President’s Cybersecurity Order: Great Start, But Something is Missing…
New parents demand surgical-style hand washing before anyone touches their newborn. Fast-forward several years, maybe a second kid, and those same parents are reciting the “5 second rule” before putting a chicken nugget back on the kid’s plate. This desensitization eventually occurs in response to every type of threat, including cyber-crime, until the person is personally impacted.
On May 7, 2021, Colonial Pipeline shut down a pipeline running from Linden, NJ to Houston, TX due to a ransomware event purportedly led by the DarkSide ransomware-as-a-service gang. The shutdown of the pipeline, which supplies approximately 45% of the fuel to the east coast of the U.S., led to a temporary gasoline shortage across the country.
While an unfortunate event, especially for Colonial, which reportedly paid approx. $5M in ransom to DarkSide, the positive effect was that cybersecurity once again caught national attention. Indeed, President Biden issued a May 12, 2021 Executive Order demanding that certain agencies of the Federal Government improve the security of the government’s network infrastructure against outside threats by using its bargaining power with software vendors, implementing zero trust architecture, focusing on the security of unclassified data, requiring encryption for data at rest and in transit, and enabling multi-factor authentication. The President further imposed tight deadlines on certain agencies to formulate plans for such infrastructure and regulatory changes.
President Biden’s Executive Order was well-received and lauded as an important step towards cyber resiliency. That assessment is not disputed here. Rather, the point is that the Executive Order omits essential priorities. These are best outlined in the Institute of Security + Technology’s Ransomware Task Force April 29, 2021 “Combatting Ransomware Framework,” in which representatives of industry leaders highlighted immediate ways to fight back against the ransomware monster:
1. Strongly refine (or revoke) the Department of Treasury’s Office of Foreign Assets Control (OFAC) October 1, 2020 statement threatening to fine victims who pay ransoms to prohibited groups. With cyber-crime groups being so difficult to identify, and OFAC often unable to provide guidance to victims within the time constraints imposed by the cyber criminals, victims are less likely to share information and risk liability with OFAC. With the threat of a financial penalty from a government body, why would any ransomware victim (or its insurer) consider information sharing as opposed to quietly paying a ransom?
2. Create a Ransomware Incident Response Network (RIRN) equipped with rapid response funds. This network would include several teams throughout the U.S. (and/or encourage states to establish an emergency support function dedicated to cyber) that receive and share incident reports, similar to Fusion Centers, and publish alerts to the local community. Certain RIRN teams, if capable and if provided certain state law protections, could conduct incident response activities and share collected intel back with the primary network in a standardized format, while maintaining victim anonymity. The RIRN would likely require volunteers from the private sector and a federal rapid response fund to provide resources for business continuity and remediation costs, and to develop the RIRN teams that restore functionality for affected entities. Beyond restoring functionality, the rationale is that entities receiving such assistance are less likely to pay ransoms.
3. Remove Anonymity from the Cryptocurrency Market. It’s the head of the snake. According to BleepingComputer, DarkSide collected $90 million in ransoms over the past nine months through multiple Bitcoin wallets (tempting...). Crypto is directly tied to the exponential rise in ransomware because criminals can collect payment without identification in any country. Cryptocurrency allows the ransom payment, initially paid by the victim in Bitcoin, to travel to a designated digital wallet, which the criminals then empty as quickly as possible. Next, the criminals typically use one of two methods: 1) Crypto-Mixing: criminals mix the ransomware funds in with cryptocurrency from other, legitimate sources, making the illegally-procured funds extremely difficult to identify; or 2) Chain-hopping: criminals exchange the ransom crypto into another cryptocurrency through several different types of cryptocurrency exchanges. Sometimes, the criminals use money mules to create crypto accounts, or set up accounts using stolen or false credentials, to hide the ransom payments. Eventually, the criminals can re-invest the cryptocurrency, use it for other transactions, or withdraw it as cash.
Were the U.S. to require all cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” to comply with Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting the Financing of Terrorism (CFT) laws, these exchanges, kiosks, and desks would be forced to collect certain information about the individual “cashing out” the cryptocurrency and to record information about the currency being exchanged, all of which may prove useful to law enforcement. Further, the IST Ransomware Task Force strongly recommends greater investment in blockchain analysis to interpret blockchain ledgers and track activity on cryptocurrency exchanges, where law enforcement could potentially start blacklisting certain wallets, freezing activity, and identifying patterns used by illicit entities.
The Ransomware Task Force, which is composed of representatives from entities like Palo Alto Networks, Microsoft, Amazon, Rapid7, the United States Secret Service, FireEye, and CrowdStrike, detailed several other empirical concepts and policies that the current administration is advised to consider. While the Executive Order highlights certain areas requiring change and the need to foster comprehensive information sharing between federal agencies, the immediate problem is on the ground, threatening private, state, and local entities and their infrastructure. Failure to consider and react at the private, state, and local level will inhibit any progress at the federal level.