It's been a banner year for ransomware. Several high-profile attacks have rocketed this threat to the top of the Biden administration's agenda. They're bringing the full weight of U.S. policy to bear on cybersecurity and this recent scourge of ransomware, which has preyed on businesses who keep the country running.
A recent MeriTalk white paper, Colonial Pipeline Hack Rockets Ransomware to the Top of the U.S. Security Agenda, explored how the White House is applying pressure on nation-state adversaries and rallying overseas allies. The private sector also needs to get off the sidelines, especially those in critical infrastructure. Legal obligations to disclose attacks to Federal authorities appear to be coming in an effort to create more transparency.
Precedence and Legislative Response
The Federal push for better security is unprecedented and shows that cybersecurity is completing the leap from a technical problem to a national priority. Over on Capitol Hill, lawmakers are cranking up similar efforts. Legislation in the works would back up the Biden administration's strategy and draw business into a more collective defense structure.
The Biden White House is taking the most visibly assertive stance to improve cybersecurity of any presidential administration in history. Driving the urgency is a series of rapid-fire attacks that began before the administration took office and continued to spread through its early days. Suspicion that these attacks originated on foreign soil adds significant fuel to the fire for action.
Almost 80% of critical infrastructure is privately owned. Outside of highly regulated sectors, like the power grid, Congress has been reluctant to impose binding requirements to achieve specific levels of security or support collective government cyber efforts. These recent attacks have changed the conversation.
Senator Mark Warner, D-Va., predicted that legislation will soon emerge to mandate private sector organizations report cyber incidents to Federal authorities, and expects the bill to have strong bipartisan backing. The bill's aim would be to improve the government's awareness of cyberattacks with ransomware demands and the ability of the Feds to take action against perpetrators.
Experts Discuss Company Strategy
Officials from leading cybersecurity providers agreed that Federal policy and legislative efforts to improve security and curb ransomware are pointed in the right direction. However, making a dent in ransomware will require targeted organizations to commit to technology improvements that make them less vulnerable.
Mark Bowling, Vice President of Security Response Services at ExtraHop, charted the growth in ransomware attack sophistication over the past five years—from the days when many malware-based attacks compromised single servers or workstations—through the wave of WannaCry and NotPetya attacks that self-propagated through networks "to achieve massive reach and inflict maximum damage."
Bowling also shared the steps critical infrastructure companies need to take to decrease their exposure. First, they must develop a risk management strategy with executive stakeholder support. Companies should develop their most appropriate technical cybersecurity framework, "irrespective of your regulatory compliance framework—regulatory compliance is not equal to effective cybersecurity."
Betting on the Future
Significant change is always an uphill task, and even more so with very slim margins in Congress and political divisions. But what sets apart the issues of cybersecurity and ransomware are growing public awareness and concern that demands a government response for improving security.
There is plenty of room to debate the details of how to get there, but few seem to doubt the value of the destination. To learn more about the congressional response to ransomware, and how it will affect businesses, read the white paper.