The past year has brought much change to cybersecurity, both in terms of the overall threat landscape and the way government and industry are responding to it.
However, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said the biggest change she’s seen is not a single policy or attack, but the evolution of cybersecurity into “a kitchen table issue” that has brute forced its way into the mainstream consciousness of American society.
This, she posited, is in no small part due to the widespread impact and prevalence of ransomware on society.
“We’ve seen ransomware attacks have real impacts on people’s lives, whether that’s gas at the pump or food at the grocery store, money from the bank, the disruptions against hospitals and school and municipalities. It’s really started to have a wake-up effect,” said Easterly Nov. 10 at the Re:Wired conference.
However, unlike previous wake-up calls that failed to marshal a sense of national urgency, the attacks against Colonial Pipeline, JBS and Kaseya and their widespread downstream impacts on the national supply chain, businesses and consumers appear to have pierced through the public’s consciousness and crossed a red line for policymakers in Washington.
Combined with the SolarWinds and Microsoft Exchange attacks on government and private businesses, these incidents have led the federal government to truly treat cybersecurity as a national priority for the first time.
As SC Media has reported, cybersecurity policy both inside and outside of the federal government has become a defining feature of President Joe Biden’s first year in office. It is an issue that now regularly rises to the level of presidential comment, requires high-profile summits with industry or foreign allies and is considered important enough for law enforcement agencies to shift the lines on how they engage with industry or investigate companies that demonstrate malfeasance or neglect in protecting their systems and data.
Many of these actions have been directly geared towards disrupting ransomware. For too long, Easterly said, it has been too easy to jump into the fractured and decentralized ransomware market, where a cybercriminal doesn’t even have to be part of the core operational team or an affiliate to profit off the activity. The government's full-court press against ransomware operators since May — including recent actions to put out bounties for information on the DarkSide ransomware group and arrest members of the REvil gang — is part of a larger effort to make it harder for ransomware groups to operate, leverage IT infrastructure and get their money.
“There are very low barriers to entry to being part of, for example, the ransomware ecosystem where you have service operators that run dashboards, you have people that run the help desk, you have initial access brokers,” she said. “All it takes to become part of the ecosystem essentially is a little bit of money, so there’s too little friction in the system.”
Other actions and initiatives taken this year are aimed squarely at the federal government, including a slew of directives for agencies to implement zero trust architectures, boost logging capabilities, implement endpoint detection and response technologies and focus on patching known, exploited vulnerabilities. All are more or less designed to make it harder for state-backed hacking groups to compromise government networks and more difficult for them to stay hidden when they do.
Easterly said she believes the civilian federal government’s complex IT infrastructure — composed of 102 individual agencies, many of which are still using badly outdated technologies — is actually more difficult to protect than military networks.
But the interconnected nature of our technology infrastructure means that the government can no longer afford to look at a vulnerability or exploit in a vacuum, and must instead weigh it by its potential to impact the broader commerce and activities that those affected systems help to underpin.
Asked what role information security professionals in the private sector should expect to play in this broader effort, Easterly indicated that the government regularly leans on threat intelligence companies and academia for analysis and visibility of the threat landscape. A cybersecurity advisory committee established in June will bring in representatives from these sectors to discuss ways for CISA to “do things differently,” she said, because the status quo of federal and critical infrastructure cybersecurity remains “unacceptable.”
“At the end of the day, I feel like that’s my community, man, and we want to ignite the power of hackers and researchers and academics because at the end of the day, the world is full of vulnerabilities and I feel like the offense is dominating the defense,” said Easterly. “So I want to make sure that we are tapping into the brilliance and goodness of that community to help us identify and to close those vulnerabilities. I think that’s incredibly important.”