
Will feds start to assess company risk of ransomware attacks? They’re at least asking questions

JBS food processing was among the companies targeted by ransomware gang REvil. Credit ratings agency Fitch Ratings has said that companies in industries overly reliant on a single IT or security provider could see their credit posture harmed if a ransomware attack on that provider leads to significant service disruption. (Chet Strange/Getty Images)

The federal government appears to be exploring options for assessing individual organizations or entire vertical sectors for vulnerability to potential ransomware attacks.

"They proactively reached out to us — I'll just say that — specifically thinking about the ransomware threat, and understanding how our data can potentially help," said Dave Stapleton, chief information security officer at CyberGRX, in an interview with SC Media at Black Hat.

CyberGRX offers what Stapleton describes as a two-sided exchange for assessing risk. Organizations can use the assessments to evaluate the security of their own supply chain, and third-party suppliers can themselves use the assessments to improve their risk profile or to promote themselves to current and potential customers. The more assessments CyberGRX performs on suppliers (what Stapleton describes as "personas"), the richer each individual assessment becomes, because organizations and the suppliers themselves can see where they fall within the broader library. The CyberGRX library currently holds roughly 8,500 profiles.

The specific functionality that Stapleton believes is of greatest interest to government is the ability to establish threat profiles: assessing a supplier's exposure to a particular mode of attack, such as ransomware.

"Included in that sort of filtering might be anything in our security profiles that we build that's related to offline backups or recovery exercises or now, because of extortionware, IDP and that sort of thing, because it's too late if they access all your data — toothpaste is out of the tube," he said. "That's what the government is interested in, I believe, because as our exchange keeps growing exponentially over time, government can gather insights and start initiatives."

Stapleton said the feds may recognize, for example, "'for whatever reason, health care is really bad at this. And so we need to engage the health care industry so we can start an initiative for the funding with actual data to back up that focus.'"

Such a concept is very familiar to Stapleton, who did similar work while at federal agencies himself, helping to implement the Federal Risk and Authorization Management Program. FedRAMP is the federal government's standardized approach to assessing the security of cloud offerings; authorization lands vendors in a marketplace that agencies can use to shop for solutions.

Should government pursue a similar route for assessing risk from ransomware or any other category of malicious attack, whether in partnership with CyberGRX or not, Stapleton predicts a phased approach similar to the one taken with FedRAMP: start with self-attestation of some kind, then independent validation and, based on the inherent risk of that particular type of third party, additional levels of authorization.

"The application is clear," Stapleton said. "The trick is always going to be, how do you establish assurance and confidence? There's a lot of companies that produce a significant amount of fairly sensitive information. I don't know if [all will want] to give that information to the federal government, which hasn't always been good stewards."

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
