“The scale of this problem is that I think the country has to deal with it,” he said.
Ray’s remarks reflect a developing consensus within the Biden administration that ransomware is one of the most serious threats to national security the United States has ever faced. And it’s part of a broader, all-hands effort by the White House to convince the public that it has control of the situation — even as some cybersecurity experts say the executive branch is limited in what it can unilaterally do to stop attacks.
15,000 ransomware incidents in the past year
The United States was hit by more than 15,000 ransomware incidents against organizations last year alone, according to Brett Callow, a threat analyst at cybersecurity firm Emsisoft. Callow said the attacks cost the US an estimated total of between $596 million and $2.3 billion in ransom payments and lost productivity in 2020. He added that the true figures could be even higher, as Emsisoft’s estimates accounted for only confirmed cases of ransomware incidents.
According to Callow, over the years, bullying actors have been able to kill large enterprises in new attacks.
A DOJ memo issued Thursday by Deputy Attorney General Lisa Monaco instructs US prosecutors to internally report all ransomware investigations they are working on, in a move designed to better coordinate the US government's tracking of online criminals.
The memo cites ransomware – malicious software that seizes control of a computer until the victim pays a fee – as an immediate threat to the nation’s interests.
“We must increase and centralize the internal tracking of investigations and prosecutions of ransomware clusters and the infrastructure and networks that allow these threats to persist,” Monaco wrote.
And in a letter sent from the White House, the National Security Council’s top cybersecurity official, Anne Neuberger, wrote to corporate executives and business leaders that the private sector needed to better understand its critical role.
“All organizations should understand that regardless of size or location, no company is safe from being targeted by ransomware,” Neuberger wrote. “We urge you to take the ransomware crime seriously and ensure that your corporate cyber defense matches the threat.”
Neuberger said US businesses of all sizes should immediately implement security measures such as creating offline backups of critical data, implementing multi-factor authentication, and enforcing encryption.
In Journal interviews, Ray lashed out at the Russian government for allowing cyber actors that the United States and others believe to be behind the recent Colonial and JBS attacks to continue operations in Russia.
“Time and time again, a great deal of them locate actors in Russia. And so, if the Russian government wants to show that it’s serious about this issue, it’s time for them to demonstrate some real progress. There’s a lot of space that we’re just not seeing,” Ray said.
Attack on agenda when Biden meets Putin
The administration is “not taking any options off the table” in response to the JBS incident, Press Secretary Jen Psaki said in a press briefing this week.
Those announcements follow several weeks of other moves by the administration designed to show how aggressively it is tackling the threat of cybercrime and foreign hacking.
In April, the Justice Department launched an internal task force dedicated to hunting down ransomware criminals and disrupting their financial networks. The White House announced a 100-day sprint to assess the cybersecurity of the nation’s electric grid, working with utilities to install surveillance technology that can scan for signs of hacking.
Following the Colonial Pipeline closure, the Department of Homeland Security took emergency measures to compel the critical pipeline industry to report cybersecurity incidents to the federal government within 12 hours and designate a “24/7, always available” cybersecurity coordinator. Within 30 days, companies must also assess how their practices are in line with the TSA’s long-standing pipeline safety guidelines.
Officials acknowledged that it was the first step in the wake of the attack that halted the operation of one of America’s most important fuel pipelines.
Meanwhile, according to two sources familiar with the situation, the US government has taken some aggressive steps in recent months in response to the ransomware. The move involves compromising and monitoring cybercriminal networks and, in some cases, identifying individual actors involved in specific attacks within hours.
The capabilities of the US government are limited
But while the Biden administration is taking a tougher stance on ransomware, it still struggles with the limits of its capabilities. Sources told CNN that the government’s power to break into ransomware gangs is “situationally dependent” on the perpetrators’ own sophistication and defensive measures.
Asked on Wednesday whether he planned to retaliate against Russia for the JBS ransomware attack linked to Russia, Biden told pool reporters: “We’re looking at that issue closely.”
US officials have been drawing comparisons between the hacking threat and terrorism for years.
In 2018, President Donald Trump’s Director of National Intelligence Dan Coats warned that the system was “blinking red” again as foreign actors conduct a series of cyber infiltrations and attacks against targets in the United States, a reference to the dangerous activity observed before 9/11.
“And here we are nearly two decades later, and I’m here to say that the warning lights are turning red again. Today, the digital infrastructure that serves this country is really under attack,” he said at the time.
At a strategic level, the administration’s moves to appoint senior cybersecurity officials or ban governments harboring cybercriminals could have significant long-term effects – such as creating stronger international standards discouraging hacking – but are unlikely to change ransomware actors’ risks or financial incentives in the short term, said Alexis Serfetti, a senior analyst at Eurasia Group, a political risk consulting firm.
The administration must grapple with the limits of its authority imposed by law, as well as gaps in legislation that Congress has neglected to fill for years.
Legal and industry experts say it is not possible for the Biden administration to enforce a single, standard set of cybersecurity rules governing the full range of critical infrastructure sectors such as pipelines, airlines, telecommunications networks and more. The complexity of each industry, and their relationship to the wider US economy, show how difficult it is to design cyber security rules, let alone enforce them.
“You’ve got, you know, it’s not easy to achieve a standard setting of patchwork, checkerboards, regulatory requirements, contractual obligations. And cyber minimum requirements that you’ll apply to all 16 [critical infrastructure sectors],” said Chris Kaminsky, former DHS Acting Under Secretary.
Where the executive branch gains the most, along with the private sector, is in its vast buying power. By setting cybersecurity rules for federal agencies, Biden could indirectly shape commercial cybersecurity, winning over contractors who don’t meet the standard, Kamisaki said.
Ed Amoroso, CEO of cyber security firm TAG Cyber, said the administration could do more to expand commercial incentives. For example, Amoroso said, the US government could subsidize training for new cybersecurity professionals to help organizations implement the latest best practices.
“In every field, there are not enough people who know how to do this,” Amoroso said. “I am begging the administration to please turn on the Cyber Core program.”
Role of Congress
Congress has its own role. For years, lawmakers have struggled to create a single, federal law that spells out when and how companies must report data breaches. While many states have their own breach notification rules, and some rules exist at the federal level in specific contexts, such as securities regulation, the US is largely governed by a patchwork of data breach rules.
Meanwhile, the federal agencies charged with regulating specific sectors of the economy each have their own congressional charter that spells out what they are empowered to do, and in some cases, the same agency may need to regulate one industry in a different manner from another. All this makes it difficult to develop mandatory cybersecurity regulations.
According to cyber security experts, this is the result of a difficult conversation about who should take responsibility for protecting the public from cyberattacks – the government or the private sector.
“The struggle right now is to understand who is going to manage that risk,” said Sergio Caltagirone, VP of threat intelligence at cybersecurity firm Dragos. “Is the US government going to protect critical infrastructure, or should the US government provide more tools and capabilities and approaches to these companies to do it themselves?”
CNN’s Alex Marquardt and Jamie Crawford contributed to this report.