A ransomware attack by a Russian cybercriminal group forced the largest petroleum pipeline in the United States to shut down. The worst attack ever on U.S. critical infrastructure, it is only the most recent in a growing wave of attacks, one for which the U.S., like other governments, is not prepared.
Getting prepared will require a whole-of-society effort, one in which governments, businesses and citizens all recognize the importance of cybersecurity and then act accordingly. We have a long way to go.
Ransomware involves the insertion of malicious software into a computer network that locks it up or encrypts the data; either way, computers are effectively shut down — literally. After an attack a few years ago, one company had to throw away virtually every device — computers, printers, servers, routers, phones — connected to its network.
Criminals demand payment, usually in cryptocurrency, for a key that will release the computers or the files. In a new twist, criminals demand a second payment so that files on the hacked computers are not made public.
Whichever technique is used, it is extortion. Cybersecurity experts now warn of “ransomware as a service,” in which a criminal organization develops ransomware and then allows an affiliate to use it for a fee or a slice of the payout.
It is a growth market. In “Combatting Ransomware,” a report and framework by an international task force of industry experts, the problem is called “an urgent national security risk around the world.” One analysis identified 304 million ransomware attacks worldwide in 2020, a 62% increase from the previous year.
The ransomware task force estimated that payments to ransomware cryptocurrency accounts reached $350 million in 2020, a 311% increase. Total losses — including downtime and remediation — are forecast to reach $20 billion this year.
There is no easy fix. Critical infrastructure itself is, in many cases, old and insecure. Once isolated from the internet and run by specially designed software, those operating systems are now increasingly online (as corporate operations become more dispersed, the need for connectivity grows) and use standardized systems, which means that hacks can be used against more targets.
More worrying, security is less important than speedy and efficient connections. For utilities regulated by governments, security is an additional cost that regulators scrutinize. This is a perverse incentive structure.
A first step, then, is for governments to establish standards or guidelines for cybersecurity. U.S. President Joe Biden this week issued an executive order that directs the Commerce Department to craft cybersecurity standards for companies that sell software to the federal government.
Hopefully, it will serve as a baseline for other governments and the private sector, too. It is also important to ensure that private companies that provide critical services — a growing number given the popularity of “public-private partnerships” for infrastructure — are alert to and acting upon this threat.
Critical to any response is a requirement to share information about attacks with law enforcement and industry groups. Often, victims remain silent, fearful of reputational damage if exploits are made public. Given the increasing uniformity of operating systems, that silence facilitates other attacks: other companies are not aware of their vulnerability.
It has been reported that Japan will set up a cybersecurity unit in fiscal 2022 that will allow industry, government and academia to study cyberattacks and develop more effective defenses. It is a welcome, but long overdue, development.
A second step is going after the criminal groups behind this growing business. Attribution can be difficult, but it is not impossible. In the Colonial Pipeline attack, the perpetrator was identified as a cybercriminal group called DarkSide, which admitted its involvement but confessed that it did not want to cause “social unrest.” Countering these groups demands that law enforcement agencies prioritize cybersecurity.
For the most part, these are international gangs, so governments can use intelligence agencies as well to track them down. Financial authorities have a vital role given the criminals’ reliance on cryptocurrency for payments. In other words, governments must use initiatives that cross administrative and agency lines.
Victims need guidance on how to deal with these attacks, too. One suggestion is banning ransom payments, a measure that could extend to insurance companies. Colonial is reported to have paid nearly $5 million to get its computers decrypted. A survey of Japanese companies revealed that one-third of those who admitted to having had ransomware attacks paid an average of $1.17 million. In truth, there is no easy answer to this problem, no one-size-fits-all solution.
Going after criminals is complicated by the hazy relationship between these groups and some governments. DarkSide is thought to operate from Russia; its spokesperson speaks Russian; some of its code is in Russian and there are no records of it attacking Russian targets. U.S. officials note that there is no evidence of official Russian government involvement in its operations, but there are allegations — and substantial evidence — that hacker groups have approval, tacit or otherwise, to go after Western targets.
Still, governments that shelter hackers can be held accountable too. If perpetrators can be identified and located — and they can — then pressure can be applied. At a minimum, international standards can be agreed and frameworks established for some criminal behaviors.
Ultimately, we all must get serious about cybersecurity. Governments, businesses and individual citizens must understand not only that they are vulnerable in our connected world, but also that they all have a role to play in securing it.
The Japan Times Editorial Board