White House Warns Companies to Act Now on Ransomware Defenses
An open letter urged them to take many of the defensive steps that the federal government requires of its agencies and contractors.
The White House warned American businesses on Thursday to take urgent security measures to protect against ransomware attacks, as hackers shift their tactics from stealing data to disrupting critical infrastructure.
The bluntly worded open letter followed a string of escalating ransomware attacks that stopped gasoline and jet fuel from flowing up the East Coast and closed off beef and pork production from one of the country’s leading food suppliers.
Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, wrote that the Biden administration was working with partners “to disrupt and deter” attacks that deployed ransomware, a form of malware that encrypts data until the victim pays.
But she urged companies to adopt many of the same defensive steps that the administration has recently required of federal agencies and of companies that do business with the government.
The message amounted to a rush effort to construct the kind of defensive infrastructure against cyberattacks on the United States that has been broadly discussed for years — but that companies have been slow to adopt, because either the threat seemed distant or the cost far too high.
The recent attacks have propelled ransomware to the top of President Biden’s national security agenda. It is expected to be part of his discussions next week in Europe, during meetings with allies, and in his summit with President Vladimir V. Putin of Russia. The administration accuses Russia of both launching cyberattacks against the United States and harboring ransomware hackers.
Ms. Neuberger noted “a recent shift in ransomware attacks — from stealing data to disrupting operations.” She urged firms to make sure that their “corporate business functions and manufacturing/production operation are separated,” so that an attack on business records, such as emails or billing operations, does not cut off critical production and supply lines.
The past month has shown that companies often do not understand the linkages between those two in their own systems — even if they previously insisted the functions were already separated. When Colonial Pipeline was hit with a ransomware attack last month, the attackers — a criminal group, DarkSide, with substantial operations in Russia — froze the business records side of the business, not the operational controls over the pipeline.
But Colonial, a privately held firm that supplies nearly half of the gas, jet fuel and diesel to the East Coast, took the added step of shutting the pipeline down because it could not get access to its billing systems or monitor the flow of petroleum to specific locations. And with billing systems out of reach, the company had no way to charge customers for deliveries.
The effects were immediate: Lines appeared at gasoline stations because of panic buying, airlines ran short of jet fuel and had to make stops on what were advertised as nonstop flights, and prices surged. Colonial failed to communicate effectively with government officials, and ultimately paid a $4.4 million ransom — against the usual advice of the F.B.I.
Ms. Neuberger’s letter noted that the Biden administration was working to develop “cohesive and consistent policies toward ransom payments” and to enable “rapid tracing and interdiction of virtual currency proceeds.”
Yet Ms. Neuberger, who held several key posts at the National Security Agency, noted that although the White House was working to bring ransomware attacks to heel, government could do only so much.
“Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware seriously and ensure your corporate cyberdefenses match the threat,” Ms. Neuberger wrote.
It was a telling analogy — because it was one U.S. officials have used for a decade. Yet for years, American businesses — which operate and maintain 85 percent of the nation’s critical infrastructure — have pushed back on regulations that would have mandated minimum levels of cybersecurity.
A 2012 cybersecurity bill that would have required stricter cybersecurity standards for businesses that operate critical sectors, like pipelines, dams and power plants, was ultimately watered down after the U.S. Chamber of Commerce, the nation’s largest business lobby, argued that the regulations would be too burdensome and expensive for American companies.
Last week, the Biden administration moved to force some of those changes on the pipeline industry, using the Transportation Security Administration’s oversight powers over pipelines to issue a security directive.
In the absence of comprehensive government mandates, however, cybersecurity practices have been voluntary. The result is that many businesses and other organizations have been, in effect, left to fend for themselves. And the latest ransomware attacks have exposed the extent to which American cities, town governments, police departments and even one of the ferry services between Cape Cod, Martha’s Vineyard and Nantucket have failed to erect sufficient defenses.
The latest attack on one of the world’s largest suppliers of beef, JBS, for example, was pulled off by a Russian group known as REvil, which has had great success breaking into companies using very simple means. The group typically gains access into large corporations through a combination of email phishing, in which it sends an employee an email that fools him or her into entering a password or clicking on a malicious link, and exploiting a company’s slowness to patch software.
REvil’s operators will often scan for and exploit vulnerable internet-facing servers, or break in through a well-known flaw in Pulse Secure VPN (virtual private network) appliances, the devices companies deploy to give remote staff protected access to their networks. The flaw was disclosed and patched two years ago, and American officials flagged it again last year after a series of intrusions by Chinese hackers. Yet many companies have still neglected to apply the patch, essentially leaving an open window into their systems.
In the White House memo, titled “What We Urge You to Do Now,” Ms. Neuberger asked businesses to focus on the basics. One step is multifactor authentication, which requires employees to present a second factor, such as a one-time code generated on their phone or a hardware security token, in addition to a password when they log in from an unrecognized device.
The memo encouraged them to regularly back up data, and to keep those backups separated from the rest of their networks so that cybercriminals who get in cannot easily find and encrypt them too. It urged companies to hire outside firms to conduct “penetration testing,” essentially dry runs in which an attack on a company’s systems is simulated in order to find vulnerabilities before criminals do. And Ms. Neuberger asked them to think ahead about how they would respond should their networks be held hostage with ransomware.
Recorded Future, a security firm that tracks ransomware attacks, estimated that there were 65,000 successful ransomware attacks last year, or one every eight minutes. But as businesses automate their core operations, the risk of more consequential ransomware attacks only grows.
On Thursday, just as the White House was releasing its memo, new ransomware attacks surfaced, this time on Cox Media Group, which owns 57 radio and television stations across 20 American markets. Late Wednesday, the government of Mobile County, Ala., said its systems had been held hostage with ransomware.
“Ransomware attacks are only going to get worse and more pervasive into people’s lives, and they’re not disappearing anytime soon,” said Allan Liska, an intelligence analyst at Recorded Future. “There’s a line of cybercriminals waiting to conduct these ransomware attacks. Anytime one goes down, you just see another group pop up.”