Cyberattacks: A Threat to Business in the US 2:26
Washington (CNN) -
FBI Director Christopher Wray warned of ransomware in stark terms, comparing the challenge posed by the recent wave of cyberattacks against the United States to the 9/11 terrorist attacks, and calling for a similar response. .
His remarks come at a time when officials across the government have tried to emphasize the urgency of responding to the problem after back-to-back ransomware incidents exposed the vulnerability of critical industries in the United States.
The US wants to shield pipelines against cyber attacks 1:02
"There are many parallels, there is a lot of importance and a lot of focus on our part on disruption and prevention," Wray said in an interview with The Wall Street Journal on Thursday.
"There is a shared responsibility, not just among government agencies, but in the private sector and even the average American."
"The magnitude of this problem is something that I think the country has to take on," he added.
Wray's statements reflect a growing consensus within the Biden administration that ransomware is among the most serious national security threats the United States has ever faced.
And it's part of a larger effort by the White House to convince the public that it is in control of the situation, even as some cybersecurity experts say the executive branch is limited in what it can do unilaterally to stop attacks.
Lessons from Cyberattacks on US Oil Pipelines 0:53
The comments also underscore the growing alarm at the highest levels of the US government following the back-to-back attacks on JBS Foods and Colonial Pipeline, which not only demonstrated the impact such attacks can have on the everyday lives of Americans, but the inability of the nation to protect itself against them.
The Justice Department said this week that it plans to coordinate its anti-ransomware efforts with the same protocols it uses for terrorism, and the White House published a rare open letter to companies asking them to address the threat of ransomware attacks with greater urgency.
advertising
They are hijacking companies.
Should they pay the ransom?
Deputy Attorney General Lisa Monaco also underscored the seriousness of the problem in an interview on Friday.
"I absolutely agree that we have to treat ransomware and cyberattacks as the national security threat that they are," he told CNBC.
"That is why we need to have a national panorama, and we have to use all our tools."
“We know that indeed the most recent attacks against JBS Foods and Colonial Pipeline are linked to criminal actors, criminal groups known to the security forces that have ties to Russia,” Monaco said, adding: “We cannot compromise on anything and no country should give shelter to criminal actors of any kind.
What is the preparedness in attacks on pipelines?
2:26
15,000 ransomware incidents in the past year
The United States suffered more than 15,000 ransomware incidents against organizations in the past year alone, according to Brett Callow, a threat analyst at cybersecurity company Emsisoft.
The attacks cost the United States between $ 596 million and $ 2.3 billion in 2020 in ransom payments and lost productivity, Callow said.
The actual numbers may be even higher, he added, because Emsisoft's estimates only take into account confirmed cases of ransomware incidents.
In recent years, malicious actors have been increasingly successful in targeting large companies in newsworthy attacks, according to Callow.
Thursday's Justice Department memo directs US prosecutors to internally report all ransomware investigations they are working on, in a move designed to better coordinate the US government's tracking of online criminals. .
Why are companies more vulnerable to ransomware?
6:07
The memorandum singles out ransomware, a malicious computer program that takes control of a computer until the victim pays a ransom, as an urgent threat to the interests of the nation.
Hackers paralyzed an oil pipeline.
Banks and stock exchanges are even bigger targets
"We must improve and centralize our internal monitoring of investigations and prosecutions of ransomware groups and the infrastructures and networks that allow these threats to persist," Monaco wrote.
And in a letter from the White House, National Security Council Chief Cybersecurity Officer Anne Neuberger wrote to corporate executives and business leaders that the private sector needs to better understand its key role.
"All organizations must recognize that no business is safe from ransomware, regardless of size or location," Neuberger wrote.
"We urge you to take the crime of ransomware seriously and ensure that your corporate cybersecurity is up to the threat."
American companies of all sizes should immediately implement measures such as offline backup of important data, implementation of multi-factor authentication and encryption to encrypt sensitive information, Neuberger said.
In the Wall Street Journal interview, Wray singled out the Russian government for allowing those responsible for the cyber attacks that the United States and others believe are behind the recent attacks on Colonial and JBS to continue to operate in Russia.
Cyberattacks: A Threat to Business in the US 2:26
“Time and time again, a large part of them have been traced back to actors in Russia.
So if the Russian government wants to show that it is serious about this issue, it has a lot of scope to show some real progress that we are not seeing now, ”Wray said.
Attacks on the agenda during Biden's meeting with Putin
President Joe Biden will address the JBS attack, as well as the increased threat of cyberattacks, during his meeting with Russian President Vladimir Putin later this month in Geneva, the White House has reported.
While meeting with other world leaders, Biden will also seek to create an international coalition against ransomware, the White House has said.
The administration is not "taking any option off the table" in response to the JBS incident, press secretary Jen Psaki said at a news conference this week.
Biden and Putin will meet in June: the topics to be discussed 1:21
These announcements come after several weeks in which the administration has been aggressive in tackling the threat of cybercrime and hacking from abroad.
In April, the Justice Department launched an internal task force dedicated to hunting down ransomware criminals and disrupting their financial networks.
The White House announced a 100-day effort to assess the cybersecurity of the nation's power grid, working with utilities to install monitoring technology that can scan for signs of intrusions.
Biden also signed a decree to strengthen digital security in U.S. agencies, to promote federal contractors who prioritize cybersecurity, and to sanction Russia for its role in state-sponsored cyberattacks.
It also initiated a review of the US government's approach to ransomware specifically, focusing, among other things, on cybercriminals' cryptocurrency transactions.
Microsoft warns of group cyberattacks in Russia 2:38
Following the Colonial Pipeline lockdown, the Department of Homeland Security took emergency measures to force the critical oil and gas pipeline industry to report cybersecurity incidents to the federal government within 12 hours and to designate a cybersecurity coordinator “at all times available".
In addition, companies must evaluate within 30 days the adequacy of their practices to the security guidelines of the Transportation Security Administration (TSA, for its acronym in English) for oil and gas pipelines.
Russia is the "king of disinformation" on Facebook, according to the company
The authorities acknowledged that this is only a first step after the attack that caused the interruption of the operations of one of the most important oil pipelines in the United States.
Meanwhile, the US government has taken some offensive measures in recent months in response to ransomware, according to two sources familiar with the situation.
Measures include intercepting and policing cybercriminals' networks and, in some cases, identifying individual actors involved in specific attacks within hours.
US government capabilities are limited
But even as the Biden administration takes a tougher stance on ransomware, it is struggling with the limits of its capabilities.
The government's power to infiltrate ransomware gangs is "situationally dependent" on the sophistication of the criminals themselves and their defensive measures, the sources told CNN.
When asked on Wednesday if he planned to retaliate against Russia for the JBS ransomware attack that the administration linked to Russia, Biden told the group's journalists: "We are studying that issue carefully."
US officials have been drawing comparisons between the threat of hacking and terrorism for years.
In 2018, President Donald Trump's Director of National Intelligence Dan Coats warned that the system was again "flashing red" as foreign actors carried out a series of intrusions and cyberattacks against targets in the United States, a reference to the alarming activity registered before 9/11.
And here we are, almost two decades later, and I'm here to say that the warning lights are flashing red again.
Today, the digital infrastructure that serves this country is literally under attack, "he said then.
At a strategic level, management actions to appoint senior cybersecurity officials or impose sanctions on governments that host cybercriminals can have important long-term effects, such as creating stronger international standards that discourage cybercrime, but it is Short-term financial incentives for ransomware authors are unlikely to change, said Alexis Serfaty, principal analyst at Eurasia Group, a political risk consulting firm.
The ransomware caused the closure of the Colonial Pipeline.
You too could be at risk
The administration must also grapple with the limits on its authority imposed by law, as well as loopholes in the law that Congress has failed to fill for years.
According to legal and industry experts, it is not possible for the Biden government to impose a single set of cybersecurity standards for all critical infrastructure sectors, such as pipelines, airlines and telecommunications networks, among others.
The complexity of each sector, and its relationship to the US economy in general, speaks to how difficult it is to design cybersecurity standards, let alone enforce them.
“There is a patchwork of regulatory requirements and contractual obligations.
And it's not easy to come up with a kind of standard set of cybersecurity minimum requirements that applies to all 16 [critical infrastructure sectors], "said Chris Cummiskey, former acting undersecretary of the Department of Homeland Security.
The executive branch enjoys greater influence with the private sector in its immense contracting power.
By setting cybersecurity standards for federal agencies, Biden can indirectly influence business cybersecurity by screening out non-compliant contractors, Cummiskey added.
The administration could do more to expand business incentives, said Ed Amoroso, CEO of cybersecurity firm TAG Cyber.
For example, Amoroso said, the United States government could subsidize the training of new cybersecurity professionals to help organizations apply the latest best practices.
Wanted: millions of cybersecurity experts.
Salary: what you ask
"In all sectors, there are not enough people who know how to do this," Amoroso said.
"I have been begging the administration to please establish an army cybersecurity program."
Millions of cybersecurity workers wanted 1:00
Meanwhile, federal agencies charged with regulating specific sectors of the economy each have their own congressional legislation that sets out what they can do, and in some cases, the same agency may be required to regulate one industry differently from another.
All of this makes it difficult to develop mandatory cybersecurity standards.
The result is a difficult conversation about who should take responsibility for protecting the public from cyber attacks: the government or the private sector, according to cybersecurity experts.
"The struggle right now is to understand who is going to manage that risk," said Sergio Caltagirone, vice president of threat intelligence at cybersecurity firm Dragos.
"Is the US government going to step in to protect critical infrastructure, or should the US government provide more tools and capabilities and approaches for these companies to do it themselves?"
- CNN's Alex Marquardt and Jamie Crawford contributed to this report.
CybersecurityFBI
/cloudfront-eu-central-1.images.arcpublishing.com/prisa/H6SX4JB4HJIOMBO3FUP6IGGLUI.jpg)
