The U.S. EO on Ransomware: What Does it Mean? – Part 2
The White House is urging companies to do more to stem the tide of ransomware attacks now that they are starting to impact critical infrastructure and supply chains. It is a good start, but what will be the implication of this to U.S. businesses?
Governments don’t hold all the answers, but they can do a lot to make the digital world a safer place to do business. Now ransomware attacks are starting to impact critical infrastructure and supply chains, the White House is pushing companies to action. This is a good start but what are the implications of its latest open letter to US businesses, urging them to do more to stem the tide of infections?
Although multi-nationals and SMBs alike have been targeted with ever greater frequency and success over the past few years, the Colonial Pipeline attack appears to have been a wake-up call for the government. It was followed just days later by a major ransomware-related outage at the world’s largest meat processor, impacting food supplies in North America and beyond.
Now Deputy National Security Advisor for Cyber, Anne Neuberger, wants US businesses to step up on cyber-security. “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location," she wrote. "We urge you to take ransomware crime seriously and ensure your corporate cyber defense match the threat."
All companies, regardless of size or sector, should certainly take note. Ransomware attacks have become the number one existential threat to their operations. Supply chains, including just-in-time manufacturing and distribution, have already been weakened due to the pandemic. Now they’re exposed to the threat of serious disruption through ransomware. It’s perhaps no surprise that the White House is gearing up to treat these attacks with the same gravity as terrorism.
What does best practice look like?
As the White House suggests, convening leadership teams to address these threats is a must. These teams should start by conducting comprehensive vulnerability assessments of their mission critical operations; their cybersecurity teams that protect them, and use these assessments to build comprehensive ransomware play books and starting testing them immediately. In parallel, organizations should be applying best practices to mitigate ransomware attacks that include:
- Prompt software patching
- Use of multi-factor authentication (MFA), especially for RDP servers
- Network segmentation
- Deploy Zero Trust architecture to slow down attackers
- Deploy XDR solutions to enhance visibility and increase response times
- Use Defense-in-depth solutions across endpoint, networks, hybrid cloud servers and email/gateway layers
- Back-up-Back-up- Back-up using the 3-2-1 rule
- Roll out comprehensive risk-based anti-phishing and security awareness training
Many of these measures are set out in a new Executive Order from President Biden, which has some useful best practice advice designed to enhance government and supplier security.
How can the government do it better?
For those ransomware affiliates launching global attacks with impunity, there’s currently little risk with high rewards. That means every year threat actor groups get richer and bolder in their tactics. Mitigating risk of ransomware attacks can only be achieved holistically. Organizations are transferring risk through larger Cyber-insurance policies, however these big payouts can be perpetuating the problem and causing big challenges for insurance companies. They are looking to change their policies or are moving to cancel or restrict their underwriting.
Government can play a broader role to reduce risk. They can increase regulation in hopes it creates risk reducing behaviours, however they could have an even greater impact by incentivizing organizations to take action. This could take the form of grants or no interest loans issued by sector specific agencies to owner operators that adopt the NIST cybersecurity framework or provide them access to lower liability programs in the form reduced tort liability, or limited indemnity. The federal government could also streamline regulation to reduce massive audit burdens and reward organizations through tax incentives.
Changing individual and organizational behaviour is a complex thing. And it will not happen overnight. But by showing how serious they’re taking the issue, the federal government and its industry partners can start to make a positive difference.
Check out my first blog where we looked at the three administrative sections and assessed their potential to be “bold changes” that rapidly reduce risk across the federal enterprise. We also assessed the potential impact to the other sectors.