The REvil ransomware gang is in the news again, this time for a supply chain attack and the largest public extortion demand ever: $70 million.
What will it take to defeat REvil, other ransomware gangs, and really all malicious hackers and malware?
Five things: better local security controls, political agreement, global law enforcement cooperation, a counterterrorism-style effort and a more secure Internet. Let’s take each of these individually.
Better Local Controls
This is the part everyone has been trying to do since the beginning of computing. Every organization needs, and has been trying to get, better local controls: stronger authentication, better patching, more secure configurations, better monitoring and better-educated users. Most organizations are not only trying to do this but are required to by one or more regulatory or compliance regimes (e.g., PCI DSS, GDPR, HIPAA, NERC/FERC, SOX, ISO/IEC 27001, GLBA, etc.).
By far, the two biggest causes of malicious compromise are social engineering and unpatched software, followed by password issues. Any organization that concentrates on these three areas will be far better off than one that does not. The problem is that, for a myriad of reasons, organizations have a hard time doing these three things well, and it is mostly a lack of focus. Defenders are told there are hundreds of things they need to be doing perfectly, all at once, to stop hackers and malware, and the three things that matter more than everything else combined get lost in the mix. So, this category is better summed up as better, far more focused local controls.
Unfortunately, even better, far more focused local controls alone will not make malicious hackers and malware go away completely. As long as malicious hackers and malware can do what they do with almost no risk of getting caught, cyber crime will continue. So, what will it take to significantly diminish malicious hacking and malware? Answer: the remaining four fixes.
Political Agreement
Nation-states are among the biggest purveyors of illegal hacking and malware. Nearly every country now has robust offensive hacking operations, all of them wrapped in a wave of patriotism. Nation-states discover, create and buy massive numbers of zero-day exploits (hundreds to thousands) each year. Some countries have hundreds of thousands of “probes”, meaning compromised devices and software in other countries, so many that they need specialized, AI-based systems just to manage them. Countries have used malware to destroy physical equipment and compromise energy infrastructure. Some countries directly fund ransomware gangs to steal intellectual property and money. Others accept bribes and turn a blind eye to ransomware gangs, essentially acting as cyber criminal safe havens. As long as all of this is true, malicious hacking will continue unabated.
Cyberwarfare is every bit as much a part of our war plans today as kinetic war is, except that cyberwarfare is always under way, even when no physical war is happening. We need global agreement on what is and is not allowed by a nation-state during times of claimed peace: a digital Geneva Convention. The United Nations has been working on a similar plan for over a decade, and the latest iteration can be viewed here. But it is very hard for all nations, with often diametrically opposed objectives, to come together and agree on anything. Still, the French are trying to come up with a way forward.
The goals are to get all nations to agree on what is and is not allowed in cyberwarfare and to declare some acts out of bounds (such as attacking hospitals and energy grids). We need all nations to agree to stop functioning as cyber criminal safe havens. And we need all nations to become more cyber resilient: when one nation becomes more resistant to malicious hackers and malware, we all become safer.
If you are interested in more on this topic, see our related webinar.
Global Law Enforcement Cooperation
Part of the solution is getting all nations to agree on what is and is not considered cyber crime, and to enforce each other’s warrants and arrest requests. Right now, most nations have only a few close allies that will accept their warrants, subpoenas and other court actions. All a cyber criminal has to do to completely avoid arrest is commit the online crime across the border of a country that does not recognize their own country’s legal jurisdiction, and vice versa. Hence, as an example, Chinese and Russian hackers can attack the assets of the United States and its allies without fear of repercussions, and the reverse is equally true: the United States is not going to arrest Americans in response to Chinese or Russian cyber crime arrest warrants.
All nations, especially those with large populations of malicious hackers and malware writers, need to come together and agree to enforce legitimate judicial requests from each other. Unfortunately, this requirement is tightly bound to the previous one and requires a political solution to go forward. Step one is to get the politics settled, followed by the judicial details.
A Counterterrorism Effort
Many groups are recognizing that defeating ransomware will take a nation-sized offensive campaign, often likened to a counterterrorism effort. Their argument is that no single entity other than an entire country has the resources and intelligence to fight ransomware. The Institute for Security and Technology’s Ransomware Task Force report made similar recommendations for the U.S., including:
- Declare ransomware a national emergency
- National funding to fight ransomware
- Multi-intelligence agency focus on ransomware
- Anti-ransomware campaign led by the White House
- Anti-ransomware cybersecurity framework
- Crackdown on ransomware payments
The whole idea is to use nation-coordinated defensive and offensive capabilities to create a more comprehensive defense and raise the cost of using ransomware to commit cyber crime.
A More Secure Internet
Lastly, malicious hackers and malware writers will continue to do what they do as long as we cannot identify and stop them. We need an improved, evolutionary version of the Internet that makes it significantly harder for malicious hackers and malware to hide and function. This means replacing the Internet’s default, pervasive anonymity with opt-in, stronger authentication for participants who want more security, which is probably most of the world. Making a stronger Internet will mean creating a bunch of new protocols and services, but none of them are beyond our technical capabilities. In fact, we have had the ability to make the Internet far more secure for decades; we just have not had the global cooperation needed. Perhaps the billions of dollars being lost to ransomware alone, in a single year, is starting to be the tipping point that makes global competitors work together. It is a big ask, but it is doable.
Until we get global agreement, political and jurisdictional, and an improved Internet, we all need to focus on the three local security controls which, if done better, will have the biggest impact on our cybersecurity risk: stopping social engineering, better patching and stronger authentication. We do not have to wait on global politicians to do any of those things.