Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service
National Cyber Director Sees Ransomware As Continuing ThreatChris Inglis: 'Too Soon To Tell' If Gangs Have Changed Their Behavior
Despite a recent slowdown and some cybercriminals claiming they have stopped or abandoned ransomware attacks, National Cyber Director John "Chris" Inglis says it's "too soon to tell," if the behavior of these groups has changed permanently or if they are waiting for an opportunity to return.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Speaking at the Reagan Institute in Washington, D.C., on Thursday, Inglis, who was approved by the U.S. Senate in June as the nation's first cyber director, says that while the information in the public domain seems to show that large-scale ransomware attacks have fallen off in the last few months, cybercriminal gangs remain a threat to the nation's critical infrastructure.
In June, President Joe Biden met with Russian President Vladimir Putin to discuss cybersecurity issues, especially those concerning ransomware gangs suspected of operating within Russia's borders. Putin's government has denied that these groups operate with impunity within the country (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
Since that time, however, some ransomware gangs claimed that they have ceased operations, but it's believed by security analysts that many have simply switched names or revamped their malware (see: Ransomware: LockBit 2.0 Borrows Ryuk and Egregor's Tricks).
"We've seen that those kinds of [ransomware] syndicates had, to some degree, deconstructed, but I think it's a fair bet that they have self-destructed - essentially gone cold and quiet," Inglis told the audience Thursday. "Let's see whether the storm will blow over - whether they can then come back. And what I think will make the difference is whether Vladimir Putin and others who have the ability to enforce the law - international law as we know it - and ensure that they don't come back."
Before the Labor Day weekend this month, the White House and other federal agencies warned about cybercriminal groups taking advantage of the holiday to launch attacks. And while there were no major incidents reported, Howard University in Washington, D.C., acknowledged an attempted ransomware attack that targeted its IT systems (see: Howard University Hit With Ransomware Attack).
Despite some success over the past several months, Inglis says the federal government still needs to develop a much more strategic approach to ransomware and cybercrime, which he called a "systemic" problem.
"We're not actually figuring out how to prevent them from accessing those systems. We're not finding ways to bring them to justice. We're not finding ways to follow the money," Inglis said. "All of that adds up and constitutes a system that creates weakness - from a lack of resilience to the economy to the unmitigated avarice of those actors. You have to address all of those things."
To Pay or Not
When asked about whether organizations that have been victimized by ransomware should pay the attackers, Inglis says while meeting the demands of attackers is a bad idea, the federal government is not seeking to punish those organizations that do pay. He noted that hospitals and other critical infrastructure operators must continue to perform essential services.
"In order to save lives, hospitals need to get patients to the right place at the right time. They may have no other choice but to pay that ransom," Inglis said. "That may well be the right choice at that moment in time. And we're not, therefore, going to penalize someone for doing what was essential at that moment to save lives and to deliver critical services, but we will go back and look at how we got there."
Inglis said his office and other federal agencies, such as the U.S. Cybersecurity and Infrastructure Security Agency, need to address why these organizations were attacked and what could be done to create more resilient systems that can sustain an attack. Inglis has spoken previously about building these types of systems (see: National Cyber Director Chris Inglis Focusing on Resiliency).
"We're going to address this by making our systems resilient and robust, and many of these [attacks] are preventable by simply installing the right degree of software controls, hardware controls - also, training people not to click on links or things of that sort," Inglis says. "We've got the muscle memory necessary to surge resources to help immediately restore and recover so that we don't have to pay the ransom. We also need to make sure that if we get to that place where we're up against an adversary … we bring them to justice."
Besides ransomware, Inglis was asked about how his office is developing and how his position as the national cyber director differs from that of Anne Neuberger, the deputy national security adviser for cyber and emerging technology.
Confusion about who is in charge of the nation's cybersecurity defenses and responses has also raised concerns among members of Congress, who have asked the Biden administration for additional clarity (see: Lawmakers Want Federal Cybersecurity Leaders' Roles Clarified).
Inglis says he sees his role as operating "inside cyberspace," which includes ensuring that government agencies are using the right and secure combination of software and hardware to guarantee that systems are protected and resilient against ransomware and other types of attacks.
When a cyber issue requires that the U.S. government "bear other instruments of power," such as international diplomacy or law enforcement action or possibly a military response, the responsibility then falls to Neuberger and the National Security Council, Inglis said. This is what happened in the case of the ransomware attack on Colonial Pipeline Co., which threatened national security (see: How Did FBI Recover Colonial Pipeline's DarkSide Bitcoins?).
At the same time, if an incident is self-contained and only affects one agency or organization, Inglis' office can ensure that the proper staff is responding and CISA can provide mitigation and other advice. "That's not to say that it's scripted, or that it's as straightforward as we'd like it to be, but reasonable people who stay in contact with one another can determine what resources we need to bring to bear and everybody plays their role in a complementary fashion," Inglis noted.