What is a common phrase that makes both an army general and a CISO happy?
“Yes boss we are safe and secure”.
Just like an army unit, the cybersecurity domain also must deal with unfamiliar faces and personalities of a cyber-attack. No matter what arms and ammunitions (read, tools and frameworks) organizations adopt to make the enterprise secure from these attacks, the adversaries always tend to mend their ways by shifting in techniques.
Recent cyber-attacks such as the SolarWinds supply chain attack, the Colonial pipeline breach, the Garmin, the JBS, and many more are still happening somewhere in some part of the world. In several instances, they are still not detected, thereby leaving the cybersecurity industry stretched thin.
In recent years, ransomware incidents are increasingly prevalent among the US state, local, tribal, and territorial government entities, and critical infrastructure organizations.
A majority of the state-sponsored cybersecurity attacks are happening as ransomware. Hence, there is a growing realization in the federal government across the world to term this as another form of terrorism.
In the wake of the colonial pipeline attack, the US Department of Justice has elevated investigations of ransomware attacks to a similar priority as terrorism. Newly introduced regulations from the regulatory bodies such as the SEC and OFAC protect ransomware victims by preventing them from paying the ransomware amount as demanded by the attackers. Accordingly, they signal a new area of regulatory enforcement that will likely become the government’s most powerful tool to curb the spread of ransomware.
The SEC’s latest Cybersecurity Guidance also focuses on disclosure requirements as they relate to ransomware or other cyber-attacks. This has also resulted in a division of opinion between the law agencies, government entities, and corporates on whether the treatment of ransomware should take the form of a regulation. Paying the ransom may be a less expensive option for cash-strapped companies rather than building their entire infrastructure again from the scratch. Or should agencies and corporates wait in a precarious position when the nation’s infrastructure or people’s life is at stake (read the attack on Ireland’s health services ).
Irrespective of the opinions, the lawmakers still think that preventing payment of the ransom may have a positive long-term impact. This might force criminals to move to alternate modes of making money which are not outlawed.
Some of the regulatory guidelines and practices by the law-making agencies in view of ransomware attacks are as under:
- The US President Joe Biden’s Executive Order charting a new course to improve the nation’s cybersecurity and protect the Federal Government network
- Regulations governing legitimate cryptocurrency trading platforms
- OFAC and the Financial Crimes Enforcement Network (known as “FinCEN”) warned that companies risk violation of OFAC regulations, and the imposition of regulatory and financial penalties, when they make or facilitate ransomware payments to threat actors who are, or are agents of, sanctioned persons
- The Office for Civil Rights (“OCR”), the HHS agency responsible for regulations of healthcare organizations deems ransomware attacks as a serious breach and has strict compliance requirements that fall under HIPAA’s breach notification rule, 45 C.F.R. Part 164, Subpart D
- State laws such as the NYDFS also echoed the federal regulatory concerns and issued Insurance Circular Letter No. 2, which discussed cyber insurance carrier risk related to making ransomware payments
- EU legislative proposals for strengthening anti money laundering (AML) and countering terrorism financing (CFT)
- Recent guidance from the UK National Cyber Security Center (NCSC)
Though generally skeptical that the new laws are what's needed to secure the nation's cyber-infrastructure, the cybersecurity experts and risk scholars contend that the best approach is preparation—following best practices such as regularly backing up data, educating employees about threats and risks, and maintaining robust detective and preventive controls. As the enforcement agencies take their own course to develop actions against ransomware as a regulation , some basic points of cyber hygiene mentioned below are definitely a collective call for action to prevent ransomware attacks from happening at the first place:
- Web application and API security
- Monitoring the new threat vectors to attack and break the cyber kill chain
- End-point security enhancements through next-gen EDR solutions
- Data backup and vaulting to ensure recovery of critical data and business resiliency
- Implementing a zero-trust approach for every individual and device within an enterprise
- Implementing network segmentation
- User awareness and training, especially around phishing
- Security of remote access tools
- Usage of user and entity behavior analysis to detect and alert for any user or system abnormality
Ransomware is not going away– at least anytime soon. It is important that the organizations gauge their readiness by doing their risk assessments and taking appropriate corrective actions to face this unknown enemy terrain. It is also imperative that organizations consider the impact of federal and state regulations on their supplier operations as well. This ensures that every party understands what needs to be done in event of a ransomware incident.