Recent ransomware attacks indicate that the current model of cybersecurity isn’t working. It’s time for a wholesale rethink.
Once again, cybersecurity has become a headline topic within and well outside technology circles, along with the little-known operator of a significant fuel pipeline: Colonial Pipeline. A ransomware attack, and ensuing panic buying of gasoline, resulted in widespread fuel shortages on the east coast, thrusting the issue of cybersecurity into the lives of everyday Americans.
Colonial Pipeline CEO Joseph Blount later acknowledged that his company ultimately paid the cybercriminals $4.4 million to unlock company systems, generating a great deal of controversy around the simple question (and associated complex potential answers), of whether companies should pay when their systems are held hostage by ransomware.
SEE: Security incident response policy (TechRepublic Premium)
The wrong debate on the right issue?
There are good arguments to each side of the “should companies pay” question, particularly when a cyberattack cripples a significant piece of critical infrastructure. Debates about morality and encouraging criminal behavior might have merit, but if transportation infrastructure is threatened and there’s no technical solution in sight, those arguments have a much smaller interested audience.
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)
Rather than debating what’s ultimately a moral and ethical question that’s been around since the dawn of humanity, the proper debate we should be having is about the critical role of technology at non-technology companies. This might seem like an odd question, as technology had become ubiquitous from the mom-and-pop corner store, to Fortune 10 conglomerates. What’s striking, however, is that for the vast majority of these companies, technology is not their core business.
The challenge of tech at non-tech companies
While companies with technology as their core business like Amazon, Facebook, Google and Microsoft have become household names, they’re the exception in a sea of organizations that do everything from manufacturing cars to running hospitals to delivering fuel via pipelines. These companies have to maintain and execute wildly complex processes, far-flung operations and complex talent networks. Assuming they can do all that, they also need to build, support and secure enormously complex technology systems.
SEE: DarkSide ransomware group suffers setbacks following Colonial Pipeline attack (TechRepublic)
This might seem like stating the obvious, but the impact is similar to asking Amazon to stand up a “side business” performing complex brain surgery in-house or asking Apple to launch an internal department that does oil exploration, drilling and refining to power its data centers. These complex businesses are better left to others.
Putting the security back in cybersecurity
When the general public talks about cybersecurity, a colorful trope about the Wild West often makes an appearance, referring to the lawless and chaotic days of westward expansion in the United States of the 1800s. Unfortunately, this historical reference is more apt than many realize, as general commerce and infrastructure security were under constant threat from organized criminal gangs in that era, just as they are today.
The threat of organized crime ultimately threatened large and small businesses to the point that companies like Wells Fargo built what amounted to their own police and investigative units. A private company maintaining its own extensive network of armed security and special agents tracking criminals and assisting local sheriffs seems like a quaint historical relic, but that’s exactly what we’ve asked most organizations to do today when it comes to cybercrime.
In the absence of well-equipped and well-organized law enforcement, cybersecurity is indeed the Wild West, with organized gangs yielding botnets rather than Colts and nabbing bitcoin rather than stagecoach treasure boxes.
A variety of specialized cybersecurity companies have become the modern version of the Wells Fargo special agent, providing security for hire on a commercial basis. Yet, they lack the legal authority and pervasive reach of an organized government entity. Just as the general citizenry demanded safe, routine commerce and infrastructure from its government as the western U.S. was settled, so too should our citizens now demand safe, routine commerce and infrastructure from our government in the Wild West of the digital realm.
Our existing government entities are also scattered across an alphabet soup of agencies. There does not seem to be any agency that’s the go-to source of technical acumen, jurisdictional authority and good old fashioned detective work and crime fighting that’s required to make ransomware a crime that doesn’t pay.
Can this be an inflection point on ransomware?
Perhaps the Colonial Pipeline will be an inflection point that puts ransomware, and the fact that it’s currently more economically efficient to pay off the criminals than build an internal cybercrime police force, into the limelight. Ransomware attacks need to go from a whispered admission of implied guilt to a well-articulated criminal threat to civil society that merits an appropriate, state-sanctioned response. Even if you’re one of the few organizations where technology is the core business, just as we wouldn’t expect Bank of America to round up an armed posse to hunt down criminals that robbed one of its branches, nor should we continue to expect companies to do the cyber equivalent.