens, the countries that are harboring a lot of these cyber criminals, to the US government really needs to put together a sustained hold of government intelligence driven anti ransomware campaign, and it needs to be coordinated at the White House level. Third, governments should establish a cyber response and recovery fund to support ransomware response. And they should mandate that organizations report ransomware payments, and they should require organizations to consider alternatives before making payments. Fourth, there should be an internationally coordinated effort to devise a ransomware framework, like how do you respond to ransomware, kind of like we did for the Cybersecurity Framework A number of years ago? And lastly, we need to really impose some additional requirements on cryptocurrency exchanges to comply with well known best practices in the financial industry.
Tom Temin: Yes, because in that last point, a lot of the payment demands are for payment in cryptocurrency. Why is that by the way?
Michael Daniel: Well, almost all the payment demands are for cryptocurrency. And it’s because it’s much, much harder to trace. And it’s much more anonymous, and it flows in various ways that make it much more difficult for law enforcement to track down the payments.
Tom Temin: Sure, I guess if you send a check for $10,000 or a million dollars to some address in Russia, it’s pretty easy to follow.
Michael Daniel: Yes, that’s right.
Tom Temin: And to some extent it looks like Cisco at DHS. And as we mentioned earlier, the Secretary is actually on to this issue already spoke before the Chamber of Commerce just a few days ago, and said, yeah, this is something we have to get behind. So it sounds like you’re getting traction early with this report and with these recommendations.
Michael Daniel: I think that’s right. We’ve gotten a very good reception from the executive branch. There was a hearing on Capitol Hill recently that also where the report got a good reception from various members of Congress. So I think we are getting traction. I think it’s because many people recognize the threat that ransomware poses,
Tom Temin: And it’s probably encouraging that the White House has fairly quickly filled the major cybersecurity position. available to it in the White House in the National Security Council and elsewhere, where some of those had been vacant for a while during the prior administration.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Michael Daniel: Yes, this administration has clearly prioritized cybersecurity as an issue that it is going to focus on. And, yes, absolutely, in terms of filling positions with people they’ve done that they’ve also, you know, begun issuing policies. So it’s really clear that this administration takes cybersecurity very, very seriously.
Tom Temin: And state and local agencies, federal agencies, for that matter, school districts and city governments and so forth. Is there anything in your experience they can do in the meantime, to better protect themselves?
Michael Daniel: Well, you know, the interesting thing about ransomware is a lot of the best practices that cybersecurity experts have talked about for many years are applicable to defending yourself against ransomware. So for example, using good password management using multi factor authentication, segmenting your network so that it’s not all one big network where you get in once and you get everywhere, right? All of those sort of technical practices are still applicable to ransomware. But I think the other thing is really thinking through and having a plan in place for what are you going to do if you get hit with ransomware. And sort of thinking that through ahead of time is a big help.
Tom Temin: I wonder if just having replicated virtual machine copies of your major systems kept offline is a good practice. And then if something is hit with ransomware, say, Great, keep it and erase the whole thing, and just spin up a new one?
Michael Daniel: Absolutely. I mean, anything you can do to make yourself more resilient to what the bad guys are trying to do is beneficial. So absolutely, keeping backup copies of data, you know, that are offline and inaccessible. Also looking at how you store data. I mean, for example, many private sector companies, one of the things that we have found is that the bad guys will when they gain access to a network, one of the things they will do is they will look to see if you have an insurance policy, if you’re a private sector company, and then they will look to see what the maximum payout for that insurance policy is. And then magically, the ransom is set to exactly that maximum payout. So protecting that kind of information, your private sector company is really, really important.
Tom Temin: And do you think there’s a tie in between this effort that you have established to kind of take on ransomware and the cybersecurity Maturity Model certification program that applies to supply chain vendors in the defense supply chain, who may hold data? That is the government’s and those companies could be subject to ransomware? It seems like there’s a connection here.
Michael Daniel: Absolutely, I would say that the connection is really that what you’re seeing is that the threats that are out there in the general cyberspace environment, are just demanding that companies reach a higher level of cybersecurity maturity than many of them have done so far. And particularly if you were in the supply chain for any federal agency, any government agency for that matter, you’re probably going to have to start meeting some requirements for cybersecurity. If you’re in critical infrastructure, and other parts of the economy, you’re probably going to see more and more of those kinds of requirements emerge. And with the group that established the study, we’ve been talking about the Institute for security and technology. Are any of the cloud people involved in that effort? Sure. I mean, you can definitely see like we had Microsoft very heavily involved. And we had some representatives from Amazon that participated in this. And we also consulted broadly across the industry, even for people and companies that weren’t listed as major contributors. There was a lot of consultation that went on with that group,
Tom Temin: Because I would think cloud exposure to ransomware would be a big issue one, because the companies are extremely rich, that are the big cloud providers. And second, nobody is totally invulnerable.
Michael Daniel: That’s right. You know, it’s interesting with the cloud, you get some benefits, right? I mean, you saw this, for example, with the exchange vulnerabilities that came out a couple of months ago, where Microsoft was very rapidly able to fix anybody that was using the cloud version of Office 365, like pretty much instantaneously that was addressed. On the other hand, as you pointed out, you now with the cloud service providers have this huge aggregation of risk. And so gaining access to the cloud in an unauthorized manner could give you the ability to affect a very large number of organizations all at the same time. So absolutely. I think that our shift to the clouds changes some of the security dynamics that are out there.
Tom Temin: And just looking at this at the extreme for a second before we wind up. Can you imagine a scenario, suppose a major cloud that has government data, lots of applications, I mean, there’s limitless, or DoD for that matter, would somehow be held for ransom. Can you see the United States responding beyond merely diplomatically and beyond law enforcement to perhaps militarily in some manner?
Michael Daniel: It’s hard to imagine a scenario that gets you all the way there that is, you know, sort of immediately plausible, but it’s not completely out of the realm of possibility. If you had an aggregation of circumstances that really put public health and safety at risk that really threaten people’s lives directly, then yes, I mean, I certainly think you could see a whole range of options all the way up through and including military, you know, technical operations.
Tom Temin: Well, let’s hope it doesn’t get that far. And people read and act on your report. Michael Daniel is former White House cyber security Special Assistant, now CEO of the cyber threat Alliance. Thanks so much for joining me.
Michael Daniel: Thank you for having me.