4 actions that can protect critical infrastructure from ransomware

 


The nation’s wealth combined with its aging infrastructure makes it a primary target for increasingly sophisticated threats spanning the public and private sectors.

Over the last five months, cyberattacks have reached an inflection point as bold, opportunistic hackers succeeded in compromising America's most critical infrastructure -- water (Oldsmar, Fla.), food (JBS) and fuel (Colonial Pipeline) supplies. Profit is a key motivator: Reports reveal that victims paid hackers over $406 million in cryptocurrency ransoms last year. Yet the financial motivation of the crimes belies their potentially catastrophic consequences.

The barrage of cyberattacks has exposed a need to reimagine what the nation protects and how it modernizes to safeguard critical infrastructure, which includes defining what that means today. We’ve realized, especially after the past year and a half, it’s not only the legacy infrastructure that’s been in place since World War II that’s vulnerable. It’s Zoom, Amazon and other technologies that have kept society afloat and sane while battling the vicious virus.

The U.S. has always been adept at pivoting in the face of hardship and vulnerability. Below are four steps the federal government can take to combat these attacks, especially now when hackers in the most remote areas of the world can lock down companies and industries with mere keystrokes.

1. Critical infrastructure attacks must be understood as digital terrorism

Until now, foreign hackers mounting ransomware attacks have been acting with only modest repercussions. U.S. officials managed to recover $2.3 million from the Colonial Pipeline ransom. Though a successful counterstrike, it still left the Moscow-based DarkSide ransomware group with $2.1 million -- money that in Russia can go a long way toward sports cars, mansions and even funding a team of 150 foreign hackers for a year.

The U.S. must change the economics of ransomware attacks. Companies should not be left with the option to either pay ransoms or suffer the consequences, and officials should no longer consider hacks to be merely financial crimes. Given the economic impact and damage, ransomware attacks on critical infrastructure should be considered “digital terrorism,” and those responsible should be labelled “digital terrorists.” Pursuing and disrupting hackers’ needs is crucial to garnering a response not only from law enforcement but from the entirety of the U.S. government.

2. The U.S. must reconsider the definition of "critical infrastructure" for the modern era, and make digital security a priority

At this point, the federal government must expand the definition of critical infrastructure past bridges, dams, highways, pipelines and transit systems. Society's digital connective tissue includes both the internet and the services it provides. It has become clear that Americans cannot work and live without digital service providers like Amazon, Microsoft and Zoom. These assets must be considered critical infrastructure and made resilient against cyberattacks, beyond physically securing their data centers and corporate headquarters.

The Biden administration's American Jobs Plan is on the right track to improving America's outdated data highways: President Joe Biden has earmarked $100 billion for an affordable high-speed broadband infrastructure that may reduce the digital divide. That’s a great start because it acknowledges that part of what's outdated is not just concrete and rebar, but also the nation’s IT infrastructure.

What’s more, cybersecurity experts are acutely aware that legacy utility, service and transportation facilities may have reasonable physical security, but remain inadequately protected from digital threats. Recent attacks made clear that the weakness must be addressed now using modern hardware, software and IT protocols pioneered by U.S. companies. To the extent that critical infrastructure providers are under-equipped to make necessary investments in modern cybersecurity technology, government incentives will speed deployment.

3. Ransomware payments must be banned by law

Paying a ransom is dangerous. Each payout encourages future ransomware attacks, and worse yet, the victim has no guarantee that hackers won't return for another payday. As a matter of public policy, the U.S. government must outlaw ransom payments, as they are turning small-time crooks into big-time threats: One company's capitulation enables a menace to society.

Traditional risk management through insurance isn't the answer; it only encourages ransomware attacks and widens their impact. Colonial Pipeline had at least $15 million in cyber insurance, but as ransomware attacks continue, the growing burden of multi-million dollar payouts will either compel insurers to increase premiums and exclusions, or drop companies that file claims for attacks. This is already happening: AXA says it will no longer reimburse ransom payments for French ransomware victims, and if that wasn't enough, banks have started raising interest rates and demanding more collateral from companies that have suffered customer data breaches. Of course, the banks themselves have long been targeted by cybercriminals, and insurance companies are now under threat as well.

4. Seize the opportunity for public/private collaboration

Given its financial resources, the United States might be assumed to have critical infrastructure so sophisticated that it is virtually impervious to danger. However, the nation’s combination of wealth and aging infrastructure – not just pipelines and water, but electric grids and transit systems – makes the country a primary target for increasingly sophisticated threats spanning the public and private sectors. Despite its strengths, the U.S. ranks 13th overall in quality of critical infrastructure.

It’s time for the government to retire industrial age concepts of security and begin protecting both citizens and businesses against mounting digital threats. Collaborating with private-sector experts will help the public sector anticipate likely threats, enabling smarter and faster adaptations as the security landscape evolves. As hackers increase their resources and deploy sophisticated ransomware attacks, the nation will need every possible advantage to defend against them. With the public and private sectors working together, we will prevail.
