White House Urges Companies to Take Ransomware Attacks More Seriously

The White House on Thursday issued a letter calling on companies to take more seriously the threat of ransomware attacks.

According to CNN, Anne Neuberger, the National Security Council’s top cyber official, wrote to corporate executives and business leaders that the private sector needs to better understand its critical role.

“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” she said. “We urge you to take ransomware crime seriously and ensure your corporate cyber defense match the threat.”

Back-to-Back Ransomware Attacks

The White House letter follows back-to-back ransomware attacks carried out by Russian cybercriminals. The first targeted Colonial Pipeline, the largest refined products pipeline in the United States. The attack pushed gas prices higher and disrupted supply in the eastern United States.

And this week, JBS USA, part of the world’s largest meat supplier, was hit by a cyberattack. It affected some of the servers supporting its North American and Australian IT systems.

Rick Holland is CISO and vice president of strategy at Digital Shadows. He said the memo “presents an opportunity for security leaders to move their security agenda forward.”

Digital Shadows’ Rick Holland

“The extortion threat is a clear and present danger,” he said. “And despite internal efforts, often, it takes external guidance to help justify budget and resources.”

Security leaders shouldn’t use ransomware as a fear, uncertainty and doubt (FUD) strategy to “bend your business to your will.”

“The FUD approach is destined to fail,” Holland said. “Instead, take a measured, non-hyperbolic approach in explaining the threat and risks to your executive leadership. The current state of enterprise networks is analogous to patients with chronic illnesses like heart disease. It has taken years to get to this state. There isn’t a magical intervention that will mitigate the risk overnight. We have to address the root causes of the illness, not just the symptoms. The White House’s suggestions aren’t cheap and will take time to implement. There is a very long tail to addressing the extortion threat.”

Time for Action

Despite the prognosis and timeline, you can look for quick wins, Holland said.

“Testing your incident response plan with an extortion tabletop exercise is something that organizations can immediately do,” he said. “As many organizations will soon begin their 2022 budgeting process, now is the time to build the business case for any of the mitigations that aren’t already in place. A tabletop exercise can help identify needed investments in people, processes and technology. One comment that stands out to me from Neuberger’s memo is the need for a ‘skilled, empowered security team.’ We so often focus on technology to solve our problems. Focus on your teams first. Have dedicated training and development programs.”

The White House letter addressing ransomware attacks ends with “the federal government stands ready to help you implement these best practices.”

“This is an interesting statement, as many of the recommendations require significant investments in time and money,” Holland said. “I don’t see how the federal government will help with the costs of implementing the recommended best practices.”

Digital Warfare

Bill O’Neill is vice president of public sector at ThycoticCentrify.

“Over the past year, our schools, law enforcement, unemployment offices, health care systems, critical infrastructure and more have been ravaged by cyberattacks,” he said. “And its victims have paid millions of dollars in ransom that they simply do not have.”

Attacks like these make it abundantly clear that we’re entering a new era of digital warfare, O’Neill said.

“President Biden and his administration have now made it clear that ransomware is a national threat,” he said.

Shared Assessments’ Tom Garrubba

Tom Garrubba is CISO at Shared Assessments.

“These repeated breaches indicate it is time to hold critical infrastructure organizations accountable,” he said. “Financial institutions and even retail have been held to a higher level of legislative scrutiny. So why is it that infrastructure organizations appear to skate by? Perhaps it’s time to bring in the executives and board members of these breached organizations to publicly explain these breaches and how their organizations are addressing the IT risks in the current environment.”