By Neil Jenkins and Matthew Olney.
Note: Our guest co-author, Neil Jenkins, is the Chief Analytic Officer at the Cyber Threat Alliance. He leads the CTA's analytic efforts, focusing on the development of threat profiles, adversary playbooks and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy and operational planning for both the public and private sectors.
As the headlines show, ransomware has become a threat to national security, life safety and critical infrastructure. As a result, the U.S. Department of Justice recently announced it would be giving ransomware attacks priority similar to that as terrorism. None of this is a surprise to the more than 60 experts who came together this year under the umbrella of the Ransomware Task Force (RTF), an effort to produce a comprehensive set of recommendations to international governments and private-sector partners on how to address this threat. In fact, the report — issued just days before the Colonial Pipeline attack — begins by saying, "Ransomware attacks present an urgent national security risk around the world."
As contributors to the report, we'd like to drill into the second priority recommendation issued by the group, calling for "...a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign…" To a large extent, we have left the private sector to deal with the ransomware threat by themselves, and when an incident has occurred, we have treated it as a law enforcement matter. Both of these approaches have failed. When the actor only needs to find any flaw in any company or organization's defenses, then they will continue to be successful. When the primary threat society puts forth to deter these activities is "you'll go to jail" and the actors are hiding in countries that have shown no interest in cooperating with law enforcement activities for these behaviors, there is no deterrence.
A change is needed. One that acknowledges that just letting actors beat on the companies that make up the global economy is insanity and that the law enforcement-centric approach has failed to deter these actors in any meaningful way. Ultimately, what the RTF recommends is identifying those ransomware groups that pose a threat through their actions to life safety, critical infrastructure or national security, and to treat those problems not as law enforcement problems, but as national security problems. Addressing ransomware requires us to look beyond law enforcement and leverage the powers and authorities of all parts of government while simultaneously coordinating with the private sector. It will take a community effort. This approach argues for focus, creativity and ongoing pressure to blunt the onslaught of ransomware activity that we see today.
The key to the campaign is that it be "intelligence-driven." For the government, this means that the intelligence community must prioritize ransomware actors as intelligence targets and synthesize the government's unique intelligence insight with intelligence on ransomware activity from law enforcement and network defenders in the private sector. Governments must do what they are best at — attribution to specific actors — and combine that with what the private sector is best at — identifying the critical infrastructure at risk, the technical indicators of the operations, and the flows of cryptocurrency through markets. The data provided by these efforts will be used in two ways: categorize and prioritize the actors, identifying which groups are truly a threat and identify which of those groups require immediate attention. Governments can use this intelligence to identify the high-tier threats and coordinate activity to disrupt those threats among government agencies and the private sector.
Now, efforts turn from what the ransomware group has done, to what allows the group to operate. The intelligence gathered will allow governments to put together a holistic picture of the financial, operational and interpersonal aspects of the group that allow it to be effective. From that awareness, they can develop a plan to dismantle the operational capabilities of that group. In some situations, law enforcement may take the lead, working with traditional authorities to use legal processes to take down infrastructure or detain and prosecute the criminals. But it is likely it will be determined the core operational components of the group, and thus the best targets for disruption, lie beyond the reach of law enforcement. This is where creativity and collaboration come into play.
The goal is to ultimately dismantle and disrupt the target and deter others who would consider following a similar path. The intelligence gathered should identify weak points in the operations and infrastructure of the targeted actor group. Government capabilities and authorities, combined with defensive actions from the private sector, can be used to disrupt that infrastructure and decrease the effectiveness of ransomware operations. The response should be geared toward the weaknesses specific to the group and coordinated with the private sector and international partners whenever possible.
The point here is that we have to find a way to dismantle or disrupt these groups over time, whether through traditional law enforcement means or more creative uses of government power and collaboration with the private sector. In some cases, a single engagement will be insufficient to deter the actors and a consistent application of pressure will be necessary. For actors who have engaged in activity sufficient to warrant it, this sort of sustained engagement is not just appropriate, but wholly necessary.
How this would look in the U.S.
The RTF's final report provides a model for how the U.S. could organize to take these actions and increase collaboration within the federal government and with the private sector. The government must bring the various government agencies that have a role together to work toward a common goal of disrupting ransomware actors. Problems like ransomware demand coordinated efforts, and the RTF recommends that the government establish an interagency Joint Ransomware Task Force (JRTF) to lead the operations of this effort. The JRTF should be composed of law enforcement agencies, such as the FBI and the U.S. Secret Service, along with major players in the intelligence community, including the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA), and the Central Intelligence Agency (CIA).
It must also include the Cybersecurity and Infrastructure Security Agency (CISA). CISA will help the JRTF to understand the risk to critical infrastructure entities and provide targeted technical information to businesses and organizations to help them shore up their vulnerabilities and put the appropriate mitigations in place. It is imperative that we combine the disruptive elements described above with efforts to improve the security of organizations. The same intelligence we use to fight back must be used to shore up defenses. If we only focus on disrupting the current set of malicious actors and don't improve our security baseline, new actors will just step into the gap. By bringing these elements together in an operational task force, U.S. government agencies can disrupt the operations of specific ransomware actors and, through CISA, simultaneously work with cybersecurity vendors, ISPs, service providers, and the targeted organizations themselves to defend against the specific TTPs those actors are using.
The JRTF must also include U.S. Cyber Command to potentially execute lawful offensive cyber operations that could be used to disrupt the infrastructure of ransomware actors. If the government assesses that arresting the actors may not be possible, then the best option available might be to brick their command and control infrastructure or take down the forums they use to communicate with their affiliates. Cyber Command may also be best positioned to use information and influence operations targeting ransomware actors.
The State Department would also be a key player to work through diplomatic actions that will likely focus on convincing countries to take action against ransomware actors operating within their borders. The Treasury Department could assist with the development of sanctions and work with cryptocurrency markets to disrupt the flow of funds to actors. Other government agencies may also have a role to play and could be included in the JRTF as needed.
The bottom line here is that ransomware demands solutions that aren't just the ones we use to deal with criminals. If ransomware is truly a national security problem, then the government must take a national security approach to solving it, leveraging the authorities and capabilities across multiple government agencies.
Private sector engagement
The private sector has a role to play here in assessing potential threats and assisting in lawful activities to disrupt actor operations. The private sector has years of direct experience analyzing malicious activity, monitoring actors and working directly with organizations affected by ransomware. They also have expert-level understanding of how real-world networks and services operate, how these technologies are misused by actors and how they can be utilized to disrupt actor activities.
Public/private cooperation on cyber activities is not new, but the level of cooperation necessary to correctly identify national security threats and help build a safe, actionable response to those threats is. High-level threats require the combination of government and private-sector expertise to design customized disruption and deterrence activities.
There is a long history of cooperation of this sort, but it has largely been one-sided. Government must become more comfortable with making private sector experts part of the discussion process for building profiles of the actors and executing on technical disruption activities. Intelligence that is gained, to the extent possible, but especially technical indicators and actor TTPs, should be shared with private sector organizations that are capable of supporting disruption activities. This means that information needs to flow both ways so that the experts on both sides can provide their best guidance. Likewise, as the RTF report says, "Private-sector participants must recognize that not all government actions will be shared or coordinated with non-government actors due to security concerns or to protect sources and methods."