The Ransomware Task Force looks back on the two-year anniversary of its report

Two years ago, a group of experts from government, industry, nonprofits and academia released a report on ransomware that made nearly 50 recommendations for tackling the growing cyber crisis.

A lot has changed since then. Days after the report’s release, a ransomware attack hit Colonial Pipeline and sparked a fuel panic — an incident that was one of the main triggers for the Biden administration to shift gears on how to approach cybersecurity. More recently, there is evidence that ransomware is, if not in active decline, at least in something of a lull, with attacks less effective by some measures.

So how does that original group, known as the Ransomware Task Force, think things are going in the fight against ransomware a couple years later?

“I think we’re doing pretty well, but not doing amazing,” Megan Stifel, a co-chair of the task force, told me.

Another co-chair, Michael Daniel, invoked the staid language often used by government auditors at the Government Accountability Office. “At the risk of being too much of a Washington insider, it feels like to me we can use the title of any GAO report: ‘Progress has been made, but more needs to be done,’” he told me.

There’s progress by at least one measure, though. The task force has seen a great many of its recommendations become reality. According to a status report out today from the task force, 92 percent of its 48 suggestions have seen “some degree of action.”

The recommendations emerged from four chief goals:

Developing a nationally and internationally coordinated strategy to deter attackers;

Disrupting ransomware gangs and undercutting their profits;

Helping prepare potential victims by increasing awareness and fortifying their defenses; and

Strengthening organizations’ ability to respond when a ransomware attack does happen.

Taking measure of the overall picture

It’s hard to say what’s behind ransomware’s current state. There are many overlapping phenomena, several of which Daniel, CEO of the Cyber Threat Alliance, mentioned:

The war in Ukraine is keeping Russian hackers busy, and Russian ransomware gangs have been among the most notoriously active.

Governments have stepped up their efforts to combat ransomware gangs.

Everyone’s more aware of the threat it poses.

There are signs that ransomware hackers are going after lower-profile targets less likely to make headlines.

Researchers who track ransomware saw organizations’ payments to the gangs to decrypt their systems fall in 2022 compared with 2021. And, Stifel said, attacks on U.S. critical infrastructure are less frequent. At the same time, “we are seeing large attacks on critical infrastructure outside the United States, and we still know that hospital systems and school systems and state and local governments, in addition to small businesses, are still getting hit,” said Stifel, chief strategy officer for the Institute for Security and Technology.

Both say that ransomware remains a major problem. And our March survey of cybersecurity experts found that they feared ransomware will be worse in 2023 than in 2022.

Taking measure of progress

Stifel was reluctant to explicitly trace any cause-and-effect gains against ransomware to the task force’s report.

But the recommendations are being implemented, and one big indicator of that is the Biden administration’s national cybersecurity strategy, Stifel said, which emphasized the fight against ransomware and taking disruptive action against malicious hackers.

Other important reflections of the task force’s work, Daniel said, include the setup of support funds from state and local governments, and legislation that Congress passed that requires owners and operators of critical infrastructure to report to the government when they suffer a major incident or pay a ransomware attacker.

The report itself notes some of those areas of progress, as well as:

“Ongoing efforts to reduce some of the risks posed by cryptocurrency,” the form of payment ransomware gangs rely upon most.

“Governments have taken action to prioritize ransomware defenses and investigations” and “victims have changed their responses.”

Sen. Elizabeth Warren (D-Mass.) said at an Armed Services Committee hearing on Thursday that she would soon reintroduce legislation with Sen. Roger Marshall (R-Kan.) to crack down on illicit crypto, citing ransomware as a major reason.

“This is a business built on crypto,” she said.

Looking forward

The task force is looking ahead. “Part of our challenge in this is maintaining momentum while tempering expectations because this is a long-term fight,” Daniel said. “Ransomware is an incredibly lucrative business model. And it has a lot of utility for the bad guys.”

One area where Daniel said he’d like to see more progress is increasing the rate of government disruption operations. The Biden administration has been making them more of a priority, dating back even to the Colonial Pipeline attack when the Justice Department seized back some of Colonial’s payment to the hackers.

And Stifel said it’s important for governments to resist the urge to ban ransomware payments “because some of these threat actors will take it as an invitation to test it.”

If the task force was putting out its recommendations from two years ago today, Daniel said he’d want to see it include what to do about the role of artificial intelligence, which might help attackers by, say, improving the quality of their phishing emails. He also said he’d want to contemplate the role of quantum computing, which could aid defenders in decrypting systems without a key — or help gangs strengthen their encryption.

In addition to the two-year report’s release, the task force is holding an event today featuring appearances from top Biden administration officials like Kemba Walden, the acting national cyber director, and Anne Neuberger, deputy national security adviser for cyber and emerging technology.

“That actually, by the way, continues to show the U.S. government interest in this,” Daniel said.

Haines warns that foreign adversaries could exploit debt limit debate, calls intelligence leaks ‘demoralizing’

Director of National Intelligence Avril Haines warned that Chinese and Russian-linked operators would leverage a potential U.S. debt default to spread claims that the United States is a dysfunctional democracy, Peter Martin reports for Bloomberg News.

Martin writes: “It is ‘almost a certainty’ that both countries would use such an event for propaganda purposes through ‘information operations,’ using it as evidence that the US political system is dysfunctional, Haines told the Senate Armed Services Committee on Thursday.”

A default would create uncertainty about the U.S. monetary system and American institutions, she said, with the caveat that the intelligence community did not have information to provide its own assessment.

Shalanda Young, director of the Office of Management and Budget, echoed Haines and warned that China and Russia would capitalize on the “chaos” that could ensue amid a default, our colleague Amy B Wang reported.

Haines also testified that the intelligence leaks in which an Air National Guard member allegedly transmitted sensitive U.S. documents through a Discord server were “frustrating” and “demoralizing” to the U.S. intelligence community, Joe Warminsky reports for The Record.

The damage to U.S. national security “is just unacceptable on every level, obviously,” Haines testified. The documents have provided revelations about U.S. assessments about the Russia-Ukraine war, competitiveness with China and foreign spying, among other issues.

AI and tech companies agree to open up their systems at Def Con

A group of tech and AI companies agreed to have their systems publicly hacked at this year’s Def Con conference, in a move led by the White House to expose potential security risks posed by AI, Elias Groll reports for CyberScoop.

“Attendees at the premier hacking conference held annually in Las Vegas in August will be able to attack models from Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI in an attempt to find vulnerabilities,” Groll writes.

The announcement came leading up to the White House hosting the chief executives of Google, Microsoft, Anthropic and OpenAI to discuss AI risks.

Generative AI tools like ChatGPT have sparked concerns from cyber experts over how they can write malware or spread believable disinformation.

Sven Cattell, the founder of Def Con’s AI Village, tweeted that the tests would serve as an educational opportunity for the public:

12) I don't know exactly what needs to change, I want to show hackers and policy people the problem up close and bring the people who have experience with this to talk about their ideas. — Sven Cattell @comathematician@infosec.exchange (@comathematician) May 5, 2023

Artificial intelligence has also been getting scrutiny on Capitol Hill. Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) last week wrote to several AI and tech companies asking them to prioritize security measures and bias mitigation in the design and development of their AI systems.

The letter singled out AI-linked security risks, including “the origin, quality, and accuracy of input data (data supply chain), tampering with training data (data poisoning attacks), and inputs to models that intentionally cause them to make mistakes (adversarial examples).”

Former Uber security chief sentenced for breach coverup, will avoid prison

Former Uber chief security officer Joe Sullivan was sentenced for covering up the theft of company data on 50 million Uber customers in 2016, but he will not go to prison, our colleague Joseph Menn reports.

“U.S. District Judge William Orrick sentenced Sullivan to three years of probation, noting his significant past work in protecting people from the sort of crime he later concealed. He also said that Sullivan’s steps had succeeded in keeping the stolen data from being exposed,” Joseph writes.

Sullivan is the first corporate executive to be convicted of charges stemming from a data breach carried out by outside hackers, the report notes.

The hackers “used a stray digital key Uber had left exposed to get into the Amazon account, where they found and extracted an unencrypted backup of data on more than 50 million Uber riders and 600,000 drivers,” Joseph writes. “Sullivan’s team steered them toward Uber’s bounty program and noted that the top payout under it was $10,000. The hackers said they would need six figures and threatened to release the data.”

“Negotiation ended with a $100,000 payment and a promise from the hackers that they had destroyed the data and would not disclose what they had done,” Joseph writes. “While prosecutors called it a coverup, testimony showed that Sullivan’s staff used the process to get clues that would lead them to the real identities of the perpetrators, which they felt was necessary leverage to hold them to their word. The two were later arrested and pleaded guilty to hacking charges, and one testified for the prosecution in Sullivan’s trial.

“The obstruction charge drew strength from the fact that Uber at the time was nearing the end of an FTC investigation following a major 2014 breach, which occurred before Sullivan joined the company,” Joseph writes.

More than 180 letters were filed that praised Sullivan and asked he not be jailed. One such letter was signed by 40 current or former chief security or chief information security officers, Joseph writes.

