White House in spring season at twilight showing open letter on ransomware attacks on critical infrastructure

White House Open Letter on Ransomware Attacks Calls on Private Industry to Voluntarily Adopt Standards for Federal Contractors

After seeing substantial portions of the gasoline and beef supply kept from the market for days due to ransomware attacks, the United States government is calling on private organizations to shore up cybersecurity to the standards required of federal agencies and their contractors.

The call is voluntary at this time, but it is an unusual measure for the federal government to take and the straightforward language makes plain that the Biden administration is expecting immediate action. Recipients of the letter included companies responsible for maintaining critical infrastructure as well as organizations that engage with the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).

Successful ransomware attacks prompt nationwide reassessment of security postures

The White House responded to the Colonial Pipeline attack with a proposed set of new cybersecurity requirements for federal agencies and their various vendors (via executive order), which is expected to roll out gradually over the remainder of 2021. The only firm requirement thus far is that the organizations in question conduct a review of their cybersecurity posture, but there are ambitious changes forthcoming: standardization of attack reporting and information sharing processes, creating a new standard centered on zero-trust architecture, and establishing a universal response playbook among them.

The White House letter seems to indicate that private industry is expected to follow along. Anne Neuberger, deputy national security adviser for cyber and emerging technologies, encouraged companies to voluntarily adopt many of these measures meant to deter ransomware attacks. The letter appears to be an opening maneuver in convincing companies to seriously address and upgrade necessary cyber defenses, something that is frequently put off due to budget concerns or a lack of awareness of how serious the consequences could be.

The latter of those excuses is wearing thin after a month in which gasoline supply was severely disrupted in the US and meat production was briefly shut down in several countries due to ransomware attacks, following a period of about two years in which ransomware has experienced a renaissance and evolution. Ransomware gangs now make as much (or more) providing their product to less sophisticated criminal actors, theft of sensitive documents and blackmail are an increasingly common component, and attackers are more willing to cause real-world damage. The first death directly attributable to ransomware occurred in 2020 as a German hospital was forced to shut down and a patient headed for the emergency room died in transit to another facility.

Neuberger also noted that even companies that are generally security-conscious sometimes have trouble with an executive-level perspective on the linkage between ransomware attacks on servers and the level of disruption that will have on physical day-to-day operations. The Colonial Pipeline attack served as an example; the ransomware did not cripple the actual physical infrastructure used to deliver gas, but compromise of the billing and inventory systems forced the company to shut the distribution aspect down. Chris Grove, Technology Evangelist for Nozomi Networks, points out that sometimes operations may be halted not even out of necessity but simply due to a poorly-structured response plan: “In many ransomware cases, it’s the abundance of caution on the victim’s side that causes them to initiate their own shutdowns of operations, not the attack itself causing the shutdown. The ransomware may have never hit the parts of the network that were isolated, but a decision was made by the facility operators to limit the blast radius of the attack, or segment off sections of infrastructure to protect it. Those networks may have been able to resist the attack, or may have been super-secure. But in the end, it doesn’t matter. The attackers were able to shut down and impact infrastructure outside of the scope of their attack … Defenders need to understand this, and start thinking about consequence reduction activities, not only prevention. Organizations that adopt that mindset will fare much better than those that didn’t.”

The letter also briefly addresses ransom payments, a contentious subject among political and cybersecurity figures. Some feel that ransomware attacks will not cool off until ransom payments are banned, with potential fines for violators. The opposite view is that some companies have no option but to make a payment or face financial ruin or the potential of even greater fines from release of confidential customer information, making any ransomware attacks that manage to land a death sentence. Few governments are seriously considering banning ransomware payments at this time, but the prospect of fining companies that make a payment to parties with connections to terrorist groups has been raised in the US. For the moment, the Biden executive order has made clear that ransomware payments will not be penalized.

Though the particulars of the executive order are still unfolding, the open letter concluded with a “What We Urge You To Do Now” section providing concrete recommendations to organizations. The first is to implement multifactor authentication for all employee logins, something that security professionals have almost universally been recommending for some years now. It also encourages organizations to regularly back up everything necessary to restore systems in the event of ransomware attacks and to segregate at least one copy of these backups from the rest of the network to prevent contamination. Other recommendations include establishing a penetration testing schedule and ensuring that a response plan for ransomware attacks is in place. One final recommendation is a simple one, but one that worrying amounts of organizations are not doing; keep up with security patching. A recent study by BitSight found that about 40% of the food production industry is failing to keep up with security patches, something that might have averted the JBS ransomware attack.

Saryu Nayyar, CEO of Gurucul, sees these recommendations as a solid basic launching point but feels that organizations need to be well past this stage of shoring up internal cybersecurity given the frequency and sophistication of ransomware attacks: “These are all excellent recommendations. However, there is a missing element of proactive defense here. Organizations need to implement cyber defenses that can reduce the attack surface and detect ransomware attacks in real-time, not just prepare for quickly resuming operations after a ransomware attack. Modern security operations should include data science powered technology paired with traditional cyber defenses to thwart ransomware attacks. Privileged access management, continuous authentication, MFA, risky account discovery and cleanup, intrusion detection, behavioral analytics, data loss prevention, firewalls, Endpoint Detection and Response (EDR) or even better Extended Detection and Response (XDR) – all these are modern security measures needed to keep attackers from successfully penetrating corporate networks and interrupting operations.”

Bill O’Neill, VP of Public Sector for ThycoticCentrify, added five of his own recommendations for hardening defenses against ransomware attacks:

  • “Invest in security awareness programs that educate employees on how to avoid spear-phishing attacks and detect potential ransomware.
  • Keep anti-virus and anti-malware software updated with the latest signatures and perform regular scans.
  • Frequently back up data to a non-connected environment and verify the integrity of those backups regularly.
  • Implement Privileged Access Management (PAM) best practices and solutions to control administrative user (i.e., sysadmins, DB admins, or user admins) access to critical and sensitive IT systems, applications, and workloads.
  • Vault shared privileged accounts for emergency access only and enforce least privilege for administrators – grant just enough privilege, just-in-time, for a limited time, and leave zero standing privileges.”
It is an unusual measure for the federal government to take and the straightforward language makes plain that the administration is expecting immediate action. #ransowmare #cybersecurity #respectdataClick to Tweet