zephyr18 / istock

If Government Leaders Aren’t Worried About Ransomware, They Should Be

To combat maturing cyberthreats, we need to deepen our bench.

In a survey of 450 cybersecurity leaders worldwide, 85% said they were most concerned about ransomware in comparison to other cyber threats. Their concerns are warranted. Researchers documented 188.9 million ransomware attacks in just the second quarter of 2021.

Both the White House and Congress have urged federal agencies and the private sector to take the recent explosion of ransomware seriously. The message is clear: Working with stakeholders across the public and private sectors to disrupt and defend against cybercrime, while a well-established element of cybersecurity, is a burgeoning national security priority. It takes teamwork and engagement by all to deal with this growing problem.

This alarming trend echoes findings in FortiGuard Labs’ latest Global Threat Report: Ransomware attacks increased more than tenfold over the last year, with telecom and government organizations as two of the most frequent targets. Attacks on operational technology—including industrial control systems—also increased, with incidents disrupting supply chains, critical infrastructure functionality and services we rely on every day. 

An Alarming Trend

The increase in attacks continues a trend that began in 2020, when ransomware across all industries rose sevenfold during the final six months of the year. Cyber adversaries exploited the off-site and increasingly hybrid nature of work and learning by targeting vulnerabilities in this expanded environment. 

The 2020 spike in attacks was one result of the amplified risk of transitioning to telework and remote access. Many organizations mandated use of multifactor authentication and VPN connections as workers pivoted to home offices often connected by poorly secured residential networks.

Having rolled out these basic security measures, many organizations effectively were, from a security perspective, treating their employees as if they were still logging on at the office. Yet the reality was that these users were connecting from home office environments into which employers had little or no visibility or control. It exposed organizations to additional risk in an operating environment that few users fully understood or could adequately protect. 

During the first half of 2021, attacks escalated in sophistication, often leveraging multiple modes of infection and types of damage, such as ransomware that both encrypts the victim’s network and exfiltrates a copy of the data for sale or for additional leverage in extortion. The fallout increasingly affects operational technology––the technology controlling vital processes in industrial sectors like manufacturing, transportation and utilities. Some of these repercussions are deliberate; others may be collateral damage in attacks on corporate IT networks, as IT and operational technology become progressively intertwined.

To shore up defenses and build cyber resilience against threats to both IT and OT networks, we need a holistic approach that incorporates lessons learned and capitalizes on the increased sense of urgency.

Congress’s recent push on cybersecurity is an opportunity to build on progress, broaden coordination with the state and local levels, and tap into the skills and experiences of groups traditionally excluded from the cybersecurity workforce. To combat the growing threat, we need to work smarter as well as harder, bringing to bear the full capabilities of the private sector and federal expertise and resources.

Building on Momentum, Scaling Solutions

We have seen some success in the past year. Coordination across industry and government has resulted in key victories against malicious operations. Authorities successfully took down botnet infrastructures such as Emotet, one of the largest and most prolific malware operations in recent history, using a court order against the online hosting service used by the cybercriminals. Similar operations initiated by IT firms with broad visibility into the cybercriminal ecosystem disrupted malicious cyber activity in the first half of 2021. Such successes illustrate the value of public-private sector collaboration in blunting the impact of cybercrime.  

To help organizations protect themselves and the public from IT supply chain risks, the White House announced the National Institute of Standards and Technology will work with industry to develop a new framework that will serve as “a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software,” according to a fact sheet issued by the administration following last week’s meeting.

Progress will require a focus on improving the institutional agility needed for organizations and users to fully benefit from progress in security, IT and OT. Often, the local governments, small businesses and community banks that most affect our everyday lives are even more vulnerable to attacks than large organizations—yet these “lower-level” groups lack the talent and resources to institute meaningful change. Telling these key stakeholders to increase cybersecurity in the goods and services they use is more likely to succeed when it is coupled with guidance and mechanisms, such as links to clear security criteria mapping to NIST frameworks or exemplar cybersecurity language they could use in contracts to ensure they meet security standards and best practices. 

With the growing ubiquity of cloud-based services, weaving security into their adoption and use is equally critical. Recent efforts to standardize cloud security at the federal level provide a potential model for improving cloud security at the state and local levels, ensuring all stakeholders have timely access to the evolving benefits of cloud services and accompanying security optimized for government organizations and end users. StateRAMP, a nonprofit organization modeled after the Federal Risk and Authorization Management Program (FedRAMP), offers a clear, consistent process for state and local agencies and cloud service providers to expediently align their cloud security controls with recent progress in federal standards.

Companies and agencies must also work to bolster and diversify the cybersecurity workforce. As President Biden emphasized last week, “our skilled cybersecurity workforce is not growing fast enough to keep pace” with the increasing cyber threats. Solving this issue will require addressing the cybersecurity skills gap. Tapping into underrepresented groups––especially women, minorities and veterans––increasing access to training, and opening paths to certification should be at the core of more expansive recruitment efforts across society.

Cyberattacks are becoming more aggressive, more sophisticated, and more frequent. The trends analyzed in the Global Threat Report represent an alarming threat to U.S. national security and reflect our transition to a more networked and interconnected world of digital services. We must work together to meet this challenge under a coordinated and holistic approach to building the foundations we will need for success. 

Jim Richberg is the public sector field chief information security officer and vice president of information security at Fortinet. He formerly served in senior roles in the Office of the Director of National Intelligence.