How Bad is This Ransomware Thing? Worse Than You Ever Imagined.

Fortunately, We Finally Have an Administration Who Gets It


Who is Doing This?

It appears three groups are doing the dirty deed.

One is plain old-fashioned criminals, out to make a buck whenever and wherever they can. These groups are truly international now, as well as domestic. The sad reality is that this sort of crime in not all that hard to carry out and it is hard to stop or trace (more on that later). Suffice it to say there is an abundance of low-life types getting into this arena.

A second category is composed of state actors. They do this to vex their enemies and to develop both capabilities and intelligence to do more serious harm when they wish to do so. North Korea, Iran, and Russia lead this list, but there are others as well.

The third category is something of a hybrid. This seems mostly a Russian phenomenon. Independent groups pick the targets and carry out the attacks, pocketing the ransom that is paid, but experts believe these are likely coordinated with a host government, which may indicate targets they would like to see attacked or not.

In return for supporting the host government priorities, these criminal groups are assured they will not be prosecuted, nor will their identity be shared with other countries.

Who is Getting Hit?

At this point, pretty much anyone and everyone. We hear more about attacks on large targets. Examples include a national pipeline and a company that provides about 25% of the national meat processing capability.

But dozens of smaller companies have been hit, as have hospitals, local governments, and others. The range of potential damage and disruption is staggering.

Who is Vulnerable?

Same answer as above – just about everyone. That includes individuals – thousands have been locked out of their computers and accounts until they paid ransom. Any computer connected in any way to the internet is vulnerable. Digital currency is a real boost for these crimes. This is how ransom is most often paid, with no realistic hope of tracing the money.

How Bad Could This Get?

Well, if you are looking for something to keep you awake at night, here is your winning candidate. It is difficult to describe how bad this could get.

Everything and anything could be shut down, in rolling attacks or in one massive hit. And I do mean pretty much everything.

Imagine the financial infrastructure and investment markets being locked up. Power plants failing, with whole cities and states going dark and without heat or other environmental controls. Nuclear power plants overheating.

Communications and navigation satellites going silent. Traffic lights everywhere going random. Computerized functions in trucks and cars, including safety features, failing or becoming dangers themselves.

How about a loss of air traffic control and rail network controls? Emergency calls to 911? Forget about it. American warships and other military equipment locking up or going errant in targeting.

How about dams failing to control water levels or pressure? Mail or shipment of goods? Gone, too. Think about medical storage units losing environmental control, thus losing medical stocks.

And Much, Much More

The list genuinely is limitless. We know that among state actors, they have much of the capability to do such things now. We know they have, for years, been probing and testing our systems, finding out what they can do and implanting bugs we are still just starting to discover.

Why are We Still So Vulnerable? Who Should I Be Angry at for This?

We are stunningly vulnerable. To be in this position two decades into the 21st Century is inexcusable. You can be justifiably angry at a lot of people. Here are my three leading candidates:

  1. Government. This is a core defense and security issue. If government does not lead and coordinate the effort, it will not happen.
    I had hoped that the Obama administration would bite into this. They took some steps and sounded some warnings but came up way short. Congress, of course, has been and remains clueless.
  2. The Business Community: The leadership in many industries has known of this vulnerability for a long time. But few wanted to invest money, personnel, time, or energy to field what it takes to defend against this threat. Hard to explain to shareholders, perhaps, why so much was being spent on this invisible threat. And it was/is hard to coordinate with other entities.

    I worked some years ago for a company in the defense sector that did take all this seriously. We put serious money and effort into a constant defensive and detection effort, mostly successful. This was over a decade ago, when it was largely just a few state actors out there. We knew even back then we were being hit with probes, bugs, etc. at the rate of 1000 attacks a day. Imagine what the level must be today.

  3. The IT Community: This has been an area of near total failure. Failure to engage, failure to create, failure to meet their obligations as custodians of the modern age. Most efforts today are still defensive, not predictive, and are often little more than post-attack recovery efforts. If anything, in this era of The Internet of Things, with so much connectivity, we are worse off than we were in the 1920’s.
    It has been a shameful shortcoming. Were these titans of industry military leaders in the time of ancient Rome or Carthage, many would by now have been paraded in shame and stoned to death for failing to secure the people and to secure essential victories.

Any Options?

Sure, a number of helpful steps are available to us right now.

  1. Standards: The government must decree what the minimum standards of security and reporting are, in all sectors. The Biden administration has made a good start in the wake of the recent pipeline attack. We need more of this, everywhere. No more excuses, from government or the private sector. By the way, comprehensive government standards make it much easier for businesses to plan and invest as needed for this battle.
  2. Accountability: As soon as standards are clear, there needs to be full accountability and transparency in compliance. Reward and recognize the leaders. Penalize and publicize the slackers, including personal civil punishments for so-called leaders that fail to lead.
  3. Tools, à la Manhattan Project: I have said it before in this space – we need a full-out effort, fully coordinated between government, industry, academia, and others to break this Gordian knot. We are too defensive and too reactive. We need far better blocking protection and the ability to reach out and punish those who dabble in this evil.
    There is some concern that if we punish others by striking back at their networks, we might begin a tit-for-tat cyber version of the old nuclear MAD (Mutually Assured Destruction).

    For my money, it’s worth the risk. We should make the pain unbearable for poking around in our networks, including stealing information and planting bombs to go off later. Right now the risk for them is near zero and the rewards substantial, for both state and criminal actors.

A Little Leadership, Please

The administration has just declared this threat on a par with terrorism. The FBI, in some clever maneuver, got back almost all the ransom money paid to free the major national pipeline recently. Two excellent steps.

Now, let’s drive on and get to a reasonable point of security. This will be a never-ending war, but so far we are showing up to a gun battle carrying a pocket knife. Let’s raise the security for us and the pain for them.

Bill Clontz

If you find this blog worthy of your time and curiosity, I invite you to do two things:

(1) Join the conversation. Your voice counts here. If you wish to share COMMENTS anonymously, make the last word in your comment “PRIVATE.” I will assure your privacy via anonymity.

(2) Share the word about this post with friends and colleagues. Share a link in your emails and social media posts (https://agentsofreason.com). Let’s grow our circle.


5 replies to How Bad is This Ransomware Thing? Worse Than You Ever Imagined.

  1. Corporations need to believe in strengthening their cyber defenses because it benefits them, because benefiting society without benefiting themselves is obviously of no concern.

    • I would partially agree. I do know of some entities that see it as part of their community responsibility, but you are right that it’s tougher to get them to make the investments unless they see a positive outcome for themselves. That is one reason I favor government standards rather than relying on good will.

  2. How on earth do you convince people who are still running unpatched WinXP that security matters? I agree with your ideas, but I’m really skeptical about the outcome. Can you imagine a company like, oh just to pick one at random, HCA will care enough about IT security to actually spend money on it?

    • I agree. Short of regulatory and penalty requirements too many will fail to respond and any one of them makes a weak link in the larger chain. To put it technically, if we don’t address this wholesale, we are seriously screwed.

  3. Thank you

    Thank you for bringing this amazing information to us.
