With the bipartisan infrastructure bill now signed into law, security experts and state and local governments alike are eager to activate more than $1 billion in cybersecurity funding to help in the fight against threats like ransomware. This legislation will leverage the resources of the federal government to help state and local governments stand up to an increasingly consequential threat landscape. It’s also the latest of many actions from the administration to put more attention on the need for better cyber defenses, at home and abroad, since the actions taken domestically are bolstered by those taken by our foreign allies as well.
A 30-nation virtual ransomware summit held last month recognized the need for “urgent action, common priorities, and complementary efforts” from government sectors, and identified the level of collaboration needed to create a network effect of action across borders. From rapid information sharing on nation-state attacks, to activating law enforcement agencies, to countering the illicit financial channels that launder ransomware payments, this ecosystem of government resources, diplomatic engagement—and now major legislation—is a big part of the solution in the fight against ransomware. But it’s not the only part.
A joint statement published following the recent ransomware summit emphasized this point, and pointed to the additional roles that individuals, companies, and whole industries must play to counter threats like ransomware. According to the statement, “A nation’s ability to effectively prevent, detect, mitigate and respond to threats from ransomware will depend, in part, on the capacity, cooperation, and resilience of global partners, the private sector, civil society, and the general public.” Working together, each of these stakeholder groups brings certain responsibilities and strengths when it comes to building resilience and action against ransomware. Here are some of the roles they must play:
With cybercrime actors continuing to target critical and vulnerable industries, companies can benefit from information sharing within their sector to mitigate risks and help thwart active threat campaigns. Although it was not explicitly reported, the fact that no additional pipeline companies were hit following the Colonial Pipeline breach last summer signals the kind of backchannel information sharing that exists within certain sectors.
Companies in non-competitive arenas like healthcare lead in industrywide information sharing precisely because their businesses do not compete with one another. When competitive advantage is a factor in whether to share information, companies can lean on Information Sharing and Analysis Centers (ISACs) to anonymously share information within their spheres without disclosing trade secrets. Credit is due to sectors such as retail, automotive, and defense for leading the proliferation of ISACs. Other industries are following suit and building a mechanism for knowledge sharing and action against cyber threats—even if that sharing must remain anonymous.
The billion-dollar grant funding from the infrastructure bill will help harden our cyber defenses at the national, state, and local level. However, the federal government must also acknowledge the deficiencies and drawbacks that have existed when working with private-sector companies on cyber resilience—especially when it comes to information sharing. Bureaucracy, red tape, and time-to-action are all common complaints when companies voluntarily report threats or breaches to the government. This has not traditionally been viewed as a reciprocal cycle. As the government continues to compel companies to share information on breaches (or considers legislation to enforce it), it needs to act quickly on that information and get it back out into the community for everyone’s benefit via threat bulletins or other tangible methods.
Additionally, the federal government often uses the same software as the private sector. By demanding better security standards and practices within these projects, the government can leverage its buying power to accelerate innovation and achieve better security. Private companies would benefit from this, too.
The government should also extend these discussions and seek information from security vendors, acknowledging that security is a team sport, and most companies rely on vendors and partners to stay safe. Vendors should become part of the conversation and knowledge transfer as much as any other company.
A third element of this recent joint statement was both obvious and alarming—especially considering that it was coming directly from the Oval Office on behalf of dozens of global leaders. It said that steps like maintaining healthy backups, quickly implementing patches, using strong passwords, leveraging multi-factor authentication, and educating users are the seemingly simple actions that continue to provide some of the best defense against cyber threats.
That’s just good security hygiene, but the prominence of this reminder in a joint statement from 30 governments illustrates the continued work companies must do to improve their own postures against cyber threats. These are perhaps the most significant actions needed against ransomware. While the joint statement emphasizes a commitment to working with the private sector to promote cyber hygiene, the onus remains on companies to take all actions possible to remain resilient.
A recent survey of U.S. executives revealed significant skepticism about the government’s ability to mitigate cyber threats. Only 15% of respondents believe that diplomacy effectively stops future cyberattacks. Diplomacy alone may not be enough, but when combined with action, cooperation, and collaboration among private-sector companies, as well as funding to harden national and local government defenses, we can all work together to battle ransomware and shift the tide in this unfair, uneven fight. And that’s an outcome we can all agree on.
Mark Manglicmot, vice president, security services, Arctic Wolf