Ransomware top of mind for DHS cyber chief

The Department of Homeland Security’s cyber chief said his organization is trying to do more to address ransomware and other digital threats that directly touch the lives of citizens.

Speaking at the RSA Conference in San Francisco, Cybersecurity and Infrastructure Security Agency Director Christopher Krebs said his agency has stepped up efforts to proactively reach out to federal agencies, local governments, businesses and critical infrastructure managers about how to prepare and what to do if their data is encrypted and held ransom by criminals or state-aligned hacking groups.

“For years and years and years, particularly in the federal government, we’ve been focused on the nation-state adversary, the highly capable, the big four: Russia, China, Iran [and] North Korea,” he said. “I think we’ve been a little bit late to the game on ransomware,” he said, adding, it’s what average Americans see “in their schools, their hospitals and their municipal agencies.”

Krebs described CISA’s role as that of a middleman uniquely positioned to canvass all the major stakeholders in the cybersecurity ecosystem and “facilitate a knowledge transfer from the haves to the have-nots.” CISA can leverage the collective financial and human capital resources of the big fish -- like major banks -- and push that knowledge and awareness down the chain to the broader cybersecurity ecosystem.

He cited a number of ways organizations can build greater resilience against such attacks, including patching their systems, implementing multifactor authentication, having an incident response plan in place and ensuring there are recoverable backups so that they’ll “be better off when that bad thing happens.”

While ransomware is not a new phenomenon, agencies like CISA increasingly see it and similar attacks deployed across a broader spectrum, from local governments and businesses to critical infrastructure. Earlier this month, the agency warned the public that hackers had successfully breached the IT and operational technology systems of a natural gas compression facility and used commodity ransomware to encrypt its data. According to the notice, the facility never lost control of its operations, but the incident has served as a wake-up call for industrial control system operators that these incidents are only likely to worsen.

Nation-states deploy ransomware-like attacks too: North Korea’s infamous WannaCry attacks operated almost exactly like ransomware, though U.S. officials noted there appeared to have been no way to actually pay the ransom.

Iran uses code similar to ransomware for some its most destructive wiper malware. Following the Jan. 3 drone strike of Iranian Quds Force General Qassem Soleimani, CISA coordinated with approximately 26,000 individuals across federal, state and local government, industry and industrial control system operators to develop preparations for potential retaliation.

Krebs said CISA quickly surmised that an immediate, all-out cyber attack on industrial control systems in response was unlikely, since Tehran would have needed preexisting access to infrastructure networks to do so. However, the incident put a national spotlight on the issue of American cyber readiness that opened up an opportunity to kill two birds with one stone and build further resilience. The agency pushed out guidance about common Iranian tactics, techniques and procedures and noted that Iran’s most devastating tools, like its wiper malware, look and function similar to ransomware, except they destroy the data instead of holding it ransom.

“When everything … died down the next week, we didn’t want to take our foot off the gas, because we had the nation’s attention, we had leadership’s attention,” Krebs said.

Officials also worry that ransomware could target voter registration databases and other IT systems in the weeks leading up to Election Day. According to Reuters, CISA set up a specific program last year to help state and local governments guard against this possibility. Krebs said offline or analog backups with paper voter rolls and a ready-to-go plan for how elections officials are going to communicate with the public and media are vital to successfully weathering such an attack.

“An adversary … that understands we care about election security [might say], ‘We’ve got a big election coming up, I’ll bet I can go pop that database and ask for $2 million, and I’ll bet they’ll pay,’” Krebs said.