The Biden administration is pushing hard to help fight the rise of ransomware attacks on private industry, and the White House is taking steps on multiple fronts to work with the private sector to combat the issue.
Anne Neuberger, the White House deputy national security advisor for cyber and emerging technologies, sent out a June 3 open letter to the private sector with advice on how businesses can best protect themselves from ransomware attacks.
This comes in addition to announcing a rapid strategic review on the topic and making it clear President Biden will address the issue with Russian President Vladimir Putin at their summit on June 16. The White House is also actively engaging with the private sector on the issue.
“The Federal government, under the leadership of President Biden, has been stepping up to strengthen the nation’s defenses against cyberattacks, but we can’t do it alone,” White House Press Secretary Jen Psaki said at a June 3 daily briefing. “Business leaders have a responsibility to strengthen their cyber defenses to protect the American public and our economy.”
Open Letter to Industry
Neuberger’s letter outlined six main actions businesses can take to protect themselves from ransomware attacks: implementing the five main actions in Biden’s Cyber executive order (EO), backing up data and keeping the backups online, testing incident response plans, updating and patching systems as they become available, segmenting networks, and using a third party to check the security team’s work.
“Ransomware attacks have disrupted organizations around the world, from hospitals across Ireland, Germany, and France, to pipelines in the United States and banks in the U.K. The threats are serious, and they are increasing. We urge you to take these critical steps to protect your organizations and the American public,” Neuberger wrote.
Neuberger prioritized five actions from Biden’s cyber EO that should immediately make an impact and drive down risk. Those actions are implementing multi-factor authentication (MFA), endpoint detection, endpoint response, encryption, and having a “skilled, empowered” cybersecurity team.
Neuberger emphasized that these main five actions are considered “high impact” and should “significantly reduce the risk of a successful cyberattack.” Neuberger also emphasized the need for up-to-date backups and keeping those backups offline in case of a successful ransomware attack.
“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively,” Neuberger added.
A More Involved Executive Branch
All signs point to Biden’s administration taking a more active stance in the cybersecurity space, both at the Federal and private levels.
In addition to Biden’s Cyber EO, which Neuberger reinforces with her industry recommendations, the Transportation Security Administration recently put out a directive that would require owners and operators of critical pipelines to designate a cybersecurity coordinator and disclose when they are the victims of cyberattacks.
“Under President Biden’s leadership, the Federal government is stepping up to do its’ part, working with like-minded partners around the world to disrupt and deter ransomware actors,” Neuberger wrote.
The Colonial Pipeline and JBS USA ransomware attacks just represent the most recent threats to critical infrastructure. Cyberattacks have been on the rise with recent ransom payments potentially incentivizing more attacks. Just yesterday, Rep. Carolyn Maloney, D-N.Y., reached out to Colonial Pipeline Company and CNA Financial to get more information about their respective decisions to pay millions in ransoms.
“These attacks have been on the rise for years because these criminal groups are able to make a profit off the backs of businesses, schools, local governments, and more,” Psaki said. “Our focus is on the destruction of ransomware infrastructure and actors, including through close cooperation with the private sector.”
“That’s ongoing,” Psaki added. “[It is] something that’s a priority to the President, and that will be a priority in the national security team.”
Industry Reaction
The letter has support in the cybersecurity industry, with general optimism about the level of White House involvement.
“The growing sophistication of ransomware means all businesses … will eventually become targets of ransomware,” Caroline Seymour, VP of product marketing at Zerto said in a statement to MeriTalk. “We’ve seen it too often recently with cyberattacks against major suppliers like JBS foods and the Colonial Pipeline. It’s encouraging to see the White House urging companies to take this issue seriously.”
Some in the cybersecurity industry still do not feel like enough is being done to combat the issue at its root.
“Prescriptive and top-down approaches have been tried over and over again and what is clearly needed is a strong set of laws protecting the USA and prescribing minimum standards in required cybersecurity for companies (e.g. DoD’s CMMC is a great start for this overall), a combination of tax-incentives to offset the anticipated costs and evolutionary changes, and then an enforcement arm of auditors and overseers to make certain these meaningful laws and requests are followed,” Carl Herberger, VP of security services at CyberSheath told MeriTalk.
In general, members of the private sector have agreed with the White House the sentiment behind the White House push, even if they are hesitant about the overall effect it will have.
“This letter represents a change in tone and rhetoric from the White House, but, by itself, the letter changes nothing,” Eric Greenwald, general counsel for Finite State and former special assistant to President Obama and senior director for cybersecurity, told MeriTalk.
“It will perhaps lead to a modest increase in awareness among companies who have had their heads in the sand on ransomware, but moving the needle requires change in business practices around cybersecurity,” Greenwald added. “[The administration’s increased involvement is] encouraging, but it will require effective implementation and enforcement in order to be effective.”