The Biden administration will launch a global campaign to combat ransomware as part of a multi-pronged effort to bolster U.S. national security and critical infrastructure in the digital realm, said Anne Neuberger, deputy national security advisor for cyber and emerging technology, in a virtual keynote address to the annual RSA Conference.
The ransomware initiative is part of a larger plan to modernize the nation's cyber defense by securing the software supply chain, investing in new technologies and taking other steps to combat an alarming rise in malicious cyberattacks, Neuberger said.
The administration can no longer passively wait for the next cyber crisis to take hold before it decides to engage, Neuberger said. "While we must acknowledge breaches will happen and prepare for them, we simply cannot let waiting for the next shoe to drop to be the status quo under which we operate. The national security implications of doing so [are] too great."
The speech comes just days after Colonial Pipeline resumed normal operations following a ransomware attack by the DarkSide group, which forced a temporary shutdown of fuel delivery for nearly half of the eastern U.S. The company paid a $4.4 million ransom to regain control of its IT infrastructure, Colonial Pipeline CEO Joseph Blount told The Wall Street Journal.
The Biden administration has spent many of its first 100 days jumping from a cyber frying pan into a virtual fire as it combats malign activity from nation states and criminal actors. These were highlighted by the fallout from SolarWinds, a supply chain attack attributed to the Russian SVR, and the Microsoft Exchange Server hack, which Microsoft has linked to threat actors connected to China.
"International cooperation to address ransomware is critically important," Neuberger said, "because transnational criminals are most often the perpetrators of these crimes and they often leverage global infrastructure and money laundering networks to do it."
The SolarWinds and Exchange Server incidents highlighted a few lessons in how to deal with cybercrime, Neuberger said:
Adversaries will look for any opening to attack, whether hunting for coding errors or compromising supply chains to create an attack vector.
Partnerships are critical for the safety of the country in cyberspace. The government needs the private sector and the private sector needs the government's partnership.
The government urgently needs to modernize its cybersecurity defenses, both to protect its own data and to ensure it can keep delivering services to the American people. That requires a shift in mindset from incident response to prevention, and prioritizing investments that get ahead of threats and enable early detection, Neuberger said.
The average company incurs a cost of $13 million per breach, Neuberger said, citing a 2019 study from Accenture and the Ponemon Institute. A separate report from CSIS and McAfee showed cybercrime cost 1% of global GDP in 2018.
A key focus of the administration is securing the software supply chain. The current model of "build, sell and maybe patch" is a practice that leaves the federal government running software with flaws built directly into products used by agencies and potentially millions of corporate users and consumers, Neuberger said.
"These are defects and vulnerabilities that the developers are accepting as the norm, with the expectation they can patch later," she said. "Or perhaps developers decide to ship software with defects and vulnerabilities they decide to ignore if they, the vendor, deem those defects and vulnerabilities are not sufficiently serious to merit fixing."
That approach can no longer continue, she said. Software needs to be developed in a secure build environment using measures such as encryption, limiting privileges and strong authentication.
Last month the Department of Justice formed a Ransomware and Digital Extortion Task Force, which involves the FBI and certain divisions within the DOJ to disrupt, investigate and prosecute ransomware activity, according to an internal DOJ memo.
The Department of Homeland Security is already working with a task force formed last month by the Institute for Security and Technology, which includes more than 60 experts from leading cybersecurity vendor companies, government agencies, law enforcement and international organizations.