By Jessica Dine
The U.S. is still reeling from the Colonial Pipeline ransomware attack that left the East Coast cut off from its fuel supply for days on end. Unfortunately, this marks only the latest in a series of cyberattacks against critical infrastructure. From the D.C. police to the city of Atlanta to hospitals and public healthcare during the COVID-19 pandemic, the last few years have seen mounting evidence that critical infrastructure is increasingly at risk from digital attacks.
For years, security experts have been warning of these very risks, as the physical and the digital worlds have become increasingly entangled. These predictions have rapidly been shown to be true and culminated a gas shortage felt by millions of Americans — an attack not by a state-sanctioned actor, but by a year-old private group called DarkSide. The increased efficiency and convenience of the internet comes with its own set of drawbacks, and one of those is the widespread potential for harm by an expanding pool of bad actors.
Almost 700 ransomware attacks have been conducted against critical infrastructure in the last seven years, and over half of those have taken place since 2019. As ransomware tools become increasingly available online and the need for technical hacking skills to conduct an attack continues to diminish, we can only expect this trend to continue.
The recent spate of attacks does seem to have brought the issue of cybersecurity to the government’s attention. On May 12, President Biden signed an executive order focused on strengthening governmental cyber defenses. The American Rescue Plan Act of 2021 included increased funding for the Cybersecurity and Infrastructure Security Agency and the Technology Modernization Fund, and the U.S. Department of Justice has initiated a ransomware task force.
But enough of our critical infrastructure is maintained by the private sector that a focus on government security alone is nowhere near enough, and the aforementioned agencies have no authority to mandate increased security in the private sector, only to recommend it.
The Institute for Security and Technology’s Ransomware Task Force, established in December and including representatives from Amazon, Microsoft and the FBI among many others, recently published a framework on the best path forward in combating the growing threat of ransomware. Their recommendations include greater public-private collaboration, transparency in incident reports and payments, and an increase in victim resources. If implemented, this framework would give us a much needed boost in combating future attacks, but it still leaves open the question of whether, and when, victims should pay.
To date, responses to ransomware attacks have varied considerably. Some victims pay (and often perpetrators of ransomware attacks facilitate that, asking for a sum they expect to realistically receive to increase their odds of a payout); others spend more than the ransom itself to recover lost data and update their security infrastructure. Both approaches have their benefits and costs. CISA and the FBI both recommend against making the payments for ransomware attacks, as the attacker has no obligation to follow through, private data might be publicized anyway, and it only incentivizes the perpetrators of ransomware attacks to continue. On the flip side, of course, are the immediate concerns of an entity whose private data is at risk of being lost or published, or in some cases — as in healthcare — the very real, imminent risk to human life. When actual lives are at stake, performing an accurate risk assessment that correctly weighs both the ethical and financial considerations involved is unrealistic to expect.
Ideally, the private sector would be given a clear-cut framework for deciding when, and when not, to pay. Corporations shouldn’t be asked to decide in the heat of the moment, under imminent threat, on the best course of action. But what the private sector must be responsible for is proper preventative security measures — updated networks, data backups, and a generous budget for cybersecurity. The government should be given a means to enforce its guidelines for critical infrastructure security until the private sector collectively comes to terms with the fact that security might not increase profits, but it is a necessary investment nonetheless. Finally, one crucial element of any cybersecurity approach is both simple and relatively inexpensive, and starts from the ground up: citizen education.
The most high-tech security infrastructure in the world can be rendered ineffective if an employee accidentally opens malware on a company network — and even today, nine out of ten cyber-attacks are initiated through a phishing email. Security awareness training should be a mandatory part of employee training, and as is generally the case in the quickly-evolving world of cyber-security, it should be looked at as an ongoing, iterative process that is updated in step with cybercrime’s increasing sophistication.
By intertwining our critical infrastructure with the digital world, society has opened itself up to a host of new vulnerabilities. We can only combat the growing threat of cyberattacks through a collective, comprehensive approach, one that moves as quickly and as flexibly as the rapidly evolving dark side of the digital world.
