2021-11-16
That's according to a congressional review out this morning from the House Oversight Committee. The review focused on three headline-grabbing attacks against CNA Financial Corporation, Colonial Pipeline and the meat processor JBS Foods – but its conclusions apply broadly to ransomware attacks across critical industry sectors.
Lawmakers will discuss the findings at a hearing this morning with National Cyber Director Chris Inglis, CISA Executive Director Brandon Wales and FBI Assistant Director Bryan Vorndran.
Here are two big takeaways:
1. Victims often didn’t know who in the federal government to call.
In some cases, the companies simply didn’t have a pre-existing relationship with a federal agency. In other cases they didn’t know where to look first among several agencies that relate to their industry sector.
“Colonial was in contact with at least seven federal agencies or offices,” the committee found. “CNA was initially referred to one FBI field office before a different field office was designated as the primary point of contact.”
In the case of JBS, the company emailed the FBI. But it took several hours for a substantive reply, as the email was forwarded between case agents at the same field office who were trying to determine the right point of contact, investigators found.
2. Hackers put companies under intense pressure to pay ransoms quickly to get their computer systems back online.
Hackers with the REvil gang, for example, told JBS their $22.5 million ransom demand would double if it wasn’t paid quickly. They also threatened to post the company’s data publicly if they weren’t paid within three days. Eventually JBS negotiated paying an $11 million ransom.
Colonial faced a similar threat of a doubled ransom after a set period of time. Hackers with the DarkSide gang amped up the pressure with a clock ticking down in the corner of the company’s computer screens.
The pressure was often compounded by a sense of chaos within companies as executives who were shut out of company email systems scrambled to communicate by personal email and text messages.
What's ahead
The report underscores the immense challenge facing the Biden administration as it works to stem a wave of ransomware attacks that are increasingly threatening national security and the economy.
The administration has punched back at ransomware hackers with a series of law enforcement actions. That includes indictments and sanctions against key hackers. They’ve also launched operations to claw back millions of dollars in ransomware payments from the perpetrators of the Colonial Pipeline hack and the Kaseya attack, which affected hundreds of businesses.
But the administration has had less success pressing companies to adopt better cybersecurity procedures that would prevent ransomware attackers from breaching their systems in the first place.
The Department of Homeland Security mandated upgraded cyber procedures for the pipeline sector in the wake of the Colonial hack, and similar regulations are in the works for the air and rail sectors. But it’s looking unlikely that Congress will give the administration authority to mandate such protections more broadly.
Adding insult to injury: Today’s Oversight hearing comes just days after a hacker compromised the FBI website, sending phony cyberattack email alerts to thousands of people.
The top Republican on the committee, Rep. James Comer (Ky.), plans to ask about the attack during today’s hearing, warning that “hackers’ ability to penetrate the FBI’s systems could create catastrophic consequences and chaos,” according to an opening statement shared with The Cybersecurity 202.
Chairwoman Carolyn B. Maloney (D-N.Y.) will describe the attack as part of “a tipping point as cyberattacks have become more common and potentially more damaging.”
The FBI blamed the hack on a “software misconfiguration.” Personally identifiable information was not exposed and the vulnerability was “quickly remediated,” the bureau said.
The keys
President Biden signed an infrastructure bill filled with cyber measures
The $1.2 trillion infrastructure package has roughly $2 billion in cybersecurity money. Much of those funds are aimed at boosting state and local cybersecurity through a $1 billion grant program.
The bill also includes:
- $21 million for the office of National Cyber Director Chris Inglis
- A $100 million Cyber Response and Recovery Fund for victims of significant hacks
It’s the first of several cybersecurity-packed bills that Biden could sign in coming months.
- Lawmakers soon plan to take up Democrats’ massive social spending bill, which would put $500 million toward CISA’s cybersecurity programs.
- This week, the Senate is set to consider the annual defense authorization bill, where lawmakers typically pack cybersecurity provisions. Top lawmakers have already proposed adding to the bill a 72-hour ransomware reporting requirement for critical infrastructure companies.
CISA publishes playbooks for federal agencies to respond to vulnerabilities and hacks
The playbooks are designed for government agencies, but CISA is urging private companies to review them to improve their own cybersecurity practices, Deputy Executive Assistant Director for Cybersecurity Matt Hartman said.
President Biden ordered CISA to create the playbooks as part of a wide-ranging executive order aimed at boosting the federal government’s cyber defenses.
CISA has taken a more aggressive approach to dictating how federal agencies manage their cybersecurity in recent years. The agency recently ordered agencies to remediate known software vulnerabilities.
Government scan
DHS launches long-awaited cyber hiring program
The new Cybersecurity Talent Management System aims to streamline and speed up the hiring process for cyber workers at the Department of Homeland Security. The system was authorized in 2014, but it took years to go online, drawing the ire of lawmakers.
DHS will first use the system to fill high-priority cybersecurity jobs at the department’s office of the chief information officer and CISA. Next year, the program will expand to “several DHS agencies with a cybersecurity mission,” according to the department.
Chat room
Around 20 percent of the largest defense contractors are highly susceptible to ransomware, researchers say
Around 40 percent of the top 100 defense contractors are slow to issue patches for known computer vulnerabilities, according to the cybersecurity risk firm Black Kite. Just over 40 percent of the contractors had at least one credential leaked in the previous three months, such as a username or password. Black Kite conducted risk assessments of the companies using public data, then applied its own system to measure the companies’ susceptibility to cyberattacks.
