Welcome to The Cybersecurity 202! There's a “blast furnace” aimed at D.C. this weekend, my colleagues at the Capital Weather Gang report. So get ready to smelt some pig iron from ore or, I guess, stay inside with the air conditioning on.
Ransomware attacks are getting worse in the U.S. despite heightened efforts to combat them
A group of top cyber experts released a task force report one year ago laying out 48 detailed recommendations to combat the scourge of ransomware attacks.
One year later, they’re wrestling with the fact the damage caused by ransomware, in which hackers lock up victims' computers and demand payment to unlock them, is likely as high as ever. Ransomware payments by victims spiked 70 percent in 2021 over the previous year's levels.
“Ransomware continues to hammer on health care, continues to hammer on education and continues to hammer on industry — and these [hackers], in many different ways, continue to act with impunity,” Philip Reiner, a co-chair of the Ransomware Task Force and CEO of the Institute for Security and Technology (IST), told me.
That's not to say there haven't been some successes. “After a year, we hoped to see some impact. And I think at this point we can safely say that there has been some impact,” Reiner said.
But ransomware is an ongoing challenge for the task force, which is hosting an event marking its first anniversary starting at 10:30 a.m. today.
Details
The speaker lineup is a testament to how critical the government considers ransomware defense at this point. It includes a who’s who of top government cyber officials including National Cyber Director Chris Inglis, CISA Director Jen Easterly and Deputy Attorney General Lisa Monaco.
There will be two big messages, according to a preview conversation I had with Reiner and IST Chief Strategy Officer Megan Stifel, another task force co-chair.
- Government and industry have devoted a remarkable amount of resources to combating ransomware during the past year — far more than has been committed to any previous cyber challenge.
- And yet there’s a long way to go. Available data suggests ransomware attacks have held steady or are increasing and many of the likeliest victims, including schools and small businesses, are no better protected than they were one year ago.
Victims paid over $600 million in ransom payments in 2021, per the firm Chainalysis, a 70 percent increase over 2020. And there’s been limited progress on some big goals, such as making it tougher to secretly transfer ransoms using cryptocurrency.
The task force is releasing a 28-page report that rigorously details its accomplishments and what’s left undone.
On the positive end:
- Justice Department prosecutors have ramped up legal charges against ransomware hackers and operations to claw back cryptocurrency paid as ransoms. The department recovered more than $8 million connected to ransoms from attacks on Colonial Pipeline and the IT service firm Kaseya.
- The United States and international allies have banded together on counter-ransomware initiatives, including calling on Russia to stop providing safe haven for ransomware hackers in its territory.
- Congress has surged funding for counter-ransomware work at the Cybersecurity and Infrastructure Security Agency (CISA) and elsewhere in government.
The task force will focus on a handful of big priorities in the coming year.
- One project focuses on making it easier for small and medium businesses to get up-to-date information about cyberthreats — and to share information about threats they’re facing back with the government.
- Sharing such information is one of the biggest things the government does to help protect businesses against hacking, but government efforts so far have mainly focused on larger businesses and those in particular sectors deemed critical for national security.
- Congress recently passed a law mandating that companies in critical sectors share information about significant hacks with the government. The task force is looking for ways to leverage the implementation of that law to increase voluntary cyberthreat information sharing among a larger group of businesses, Stifel told me.
Other ongoing projects are aimed at making it tougher for ransomware hackers to demand and receive ransoms using cryptocurrency and examining cyber insurance changes that could make ransomware attacks less successful.
Another key focus for the task force: Keeping the pressure for reform up even when ransomware isn’t on the front page any longer.
The task force’s initial timing couldn’t have been better from a public awareness perspective. One week after publishing its 2021 report, the Russia-based ransomware gang DarkSide locked up computers at Colonial Pipeline — arguably, the most consequential cyberattack in history, which limited U.S. gas supplies and prompted panic buying.
More high-profile attacks followed one after the other — hitting the Irish health-care system, the JBS meat processor and the IT services firm Kaseya and its clients. But there have been fewer headline-grabbing ransomware attacks more recently and public attention is more likely to wander.
“It’s really important to keep the momentum going,” Reiner told me. “Just because there isn't a Colonial Pipeline in the news doesn’t mean this isn’t hurting people every day.”
They also want to lay the groundwork so government and industry are better prepared to tackle the next big cyber challenge.
“We know that there will be something new besides ransomware,” Stifel told me. “So, whatever the next version of [cyber extortion tool] that emerges, it’s well past time to figure out some of these government capabilities that should become routine.”
The keys
Prosecutors won’t charge ‘good-faith’ cybersecurity researchers, Justice Department says
Top Justice Department officials are telling federal prosecutors to not bring charges when “good-faith” cyber researchers exceed “authorized access” in a tech system, Joseph Menn reports.
The move is aimed at bringing up to date the nation's main federal hacking law — which dates to 1986 — and reducing legal jeopardy for cyber researchers, who previously feared being prosecuted for some innocuous and routine practices,
“Well-intentioned hackers in the past were routinely silenced by legal threats,” Joseph writes. “Even in recent years, civil suits and criminal referrals have been used to cancel public talks on dangerous vulnerabilities or cast doubt on research findings.”
For example:
- Mobile voting company Voatz referred a Michigan college student researching its app for a course to the FBI in 2019.
- Last year, Missouri Gov. Mike Parson (R) threatened a local journalist who examined the public source code of a government website and warned state officials that they were exposing educators’ personal information.
The U.S. Supreme Court earlier narrowed what counted as hacking under the 1986 law.
There are limitations to the new guidance, however. It doesn't stop companies from bringing civil cases against good faith cyber researchers and state officials can still bring such cases based on their own statutes. The change was first reported by Bloomberg News.
Cybersecurity experts reacted with a mix of applause and caution. Atlantic Council cyber safety innovation fellow Beau Woods:
Huge congrats to the Department of Justice team that's been creating enlightenment inside the Dept. about the value of good faith security research and researchers for many years. Policy positions like these are the result. https://t.co/sBYhxvi3gX
— Beau Woods (@beauwoods) May 19, 2022
Mandiant’s John Hultquist:
This is great news but I’m a little afraid some will see this as an invitation to cross lines that might still land them in hot water. https://t.co/IbZpOR2SQ0
— John Hultquist🌻 (@JohnHultquist) May 19, 2022
The guidance still has its limitations. SCYTHE’s Elizabeth Wharton:
Worth noting: testing for vulns to extort victims is expressly noted as not in good faith https://t.co/7W6q6txpdL pic.twitter.com/wFP7Vseznv
— Elizabeth Wharton (@LawyerLiz) May 19, 2022
NBC News’s Kevin Collier:
This is an enormous better-late-than-never policy change from DOJ to not prosecute white hat hackers. But it's limited: still doesn't stop bad-faith lawsuits or states (Missouri, for example) from charging cybersecurity researchers.https://t.co/S0scT01bG7
— Kevin Collier (@kevincollier) May 19, 2022
Digital rights lawyer Marcia Hofmann:
As I read it, prosecutors “should decline” to prosecute good-faith security research, but still have the discretion to do so
— Marcia Hofmann (@marciahofmann) May 19, 2022
Republican nominee for Pa. governor disputes Biden’s 2020 win and could get oversight of 2024 elections
Doug Mastriano has vowed to decertify some of his state’s voting machines and has asserted that Pennsylvania’s Republican legislature has the power to decide which presidential electors to send to Washington, Rosalind S. Helderman, Isaac Arnsdorf and Josh Dawsey report. Former president Donald Trump has endorsed Mastriano, who would have the power to appoint the state’s top elections officer if he becomes governor.
Mastriano is one of a number of election deniers who is running for a key role in a battleground state. Other politicians who deny that President Biden won the 2020 election are running to become their states' secretary of state or for Congress.
“As far as cleaning up the election, I mean, I’m in a good position as governor,” Mastriano told podcast host and former Trump aide Stephen K. Bannon in April. “I have a voting-reform-minded individual who’s been traveling the nation and knows voting reform extremely well. That individual has agreed to be my secretary of state.” Mastriano hasn’t publicly said who he has in mind for the role.
National security watch
Former officials launch 11th-hour effort to delay antitrust legislation, citing national security
Former U.S. officials including NSA general counsel Glenn Gerstell penned op-eds Thursday that renewed national security concerns about antitrust legislation aimed at reining in major U.S. technology companies. They argue the legislation could inhibit companies’ ability to protect users and give China an advantage.
Those concerns have been dismissed by some lawmakers, who say that the lack of antitrust regulation could lead to less innovation — its own national security threat.
The op-eds come as Senate Majority Leader Charles E. Schumer (D-N.Y.) prepares to put the legislation up for a vote, Axios’s Ashley Gold reported.
Global cyberspace
Greenland’s health service ‘severely’ hit in cyberattack
The health-care system’s computer network crashed and workers had to restart systems, limiting health-care workers’ ability to access patient records, The Record’s Jonathan Greig reports. It’s not clear if the attack was caused by ransomware.
Cyber insecurity
Securing the ballot
Industry report
Daybook
- CRDF Global hosts a panel on cybersecurity lessons from Ukraine for the Balkans today at 9 a.m.
- Deputy Attorney General Lisa Monaco, National Cyber Director Chris Inglis and CISA Director Jen Easterly speak at an Institute for Security and Technology event on the first year of the Ransomware Task Force today at 10:30 a.m.
- A House Oversight and Reform Committee panel holds a hearing on the Technology Modernization Fund on Wednesday at 10 a.m.
- Undersecretary of Commerce for Industry and Security Alan Estevez speaks at an event hosted by the Atlantic Council and Krach Institute for Tech Diplomacy at Purdue on Wednesday at 10 a.m.
Secure log off
Today’s second @washingtonpost TikTok features a lawsuit in Wisconsin, telenovela style https://t.co/kn2HY6Vumx pic.twitter.com/HZEXmuAfhL
— Chris Vazquez (@ByChrisVazquez) May 19, 2022
Thanks for reading. See you Monday.