Where CISA's Ransomware Tool Falls Short & What To Do About It

US technology is under attack. Nearly every category of cybersecurity has been breached in every corner of our economy and way of life, and according to a survey by Sophos, the average cost to mitigate an attack in 2020 was $1.85 million. Increasing numbers of cybersecurity professionals believe the federal government and local law enforcement have a role in policing and protecting our environments from the new and wild domain of Internet security.

In the latest attempt to demonstrate value to the citizenry, the US federal government offered a new "assessment" tool, through the Cybersecurity and Infrastructure Security Agency (CISA). The Ransomware Readiness Assessment (RRA), the latest module to the Cyber Security Evaluation Tool (CSET), purports to help organizations understand its cybersecurity posture and improve that standing.

This new tool, and the whole concept of government-sponsored technological applications, leaves more questions than answers. Let's take a closer look at how this tool falls short and what we really need to make progress against ransomware.

A Deeper Look at the Threat
According to Chainalysis, victims paid nearly $350 million in ransom via cryptocurrency in 2020, a 311% increase over 2019. Recent attacks like Colonial Pipeline, which led to consumer panic in the gas industry, and JBS Foods, show how ransomware groups are strategic in their targeting. Unless you have a security tool that specifically looks for preinfections like Trickbot or Emotet, they often go undetected, leaving many companies vulnerable.

While there are certainly national security issues that come with ransomware — North Korea and Russia are in the US's crosshairs — to get to the crux of the issue, you have to follow the money. It requires a complex solution, far more nuanced than the RRA.

Since the RRA only shows whether ransomware is present in any given moment, it doesn't account for any future exploited vulnerabilities. By dipping its toe in the water of a company's security operation, the federal government should also share responsibility. Is the CISA now responsible for knowing whether ransomware is present? Is this government agency joining the competitive industry of reviewing for compliance?

There are already legions of companies that do this and could have helped the Colonial Pipelines, Kaseyas, and JBSs of the world, all of which admitted security faults.

Suspicion of Government "Assessment" Tools
Take the case of Pegasus, a software developed by Israeli security firm NSO Group, which was supposed to target criminals and instead was used as a surveillance tool to spy on journalists and activists. Amnesty International's investigation of Pegasus was so jarring that it published an open source mobile forensics tool so others can detect the threat that Pegasus poses.

What happens if the RRA tool misses something? Does it provide for a false sense of security from zero-day threats and non-signature-based threat profiles? Does the government ensure this tool will provide protections and alerts for threats which are often not known prior? If it can't guarantee any of that, what value does the tool really have?

Private enterprises solve business problems faster, more resolutely, and more creatively than any government can. This was true for Google Maps, which was far richer and more cost effective than anything the military had invested in previously.

By introducing a free tool that doesn't properly address the issue, the government creates a security threat for those who opt to use it instead of commercial services.

A better strategy would be for the government to offer financial incentives like tax rebates or tax-free expenses that organizations can benefit from if they enlist the help of firms that can better detect threats.

True Ransomware Prevention
If you're serious about security and have endpoint detection and response (EDR) well deployed, the likelihood of a ransomware infection approaches zero. In nearly all ransomware attacks, the victim either didn't have an EDR solution in place or it had an ineffective solution that malfunctioned and created a vulnerability.

Cybersecurity Maturity Model Certification (CMMC) compliance requires Department of Defense contractors to have security information and event management (SIEM) solutions and EDR solutions in place to win government contracts. Those tools, along with any routine security and vulnerability assessment, are proven to prevent ransomware attacks. Perhaps extrapolating this requirement to other industries would have a meaningful effect on limiting attacks.

Companies do need help from the government, but this RRA module falls well short of helpful. Offering a self-assessment tool with the caveat that there are no guarantees of catching ransomware relays one message the government didn't intend: This tool simply isn't good enough and your security is still very much your problem.