Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:00 AM

Can Government Effectively Help Businesses Fight Cybercrime?

From the Biden administration's pledge to take action to INTERPOL's focus on ransomware as a global threat, governments are looking to help businesses cope with cyberattacks. But can it really work?

When Team Cymru's James Shank worked with the Ransomware Task Force to come up with the worst-case scenarios for a ransomware attack, the group focused heavily on impacts: How could attackers endanger people or cause significant damage to infrastructure?

However, the group also focused on vectors - including an exploitation chain that amplifies attacks by compromising the software supply chain, infecting managed service providers and propagating too quickly for defenders to react. In short, the scenarios the group came up with looked very similar to the attack against managed service providers using a vulnerability in the Kaseya Virtual System Administrator (VSA) servers that happened on July 2.

Related Content:

Kaseya Releases Security Patch as Companies Continue to Recover

Special Report: Building the SOC of the Future

New From The Edge: Navigating Active Directory Security: Dangers and Defenses

The ability to use existing update and control mechanisms to propagate an attack is often referred to in military jargon as "force amplification," Shank says.

"That was one of the identified vectors that we explicitly called out, because it has wide-ranging impact," he says. "Force amplification that is one of the things that we explicitly did identify as a technique that should be considered part of the worst case of scenarios."

The attack—along with attacks on oil-and-gas transport network Colonial Pipeline and meat packer JBS USA—highlights the capability of ransomware groups to affect large numbers of people, and the bottom line that attack techniques are evolving. Without any fear of retribution, the groups behind the schemes will likely only get better. Individual companies have little recourse except to improve their defenses, stay on top of the latest techniques, and prepare to minimize business disruption in the event of an attack. 

Yet, governments are hobbled as well. On Friday, US President Joe Biden discussed the attacks with Russian President Vladimir Putin, requesting cooperation and pledging consequences for any inaction, according to reports. What those actions will be are unclear.

"I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden told the White House press.

The Cyberspace Solarium Commission (CSC), a bipartisan group of legislators and cybersecurity experts, recommended more than 80 policy initiatives that aim to improve US cybersecurity in March 2020. Among the foundations of the recommendations, the CSC focused on deterrence to shape rival nations' behavior, deny benefits to attackers, and impose significant costs on any successful attack. 

So far, at least 27 of those recommendations have been turned into US policy, and another 30 are hoped to be introduced as legislation and executive action this year. 

While companies need to better defend themselves, the government can help them by recommending cybersecurity measures and passing along threat information and by taking actions to dissuade attackers, whether it is sanctions against collaborating countries, indictments against individuals, or offensive attacks against the infrastructure used by criminals and their financial windfalls, says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD) and the executive director of the Cyberspace Solarium Commission.

"No one of them can solve it alone—you have to do all three," he says. "We need to be working consistently across all three of those lines of effort."

The Ransomware Task Force recommended five policies: Coordinated diplomacy and law enforcement efforts, an aggressive whole-of-government campaign by the United States to dissuade ransomware groups, the establishment of cyber response funds to help business, an international framework for responding to ransomware, and more regulation of cryptocurrency. The recommendations cannot be done piecemeal but need to be pursued all at the same time, says Team Cymru's Shank. 

He has high hopes for such an approach. While companies and nations may seem to be at a disadvantage compared to cybercriminals operating in other jurisdictions, the vast majority of interests lie in solving the problem of ransomware, he says. 

"The attackers—compared to the army of people who have an interest in them not being successful—they are way, way out numbered," he says.

Ransomware as Terrorism

The United States is not the only nation whose government has put a spotlight on ransomware. On July 8, INTERPOL put the threat of ransomware on par with terrorism activity, as a priority for collaborative law enforcement efforts. 

Ransomware for sure is a worldwide problem. WannaCry and NotPetya, two cyberattacks that mimicked ransomware, caused tens of billions of dollars in damage, shutting down operations not only at US companies, but European and Asian firms as well. The vast majority of businesses affected by the Kaseya ransomware attack were outside the United States, with 45% of downstream attack attempts detected by Kaspersky occurring in Italy and 15% in Columbia. The United States ranked second, with 26% of detections of the REvil ransomware payload.

In its annual conference this week, INTERPOL called for tighter partnerships between countries to combat ransomware and other threats.

"A global strategy in response to the threat of ransomware is critical – one where we successfully build trust, see effective exchange of data, and maximize rapid operational assistance to law enforcement agencies," INTERPOL Secretary General Jürgen Stock said in a statement

Companies also need to do more to protect themselves from attacks. As automation and cost savings are implemented, those funds should be reinvested, says FDD's Montgomery. Colonial Pipeline benefited from significant automation of its operations, but it did not invest that into cybersecurity to keep that its oil-and-gas transport network safe, he argues.

"They let go dozens and scores of people when they automated, and when they were attacked, Colonial Pipeline could not have reverted back to the 1960s when their pipeline was manual," he says. "So when you move toward more automation, invest in the security of your operational systems."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...
PUBLISHED: 2021-11-26
BaserCMS is an open source content management system with a focus on Japanese language support. In affected versions users with upload privilege may upload crafted zip files capable of path traversal on the host operating system. This is a vulnerability that needs to be addressed when the management...