What we owe the ransomware gangs
We learned this week that the U.S. meat processing industry – a critical link in the nation’s food supply chain – is vulnerable to crippling cyber attacks. The disturbing revelation follows a report last month showing that our country’s pipeline infrastructure – which carries fuel from refineries to gas pumps – contains serious cybersecurity vulnerabilities that could be exploited by rival nations or criminal groups. Also: cyber defenses at our country’s research universities, hospitals and public safety agencies are of inferior quality and require urgent attention and investment. We now know.
Red Teaming a 22 trillion dollar economy
Who has informed the American public of these lingering risks, any one of which could potentially plunge our nation into crisis? It was not the Department of Homeland Security – whose mandate is to protect the nation from domestic threats. Nor was it CISA – the Cybersecurity and Infrastructure Security Agency – our country’s lead cybersecurity agency.
No. It was a collection of criminal gangs – most of them operating out of Russia or the countries of the former Soviet bloc in Eastern Europe. They have names like REvil (considered responsible for JBS); Darkside (Colonial Pipeline); Ryuk (hundreds of hospitals); and Babuk (the DC Police Department). There are (many) more.
I would call these “ragtag” groups, because that’s how we like to think of criminal gangs, except they’re anything but. Ransomware operations are well funded, specialized, well trained, and operate with a kind of clinical efficiency. In fact: it’s all business.
What is their business? It is known as “double extortion,” which refers to the groups’ one-two punch of stealing victims’ data, installing ransomware, and then using both to negotiate the biggest payoff possible. Seen another way, however, part of a ransomware gang’s business is to find, investigate and exploit security vulnerabilities in organizations’ networks and online operations. In the legitimate IT services market, this is called “red teaming,” and it is a growing industry.
Of course, ransomware groups do not charge for this red teaming service directly. Still: it’s an integral part of what they do. And, while the service is neither sought by victims nor beneficial to them in any way, it has benefited us, collectively, in the world’s largest economy. At the very least: successful ransomware attacks weed out security laggards across industries. They send these companies, and often their close competitors, scrambling for better protection against cybercriminals.
Gimme Shelter (Cyber)
In my opinion, the ransomware “epidemic” we deplore is best viewed as a decentralized, cross-sector red team exercise that we have simply contracted out to the crowd. Was it a smart idea? Not really. It is the national security equivalent of the Rolling Stones hiring the Hells Angels to “manage” security at their infamous free concert at the Altamont Speedway in 1970.
Just like the ‘Stones, we could easily have hired true security professionals to get the job done. DHS, CISA, the Department of Transportation or other oversight agencies could have performed their own independent audits of the kind Darkside, Ryuk, and REvil carry out every week. Our government could have used its authority to demand, rather than gently suggest, that companies submit to cybersecurity reviews or participate in industry ‘tabletop’ exercises that walk through likely scenarios, including ransomware attacks. This is especially true for critical infrastructure, where a small number of companies control huge swathes of the networks that run our economy.
If these public agencies had done so, in the public interest, they might have discovered many of the same weaknesses in public and private sector infrastructure that ransomware groups ultimately discovered and exploited – like the obsolete, insecure VPN server that gave the Darkside group access to Colonial’s network. In testimony this week, Colonial CEO Joseph Blount admitted that his company’s IT team had lost track of the server. “We did not see it and it did not appear in any penetration tests,” he said. “It is sad.”
I will say.
Finding such holes in the context of a government-mandated audit would have been a far better outcome. It would have given Colonial an important warning that its protections were inadequate and allowed it to address those weaknesses in an orderly fashion, limiting disruption to society as a whole.
But that’s not what happened. Why?
Government regulators, lawmakers and industry groups have for decades opposed calls for more regulatory oversight of cybersecurity. Instead, they have hidden behind the 40-year-old Reagan-era doctrine that “government is the problem.” Regulatory capture has also wreaked havoc, putting the private sector and infrastructure owners in the position of making and enforcing their own rules.
This is literally true in the electricity industry, where NERC, the North American Electric Reliability Corporation, a non-governmental “self-regulatory body” created by the utility industry, is responsible for developing and enforcing reliability standards for the electrical industry in the United States. Today, those include cybersecurity standards.
Time and again, our elected leaders and agencies with oversight power have taken at face value the words and promises of private sector companies, which have consistently downplayed the threat while overstating their capacity as defenders. Testifying before the US Senate, Colonial CEO Blount was pressed on whether his company participated in cybersecurity tabletop exercises conducted for pipeline operators by the Department of Transportation. He did not give a direct answer. When asked later if his company was part of an ISAC (an “information sharing and analysis center”) for his industry, he replied that he did not know. When asked if Colonial had a cybersecurity response plan in place prior to being compromised, one that included a plan for ransomware, he admitted that it did not.
Instead, Blount talked up his company’s decision to hire companies like Principal and Dragos after being hit to clean up the mess, as if such decisions were evidence of forward thinking and contingency planning. Note to Mr. Blount: calling the fire department to put out the fire that is ravaging your home cannot properly be considered “fire prevention.”
From Russia with love
So here we are. Our “friends” in Russia and Ukraine are doing us a valuable public service. In the absence of any concerted government effort to do so, they are putting publicly traded companies, private businesses, state and local governments, and critical infrastructure (CI) owners on the infosec treadmill for a “stress test.” Of course, they get rich in the process and wreak havoc on our society. As far as we know, they also pass some of what they find to governments looking to weaken and destabilize our own.
The silver lining? There are now a lot of flares lighting up the sky. Public and private sector organizations that were content to keep their dismal cybersecurity practices quiet no longer have that luxury and are scrambling to fix their businesses.
To extend the “stress test” metaphor: many companies collapse and fall off the treadmill in pretty dramatic fashion. Others huff and puff and fail more gracefully (and quietly). Certainly, some pass the test(s) with flying colors.
As a society: is it better for us to know which companies have crappy security and which ones don’t? Yes. Is letting ransomware groups find out the truth the best and most sensible way for us to learn this important information? No. Ransomware, after all, is a pretty painful tool for revealing this, but it reveals it all the same. Hopefully, as a society, we will find a way to get it right.