This week, the Ransomware Task Force released its report on combating ransomware. The RTF, sponsored by the Institute for Security & Technology, is made up of more than 50 expert volunteers from software companies, cybersecurity vendors, government agencies, non-profits, and academic institutions. The Task Force’s report is timely and its recommendations urgent. The urgency stems from how ransomware has changed over the past few years, evolving from an economic nuisance to a significant national security and public health and safety threat. Given the seriousness of the problem, the Cyber Threat Alliance joined the Task Force early on and participated extensively in the three-month sprint to develop the report and its recommendations.
The report calls on multiple different organizations across the ecosystem, including public, private, and non-profit entities, to increase their efforts to combat ransomware. Naturally, the cybersecurity industry will play a key role in implementing many of the recommendations. However, out of the report’s 48 recommendations, several will require more than just the participation of cybersecurity companies; they will require the cybersecurity industry’s active leadership and focused involvement for success. These recommendations include:
- Creating a private sector threat focus hub – cybersecurity companies can and should help governments disrupt the criminal gangs behind ransomware. Cybersecurity companies bring unique insights and capabilities to disruption efforts, including knowledge of criminal activity, access to infrastructure, and an ability to affect the defensive ecosystem at scale. Such collaboration already occurs regularly, but it usually happens in an ad hoc manner, at a small scale, or based on personal relationships. Further, while the private sector thrives on informality, the government often needs formal structures to regularly operate at scale. Thus, current collaboration models have difficulty reaching the scope, scale, and cadence needed to disrupt our adversaries’ business models strategically. To bridge this divide and achieve the scope, scale, and operational cadence needed to impose real costs on the bad guys, the report recommends that the private sector organize a Ransomware Threat Focus Hub, sponsored by an existing non-profit, to provide a permanent, long-term conduit to connect with the US and other responsible governments. Private sector entities could come and go from this hub as their business interests dictate, but the hub itself would persist. This Threat Focus Hub would facilitate and coordinate sustained private sector actions against an agreed-upon target list. To be clear, though, such support does not mean undertaking offensive cyber operations or “hacking back.”
- Identifying targets for disruption – given the security industry’s insight into on-line criminal activity, cybersecurity companies can provide unique information to aid the government in identifying specific ransomware developers, criminal affiliates, and malicious infrastructure to target for disruption. In addition, cybersecurity companies can provide insight on how to target these groups. What are their weaknesses? Where are there systemic vulnerabilities that can be exploited? Such targeting efforts would be significantly hindered without cybersecurity industry involvement.
- Developing a Ransomware Framework – although multiple organizations have published ransomware guides, no single authoritative source of best practices exists. Therefore, the RTF recommends that the U.S. National Institute of Standards and Technology lead a multi-stakeholder effort to develop a Framework for ransomware preparation and response that aligns with the existing Cybersecurity Framework. The security industry will need to actively participate in the development of this Framework, because the industry’s perspective will be critical to ensuring that the Framework is effective at reducing ransomware risk.
- Updating cyber-hygiene regulations and standards and Requiring local governments to adopt baseline security standards– the report makes two recommendations around cybersecurity standards. The first is that governments take the lead in updating cyber-hygiene regulations and standards for regulated industries. The second is that the US government mandate that State and local governments meet certain baseline security standards. Developing such standards will be challenging, because they cannot be compliance checklists – such approaches do not work in cybersecurity. Therefore, the security industry needs to contribute to the development and identification of those standards, so that they will reduce the vulnerability of state and local governments to ransomware and evolve as the threats continue to evolve.
- Establishing Ransomware Incident Response Network – To increase the volume and utility of ransomware information, the Task Force recommends creating a Ransomware Incident Response Network. The RIRN would be made up of any entity that wanted to participate and abide by the Network’s sharing rules. The RIRN would serve several functions, including facilitating receipt and sharing of incident reports, directing organizations to ransomware incident response services, aggregating data, and sharing or issuing alerts about on-going threats. Since cybersecurity providers will have relevant data and understand its complexities, they should help form and actively participate in the RIRN.
- Creating a standard format for ransomware reporting – one key challenge in combating ransomware is the lack of information in certain areas, particularly the rate and impact of ransomware attacks. Addressing this gap will require increased information sharing but achieving such an increase will depend on several factors. One of those factors is ease of sharing. When information sharing is easier, more entities share. Therefore, the RTF recommends developing a standard ransomware attack reporting format. While the format will have multiple non-technical sections, at least one section will focus on any technical data that might be available about a ransomware incident. Since cybersecurity companies are the organizations that often have such data, the industry should play a key role in developing the standard format so that it provides value for the industry as well as other users in improving preparations for and responses to ransomware.
- Mandating a ransomware reporting requirement – finally, the Task Force recommends that governments should require companies to report ransom payments to the government. Since many cybersecurity companies are also incident response companies, the process of compiling and submitting the mandatory reports will fall on them. Therefore, the security industry should participate in the development of the reporting mandate to make sure that it is practical.
As these recommendations show, cybersecurity companies will play a pivotal role in making the RTF’s recommendations successful. In fact, without the industry’s active participation, many recommendations will not even get off the ground. We cannot afford such an outcome.
To be clear, any one of these recommendations will not eliminate the threat of ransomware by itself. However, if implemented in their totality, the threat of ransomware would be substantially reduced. We will never eliminate cybercrime or ransomware in its entirety, but we can reduce the threat ransomware poses to our society and increase the cost for the bad guys. CTA has committed to working on implementing the RTF’s recommendations. We call on the security community to join us in this critical effort.