

How to help stop the surge of ransomware attacks

Companies and governments need to cooperate more closely

By Andy Purdy

Call it the Year of Ransomware. Global attacks increased by 151% in the first half of 2021, surpassing the total volume for all of 2020. Victims included a major U.S. oil and gas pipeline, Ireland’s national health service, and the public school systems in Maryland and New York state. French insurer AXA was hit just days after announcing it would no longer cover damage for ransomware attacks in its home market.

These attacks inflict real damage. One survey estimates the average total cost of recovery – including downtime, labor, and ransom – at more than $1.8 million per attack. 

Even that number seems low. The Illinois Attorney General’s office, hit in April, chose not to pay the ransom but spent $2.5 million to repair its computer systems and communicate with people affected by the breach. State lawmakers subsequently increased the AG’s cyber security budget by $8 million.

Many companies see paying ransom as the quickest way to get their businesses up and running again. But the FBI says it just encourages more attacks, and experts are debating whether payments should actually be outlawed in order to remove the economic incentive. AT&T’s former Senior Vice President and Chief Security Officer advises victims with no other options to “pay the damn fee” – then take steps to make sure it doesn’t happen again.

What can be done about ransomware?

First, vulnerable companies – which is almost all of them – should be incentivized to increase their cyber security preparedness and held accountable if they fail to do so adequately. The Biden Administration is exploring “how to accelerate voluntary adoption” of improved cybersecurity measures. Still, only federal agencies and government contractors are currently required to follow certain cybersecurity guidelines.

Organizations that operate without adequate protections in place should face consequences to a much greater extent than they do now. We need the ability to assess the effectiveness of risk management controls before there is a breach or attack. Moreover, companies must be held accountable if they fail to meet stipulated requirements, even if a breach hasn’t occurred yet.

As businesses collect more data, they must proportionately increase their investment in cyber risk management. Far too many companies, including a fair number of the Fortune 500, lack adequate cyber defenses. Ignorance is no longer an excuse: the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a fact sheet outlining how companies should protect themselves against ransomware attacks. A world of resources is at companies’ fingertips.

Next, the private and public sectors should share information about cyber threats, vulnerabilities, attacks, and attempted intrusions. As I wrote in my last post, the White House recently issued an Executive Order (EO) to help strengthen the cyber defenses protecting government agencies and critical infrastructure. Among other things, the EO requires companies contracting with the government to disclose any significant cyberattacks.

While this requirement is a good first step, every company – not just government contractors – should be working with governments and other organizations to share information on cyber incidents. Faster, more complete sharing of information will improve our collective ability to anticipate and respond to cyberattacks. And this cooperation should extend to relationships with governments overseas and global companies. As things stand, the bad guys simply have too much of an informational advantage over the defenders.

Then there’s the SBOM, or software bill of materials. An SBOM lists the components in a software product much as a label lists the ingredients in a can of soup. If a piece of software turns out to have vulnerabilities, an SBOM makes it easier to track the components, locate the source of the problem, and implement patching or other risk mitigation measures. Serious consideration should be given to the idea (referenced in the EO) of incentivizing or requiring software suppliers to provide an SBOM.
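As an added illustration (not part of the original post), the following Python script shows the “locate the source of the problem” step in practice: it checks CycloneDX-style SBOMs for two hypothetical products against a single advisory and reports which products ship an affected version of the named component. All product, component, and version names below are constructed for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX-style SBOMs for two hypothetical products.
# Every product, component, and version here is invented for illustration.
SBOMS: Dict[str, str] = {
    "billing-service": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"name": "example-json-parser", "version": "1.2.3"},
            {"name": "example-http-client", "version": "4.0.0"},
        ],
    }),
    "reporting-portal": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"name": "example-json-parser", "version": "1.4.0"},
            {"name": "example-template-engine", "version": "2.1.0"},
        ],
    }),
}

# Constructed advisory: versions >= introduced and < fixed are affected.
ADVISORY: Dict[str, str] = {
    "component": "example-json-parser", "introduced": "1.0.0", "fixed": "1.3.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '1.2.3' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when the version falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected_products(sboms: Dict[str, str], advisory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (product, shipped version) pairs whose SBOM lists a vulnerable version."""
    hits: List[Tuple[str, str]] = []
    for product, sbom_json in sboms.items():
        for component in json.loads(sbom_json).get("components", []):
            if component["name"] == advisory["component"] and is_affected(component["version"], advisory):
                hits.append((product, component["version"]))
    return hits


if __name__ == "__main__":
    for product, version in find_affected_products(SBOMS, ADVISORY):
        print(f"{product}: ships {ADVISORY['component']} {version}, patch to {ADVISORY['fixed']}")
```

Without an SBOM for each product, answering “which of our systems contain this component?” means auditing every build by hand; with one, it is a lookup.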

Performance targets are another potentially helpful measure. In July, President Joe Biden signed a memorandum that directed government agencies to come up with performance goals for critical infrastructure. This “industrial control initiative” aims to develop and deploy systems that warn of an impending cyber threat to critical infrastructure. Already, 150 electric utilities serving 90 million U.S. residential customers have agreed to deploy technologies that will guard against such attacks.

President Biden’s EO shows that his Administration is committed to unifying what is currently a patchwork of industry-specific statutes and regulations that makes it hard to tell if U.S. critical infrastructure is as secure as it needs to be. The attack against Colonial Pipeline might have been averted if better systems had been in place. Implementation of performance targets can make it more likely that they will be.

Finally, to help reduce malicious cyber activity, including the spread of ransomware, countries need to develop global cyber standards and best practices to govern the protection of data and the online conduct of both companies and sovereign states. We must also promote greater transparency, as well as conformance and testing protocols, while creating mechanisms that enable real accountability for nonconformance by governments and private organizations.

The EU’s General Data Protection Regulation (GDPR) is an example of how compliance requirements can be adopted across many different countries, including several that are not a part of the EU. One big reason why GDPR has worked well thus far is that it provides very strong guidance for appropriate conduct and metes out serious penalties for violations: up to 20 million Euros or 4% of a corporation’s revenue – whichever is greater.

Similar types of standards (or other rules of the road) and conformance protocols are needed to create momentum toward a safer and more transparent cyberspace. Mechanisms should be developed to try to hold private organizations and national governments legally accountable.

While these measures won’t stop ransomware completely, they can help reduce the frequency of attacks by decreasing the economic incentives to perpetrate them and increasing the cost to cyber miscreants.

Andy Purdy is Chief Security Officer at Huawei U.S.A.
