As the cyber dimension of the Ukraine conflict erupted, demonstrating the ungoverned and unstable nature of full-on cyberwar, a parallel ransomware alert from the US government got comparatively scant coverage. But it, too, merits attention.
The alert served as a reminder of the two species of cyber threat: the unpredictable, spinning-pinball threats that can lurch out of control and pulverize innocents in random fashion — and the intricately designed, coolly targeted threats meant to ransack a particular organization's servers and perhaps its bank account.
The Ukraine clash may generate plenty of damage of the first type. Indeed, it may already be doing so. But while that conflict progresses, the second type of threat, epitomized by ransomware, is taking no holidays.
A Formal Alarm
Issued in February, days before hostilities broke out between Russia and Ukraine, the Joint Cybersecurity Advisory from the FBI, CISA (the Cybersecurity and Infrastructure Security Agency), and the NSA sounded a formal alarm about "an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally."
Attack targets are no longer predictably the biggest, richest organizations, according to the report. Ransomware groups have learned to infiltrate enterprise SaaS platforms and exploit them as hubs for firing off waves of malevolent executables at scale, victimizing platform clients, both large and small. According to the advisory, the FBI in 2021 "observed some ransomware threat actors redirecting ransomware efforts away from 'big-game' and toward mid-sized victims to reduce scrutiny." The FBI’s counterpart agencies in the UK and Australia, the National Cyber Security Centre (NCSC-UK) and Australian Cyber Security Centre (ACSC), concurred that organizations "of all sizes" suffered ransomware attacks throughout the year.
On the one hand, in this national security sphere, any additional recognition or investment at the top of government is overdue and cannot hurt. On the other, recognition does not mean the government has the reach or means to protect you — something the two species of cyber threat have in common.
Who's in Charge?
One early, grim lesson of the Ukraine cyberwar is that no authority is firmly in charge and no government agency can consistently shield its citizens from blowback. Governments aren't even supervising some of the cyber combatants: freelance hacktivists like Anonymous, jamming Russian broadcast channels and the Kremlin website, answer to their own moral code, not a central command in Kyiv. And Ukraine's own "I.T. Army" is a barely directed worldwide corps of digital adepts connecting via Telegram to wreak cyber havoc.
What could go awry in that woolly, infinitely multilateral conflict sphere? No national cyber defense framework can keep innocent parties from becoming collateral damage.
The thing is, no government ransomware policy can unilaterally create a safer, more secure environment either.
Government cannot remake the private sector's trend toward hybrid compute workloads. With a thoughtful hybrid strategy, an enterprise hosts its more sensitive workloads on-premises and deploys less critical resources to a more economical third-party public cloud provider. The practice may yield savings, but it raises a parallel concern: roles and responsibilities once firmly controlled by data center operators may become much less clearly delineated. Involving cloud providers makes evaluating risk and modeling effective security controls more complex. It must be done, but it is up to individual organizations.
Government can recommend that private organizations perform overdue software updates or implement two-factor authentication. But those best practices will never be mandated by act of Congress; they are up to individual organizations.
Influencers from security agencies can keynote one conference after another, emphasizing today's key challenge for CISOs everywhere: threat visibility across the environments they're laboring to secure. CISOs can't defend against threats they can't see. Total, real-time visibility into IT and cloud infrastructure is the ideal; the reality is that almost all organizations lack it. They're unaware of which devices and individuals are connected, and with what access to sensitive systems and data. Visibility into third-party access to company systems also remains poor. To spot ransomware before it digs in and does damage, CISOs should be adopting security solutions that visualize the entire attack surface. But the initiative to make such visibility a top priority must come from CISOs themselves.
The conclusions drawn by the Joint Cybersecurity Advisory are recommendations, not directives — and if you've been tracking the rise of ransomware, they feel familiar: Keep systems and software up to date. Train workers to spot phishing links and dodgy attachments. Implement 2FA. Back up your data. We have heard this advice before; the advisory simply delivers it from a higher-echelon source.
That doesn't mean it's dismissible — quite the contrary. But what is really important is how organizations everywhere react. The Ukraine conflict is erasing the last vestiges of complacency about the destabilizing, out-of-control threat of cyber weapons. We should do all we can to see that this cybersecurity advisory does the same for the threat of well-controlled, ruthlessly targeted cyber piracy.