4 actions that can protect critical infrastructure from ransomware
Connecting state and local government leaders
The nation’s wealth combined with its aging infrastructure make it a primary target for increasingly sophisticated threats spanning the public and private sectors.
Over the last five months, cyberattacks have reached an inflection point as bold, opportunistic hackers succeeded in compromising America's most critical infrastructure -- water (Oldsmar, Fla.), food (JBS) and fuel (Colonial Pipeline) supplies. Profit is a key motivator: Reports reveal that victims paid hackers over $406 million in cryptocurrency ransoms last year. Yet the financial motivation of the crimes belies their potentially catastrophic consequences.
The barrage of cyberattacks has exposed a need to reimagine what the nation protects and how it modernizes to safeguard critical infrastructure, which includes defining what that means today. We’ve realized, especially after the past year and a half, it’s not only the legacy infrastructure that’s been in place since World War II that’s vulnerable. It’s Zoom, Amazon and other technologies that have kept society afloat and sane while battling the vicious virus.
The U.S. has always been adept at pivoting in the face of hardship and vulnerability. Below are four steps the federal government can take to combat these attacks, especially now when hackers in the most remote areas of the world can lock down companies and industries with mere keystrokes.
1. Critical infrastructure attacks must be understood as digital terrorism
Until now, foreign hackers mounting ransomware attacks have been acting with only modest repercussions. U.S. officials managed to recover $2.3 million from the Colonial Pipeline ransom. Though a successful counterstrike, it still left the Moscow-based DarkSide ransomware group with $2.1 million -- money that in Russia can go a long way toward sports cars, mansions and even funding a team of 150 foreign hackers for a year.
The U.S. must change the economics of ransomware attacks. Companies should not be left with the option to either pay ransoms or suffer the consequences, and officials should no longer consider hacks to be merely financial crimes. Given the economic impact and damage, ransomware attacks on critical infrastructure should be considered “digital terrorism," and those responsible should be labelled “digital terrorists.” Pursuing and disrupting hackers’ needs is crucial to garnering a response from not only law enforcement – but the entirety of the U.S. government.
2. The U.S. must reconsider the definition of "critical infrastructure" for the modern era, and make digital security a priority
At this point, the federal government must expand the definition of critical infrastructure past bridges, dams, highways, pipelines and transit systems. Society's digital connective tissue includes both the internet and the services it provides. It has become clear that Americans cannot work and live without digital service providers like Amazon, Microsoft and Zoom. These assets must be considered critical infrastructure and made resilient against cyberattacks, beyond physically securing their data centers and corporate headquarters.
The Biden administration's American Jobs Plan is on the right track to improving America's outdated data highways: President Joe Biden has earmarked $100 billion for an affordable high-speed broadband infrastructure that may reduce the digital divide. That’s a great start because it acknowledges that part of what's outdated is not just concrete and rebar, but also the nation’s IT infrastructure.
What’s more, cybersecurity experts are acutely aware that legacy utility, service and transportation facilities may have reasonable physical security, but remain inadequately protected from digital threats. Recent attacks made clear that the weakness must be addressed now using modern hardware, software and IT protocols pioneered by U.S. companies. To the extent that critical infrastructure providers are under-equipped to make necessary investments in modern cybersecurity technology, government incentives will speed deployment.
3. Ransomware payments must be banned by law
Paying a ransom is dangerous. Each payout encourages future ransomware attacks, and worse yet, the victim has no guarantee that hackers won't return for another payday. As a matter of public policy, the U.S. government must outlaw ransom payments, as they are turning small-time crooks into big-time threats: One company's capitulation enables a menace to society.
Traditional risk management through insurance isn't the answer; it only encourages ransomware attacks and widens their impact. Colonial Pipeline had at least $15 million in cyber insurance, but as ransomware attacks continue, the growing burden of multi-million dollar payouts will either compel insurers to increase premiums and exclusions, or drop companies that file claims for attacks. This is already happening: AXA says it will no longer reimburse ransom payments for French ransomware victims, and if that wasn't enough, banks have started raising interest rates and demanding more collateral from companies that have suffered customer data breaches. Of course, the banks themselves have long been targeted by cybercriminals, and insurance companies are now under threat as well.
4. Seize the opportunity for public/private collaboration
Given its financial resources, the United States might be assumed to have such a sophisticated critical infrastructure that is virtually impervious to danger. However, the nation’s combination of wealth and aging infrastructures – not just pipelines and water, but electric grids and transit systems – make the country a primary target for increasingly sophisticated threats spanning the public and private sectors. Despite its strengths, The U.S. ranks 13th overall in quality of critical infrastructure.
It’s time for the government to retire industrial age concepts of security and begin protecting both citizens and businesses against mounting digital threats. Collaborating with private-sector experts will help the public sector anticipate likely threats, enabling smarter and faster adaptations as the security landscape evolves. As hackers increase their resources and deploy sophisticated ransomware attacks, the nation will need every possible advantage to defend against them. With the public and private sectors working together, we will prevail.
NEXT STORY: NYC opens cyber operations center