
Can Government Effectively Help Businesses Fight Cybercrime?

From the Biden administration's pledge to take action to INTERPOL's focus on ransomware as a global threat, governments are looking to help businesses cope with cyberattacks. But can it really work?

When Team Cymru's James Shank worked with the Ransomware Task Force to come up with the worst-case scenarios for a ransomware attack, the group focused heavily on impacts: How could attackers endanger people or cause significant damage to infrastructure?

However, the group also focused on vectors - including an exploitation chain that amplifies attacks by compromising the software supply chain, infecting managed service providers and propagating too quickly for defenders to react. In short, the scenarios the group came up with looked very similar to the attack against managed service providers using a vulnerability in the Kaseya Virtual System Administrator (VSA) servers that happened on July 2.


The ability to use existing update and control mechanisms to propagate an attack is often referred to in military jargon as "force amplification," Shank says.

"That was one of the identified vectors that we explicitly called out, because it has wide-ranging impact," he says. "Force amplification that is one of the things that we explicitly did identify as a technique that should be considered part of the worst case of scenarios."

The attack—along with attacks on oil-and-gas transport network Colonial Pipeline and meat packer JBS USA—highlights the capability of ransomware groups to affect large numbers of people, and the bottom line that attack techniques are evolving. Without any fear of retribution, the groups behind the schemes will likely only get better. Individual companies have little recourse except to improve their defenses, stay on top of the latest techniques, and prepare to minimize business disruption in the event of an attack. 

Yet governments are hobbled as well. On Friday, US President Joe Biden discussed the attacks with Russian President Vladimir Putin, requesting cooperation and pledging consequences for any inaction, according to reports. What those consequences will be is unclear.

"I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden told the White House press.

In March 2020, the Cyberspace Solarium Commission (CSC), a bipartisan group of legislators and cybersecurity experts, recommended more than 80 policy initiatives aimed at improving US cybersecurity. Among the foundations of the recommendations, the CSC focused on deterrence: shaping rival nations' behavior, denying benefits to attackers, and imposing significant costs on any successful attack.

So far, at least 27 of those recommendations have been turned into US policy, and the commission hopes another 30 will be introduced as legislation or executive action this year.

While companies need to better defend themselves, the government can help them by recommending cybersecurity measures and passing along threat information, and by taking actions to dissuade attackers, whether through sanctions against collaborating countries, indictments of individuals, or offensive operations against the infrastructure criminals use and the financial windfalls they collect, says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD) and executive director of the Cyberspace Solarium Commission.

"No one of them can solve it alone—you have to do all three," he says. "We need to be working consistently across all three of those lines of effort."

The Ransomware Task Force recommended five policies: coordinated diplomacy and law enforcement efforts, an aggressive whole-of-government campaign by the United States to dissuade ransomware groups, the establishment of cyber response funds to help businesses, an international framework for responding to ransomware, and more regulation of cryptocurrency. The recommendations cannot be implemented piecemeal but need to be pursued all at the same time, says Team Cymru's Shank.

He has high hopes for such an approach. While companies and nations may seem to be at a disadvantage compared to cybercriminals operating in other jurisdictions, the vast majority of interests lie in solving the problem of ransomware, he says. 

"The attackers—compared to the army of people who have an interest in them not being successful—they are way, way outnumbered," he says.

Ransomware as Terrorism

The United States is not the only nation whose government has put a spotlight on ransomware. On July 8, INTERPOL put the threat of ransomware on a par with terrorism as a priority for collaborative law enforcement efforts.

Ransomware is unquestionably a worldwide problem. WannaCry and NotPetya, two cyberattacks that mimicked ransomware, caused tens of billions of dollars in damage, shutting down operations not only at US companies but at European and Asian firms as well. The vast majority of businesses affected by the Kaseya ransomware attack were outside the United States, with 45% of downstream attack attempts detected by Kaspersky occurring in Italy and 15% in Colombia. The United States ranked second, with 26% of detections of the REvil ransomware payload.

In its annual conference this week, INTERPOL called for tighter partnerships between countries to combat ransomware and other threats.

"A global strategy in response to the threat of ransomware is critical – one where we successfully build trust, see effective exchange of data, and maximize rapid operational assistance to law enforcement agencies," INTERPOL Secretary General Jürgen Stock said in a statement.

Companies also need to do more to protect themselves from attacks. When automation delivers cost savings, those savings should be reinvested in security, says FDD's Montgomery. Colonial Pipeline benefited from significant automation of its operations, but it did not invest the resulting savings in cybersecurity to keep its oil-and-gas transport network safe, he argues.

"They let go dozens and scores of people when they automated, and when they were attacked, Colonial Pipeline could not have reverted back to the 1960s when their pipeline was manual," he says. "So when you move toward more automation, invest in the security of your operational systems."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
