Ransomware Called Exploding Threat, More CISA Money Needed
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency needs to beef up its Joint Cyber Planning Office for wider communication routes between government and industry, and Congress "needs to put CISA on a path to being a $5 billion agency," House Homeland Security ranking member John Katko, R-N.Y., told a Wednesday Cybersecurity Subcommittee ransomware hearing. The past 18 months brought an increased frequency of cyberattacks, plus growing sophistication of threat actors and larger amounts being demanded of victims, experts said at a Chamber of Commerce webinar, also Wednesday. Homeland Security Secretary Alejandro Mayorkas called ransomware one of DHS' "most-significant priorities."
Katko said CISA is using the state cybersecurity coordinators, as authorized by the National Defense Authorization Act. "There's more to be done" and it needs more resources, he said. Mayorkas said small businesses are 50% to 75% of the known victims of ransomware attacks, and such intrusions increased more than 300% last year. He said DHS chose ransomware as the first of a series of 60-day cybersecurity "sprints" aimed at ramping up existing efforts. He said CISA and the Secret Service have resources for businesses, and the agency is exploring increased grant spending on cybersecurity issues.
The scope of ransomware attacks is impossible to know because many are never reported to authorities, said CISA Executive Assistant Director-Cybersecurity Eric Goldstein. Hogan Lovells cybersecurity lawyer Pete Marta said clients almost always start out adamant they won't pay, but "reality sets in" after a day or two, and paying can be the right business decision. David Smith, Secret Service agent in charge of its Criminal Investigative Division, said ransomware actors sometimes are proud of their reputations for holding up their end of the bargain, but "you cannot trust a criminal to be a righteous player."
Roughly two-thirds of ransomware attacks originate with phishing emails containing attachments or links, said Splunk Senior Director-Security Lisa Wallace. Goldstein said it's "simply not realistic" for most businesses to try for the cybersecurity capacities and technologies that a major bank or federal agency has. They are better off deploying basic capabilities and working with cybersecurity service providers for threat monitoring or managed security services, he said. He said a variety of basic steps can drive down risk, such as enabling automatic software updates or deploying patches promptly when they're released. The goal of ransomware is finding an organization's "crown jewel data" and then stealing or encrypting it, so identifying that data and ensuring it's backed up offline, separate from the main network, at regular intervals "is the most powerful remedy," Goldstein said.
Hogan Lovells' Marta said ransomware attacks have been going on for years, and companies "are getting pummeled" now, with two to three clients a week contacting his firm for help with an attack. Many don't make it into the news, he said. Marta said a mistake businesses often make is believing they won't be a victim because they aren't a big player or their industry seems an unlikely target. A small manufacturer is more likely to be hit than a seemingly more lucrative target because it "unquestionably" has fewer defenses, he said. The sophistication of attacks is growing from simple encryption of important business data to weeks-long theft of sensitive data, capped with installation of malware, so there are multiple pressure points for paying up.