Brief #45 – Technology
By Charles A. Rubin
Ransomware on the Uptick: A Clear and Present Danger
May 14, 2021
Policy Summary
The Colonial Pipeline Company, which describes itself as “the largest refined products pipeline in the United States,” transporting gas and jet fuel through a pipeline system spanning 5,500 miles between Texas and New Jersey, reported on Friday, May 7, that it was the victim of a ransomware cybersecurity attack. The company assured the public that the attack had affected only its information technology systems and not its operational capacity but that, as a precaution, it was proactively taking certain systems offline to contain the threat. The action temporarily halted all pipeline operations, effectively cutting supplies to much of the Eastern seaboard.
The incident is only the latest in a series of attacks that have been occurring with alarming frequency and have targeted hospitals, local governments and businesses large and small. The cybersecurity firm Kaspersky estimates that by the end of 2021 a business will be targeted by a ransomware attack every 11 seconds, causing up to $20 billion in damage. This does not factor in any ransom payments.
Law enforcement, government and business seem powerless to stop it.
Analysis
Ransomware attacks are those which use malware to encrypt the data and files of targets, either on individual computers or on a company’s servers. The attacks are difficult to detect and repel because they are multi-layered. The vast majority of successful ransomware attacks start with reusable passwords being obtained through phishing and email trickery. Another attack vector is innocuous-looking attachments, such as invoices or other documents, that an unsuspecting user opens, starting the chain of intrusion. Unpublished operating system flaws are then exploited. More recently, insecure or unpatched remote access methods put in place during the pandemic have enabled more direct attacks.
What is important to note is that ransomware is now a lucrative industry that knows no borders and operates hidden in the shadows. The Federal Bureau of Investigation (FBI) and National Security Agency (NSA) have identified the groups behind many of these attacks, but they are a long way from shutting them down or apprehending their masterminds.
While some organizations choose to pay ransomware demands, doing so is generally not recommended: there is no guarantee that access to infected systems will be restored, and by paying up, victims further incentivize these forms of cyberattack. Many companies don’t disclose ransomware attacks or, if they do, won’t reveal the attackers’ demands.
The government’s response has been tepid at best. The recommended strategy has been mitigation: requiring frequent password changes, using strong and unique passwords, enabling multi-factor authentication, segmenting systems so that an infected system cannot infect others, keeping operating systems up to date, and deploying anti-malware software. This is all good advice, but it is not enough.
Throughout this crisis it became clear that the energy sector, in particular, is privately, not publicly, controlled, meaning that this attack on our infrastructure placed private companies on the first line of defense against, seemingly, foreign adversaries. Yet these same companies have exposed their systems on a very public internet. Since it is clear the internet cannot be policed, it is imperative that critical infrastructure be disconnected from it or, at the very least, operate under stricter guidelines.
Our interconnectedness has enabled many to weather the pandemic, but it has also made us even more vulnerable. We desperately need law enforcement to intervene and national governments to cooperate in identifying and punishing countries that sanction this activity within their borders.
Engagement Resources
- Cybersecurity and Infrastructure Security Agency and FBI Joint Statement on the Colonial Pipeline Attack
- The Institute for Security and Technology has a Comprehensive Attack Plan for Ransomware
- The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks – Read their Ransomware: A Resource Guide
- Mitre Corporation maintains federally funded R&D centers and public-private partnerships to tackle challenges to public safety, stability, and security.