With ransomware attacks multiplying, US moves to bolster defenses

Holidays are not time off for hackers. Over the July 4th weekend, a sophisticated cyberattack on a software supplier sent multiple ransomware notices to companies across the world.

Prior to Memorial Day, it was the meat supply that hackers put in jeopardy. In response to that attack, the company JBS Foods USA decided to pay an $11 million ransom – but now, what appears to be the same cybercriminal group has broadened its scope and upped the ante, initially demanding $70 million to restore services after a hack of the Miami-based software company Kaseya and roughly 60 of its customers.

Kaseya supplies software to managed service providers, which then operate smaller organizations’ information technology systems, ranging from dentists to grocers. Hundreds of stores of the Swedish grocer Coop closed over the weekend when their cash registers became inoperable. The managed service provider for the grocery chain is a Kaseya customer, and with the malware attacking Kaseya at the source, that left Coop and some 1,500 other businesses around the world scrambling over the weekend to get back online.

The hack comes during what one cyber expert calls a “period of adjustment” for the​ federal government.​ After struggling to keep pace with cyber​threats​, the government has moved to place leadership on the issue with a single official who has enhanced authorit​ies. ​​​It's a step toward greater coordination, oversight, and accountability on large and fast-evolving risks.

Last month, senators approved Chris Inglis, a former deputy director of the National Security Agency, as the nation’s first-ever national cyber director. A similar role was eliminated in 2018, but now the newly strengthened position – along with an office of up to 75 staff members – will coordinate the government’s cyber portfolio and digital defense strategy. A second key post, director of the primary domestic cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA), is expected to be filled shortly.

Sen. Angus King, a Maine independent, called these posts as vital in the digital age as the secretary of Defense and chairman of the Joint Chiefs of Staff. “We have to reimagine conflict,” Senator King said. “The front line of this conflict can take place in a server farm on Wall Street, in a pipeline company or in an electric company or in a water service utility anywhere in America.”

Under this new leadership, the U.S. is looking to better protect government systems as well as businesses. And officials are making clear they will seek not just to hold cybercriminals to account, but also companies whose inadequate cybersecurity measures have put them and their customers at risk. Even when a company, like Kaseya, does many things right, the lack of criminal consequences for hackers and success so far in obtaining ransom payments causes the cycle of cyber malfeasance to continue.

Charles Dharapak/AP/File

Chris Inglis, then deputy director of the National Security Agency, testifies in Washington in 2013. Mr. Inglis was confirmed in June as the government's first national cyber director, within the Executive Office of the President.

JBS’s ransom payment came just weeks after another company, Colonial Pipeline, made a similar payment in May. The gas pipeline company, which provides nearly half the fuel for the East Coast, paid a $4.4 million ransom to a different criminal group. The multi-day shutdown sparked fears of a shortage, causing long lines at gas stations along parts of the East Coast. While some of that ransom was ultimately recovered by the FBI, U.S.-based companies still paid out millions to cybercriminals in a matter of weeks. 

Asked about the ethics of ransom payments during his nomination hearing on June 10, Mr. Inglis said the U.S. ought to hold companies accountable “not so much for paying the ransom – but for being in a position where they had to pay the ransom in the first place, for the failure to prepare for that.”

With 2,354 U.S. schools, governments, and healthcare facilities impacted by ransomware last year alone, according to a study from antivirus software firm Emsisoft, “a team effort” is needed to address the problem, Mr. Inglis said.

In May, President Joe Biden issued an executive order intended to shore up federal networks against cyberattacks. Among other things, it requires federal contractors to meet new cybersecurity standards and share information about any breaches. The order also established a year-long process for “enhancing software supply chain security” in advance of the Kaseya hack.

“What you’re starting to see from the Biden Administration already is a little bit more of a wariness around leaving [cybersecurity] in the hands of the private sector,” says Josephine Wolff, an associate professor of cybersecurity policy at The Fletcher School of Tufts University.

The new national cyber director is responsible for coordinating cyber components of the departments of Justice, Homeland Security, and Treasury in battling ransomware. The CISA director will be the primary conduit between the federal government and private sector.

Jen Easterly, the nominee to lead CISA, called the national cyber director the “coach of the team,” during the same June 10 hearing. The Army veteran and former NSA official likened her prospective organization, CISA, whose role includes protecting civilian networks and critical infrastructure, to the “quarterback” of federal cybersecurity.

Congress, too, is pushing for the federal government and private sector to work more in concert to defend against ransomware. A bipartisan cadre of senators have drafted legislation that would require certain private sector entities, including critical infrastructure operators, to report cyber intrusions within 24 hours to the federal government. Such reporting has historically been voluntary, and companies have often been hesitant to disclose breaches. The information shared would be exempt from Freedom of Information Act requests and from use as evidence in lawsuits. The Senate Homeland Security Committee is also working on drafting legislation to address ransomware.

While all this might seem to portend conflict between the business community and the government, the U.S. Chamber of Commerce’s Christopher Roberti says he’s expecting a fruitful partnership.

The relationship between government and the private sector in cybersecurity has been “strong for a long time,” says Mr. Roberti, senior vice president for cyber, intelligence, and supply chain security policy at the Chamber. “We have to stay together and avoid the tendency to try to say, ‘It’s not my fault, it’s your fault,’ because that just benefits the adversaries.”

The Chamber wrote a letter of recommendation last summer in support of the new position of national cyber director. Mr. Roberti says conversations with Mr. Inglis were a part of the reason why.

“He’s a person who really does value collaboration, cohesion, and working together to identify the critical problems that we face – and then help to come up with solutions,” Mr. Roberti says.