What has the impact of the ransomware attack on Colonial Pipeline been? How do you expect the U.S will respond?
The ransomware that was deployed impacted the business systems of Colonial Pipeline, which led to the company’s decision to temporarily halt pipeline operations. This led to a broader disruption to pipeline operations, and a noticeable spike in demand for gasoline, particularly in the eastern United States. Ransomware attacks are becoming more prevalent—almost endemic. Over the past decade we’ve witnessed an increase in the number of attacks across different sectors and different organizations. The group responsible for is called Darkside—a Russia-based cybercriminal group that provides what’s called ransomware as a service (RaaS) to various clients. It’s not clear, at least publicly, who or what entity sought out services. Several experts suspect they have been involved in this game for a while now—Darkside is simply the latest moniker.
There will likely be a number of responses to this incident, from several different actors. The Department of Homeland Security has been involved and Colonial Pipeline is contracting with FireEye, a cybersecurity firm, to conduct some of the forensics. There’ll be the immediate reaction to the technical aspects of the ransomware attack and there’ll be continuing public discussion and debate regarding how do we take down these networks? How do we give guidance to companies? There may be regulatory action coming forward as people start to debate questions about whether companies or victims of ransomware should pay the Ransom.
Does paying ransomware attackers create a concerning precedent for future attacks, i.e. the possibility of aiding and financing future attacks, which are likely to be even more sophisticated?
There are a couple of things to think about when we think about the payment of ransomware. We’ve seen a significant growth in ransomware demands. Ransomware was most prominently deployed against individuals and their personal computers. would get a demand for a few hundred dollars and usually paid in some form of cryptocurrency to be able to unlock the computer and data again. In the last few years this has migrated to other organizations. We’ve seen local governments in the United States, like Baltimore and Atlanta, a number of school districts, as well as healthcare providers, and first responder networks targeted. These trends have been accompanied by an escalation of demands—the average has grown from just a few $100 to hundreds of 1000s of dollars. The highest demand recently was as much as $30 million. We’ve seen these escalations and we’ve also seen an evolution in the different forms of ransomware.
There’s no guarantee that when you pay ransom, you’ll actually get your data back. This isn’t always private entities targeting other private entities or citizens. We could be looking at a state that is trying to coerce another actor—there’s that concern. Something secondary that doesn’t get as much attention is what happens to the resources that those engaging in ransomware have garnered. could be used for other malicious activity—ransomware payments could absolutely finance other criminal activity as well, which is a significant concern.
How disruptive has ransomware become in the past few years? Are policymakers in the United States and Canada taking this issue seriously enough?
In the past decade, ransomware has become more disruptive as it has started to impact local governments, schools, healthcare companies, and hospitals. Some of these attacks have been widespread and far-reaching. One of the most significant forms of malware that’s associated with ransomware, because of technical similarities, is NotPetya. While initially designed to target Ukraine, NotPetya quickly spread to lots of other organizations and sectors. With ransomware as a service, cyber actors are renting out malware tools to anyone willing to pay for them. It has turned into much more of a commodity service—available to lots of different people who may not even have the technical capabilities themselves. These actors are looking to garner illicit funding and illicit revenue.
Initially, ransomware was seen as a nuisance. Recent attacks on hospitals in the U.S, and the Colonial Pipeline hack have raised a lot of concern regarding the potential impact the activities of these organizations can have on our critical infrastructure. Policymakers are paying attention now. Do we need laws or regulations regarding the kinds of rules there should be about paying ransoms in the event of a ransomware attack? What is the power of law enforcement to basically go after the cryptocurrency markets? These aren’t issues that are specific to North America. This is a problem that transcends borders due to the distributed nature of cryptocurrency, which, as I mentioned earlier, is the preferred payment method for ransomware actors. We’ve really only just started coming to grips with the idea that this will be a sustained problem. Like everything else in cybersecurity, these threats will not stand still. They’re going to evolve over time. We can’t just come up with a solution that’s geared towards what we’re seeing now. We need a flexible framework to address future threats as well.
How has the merging of systems within critical infrastructure networks made us more vulnerable? Could a cyber-attack targeting American critical infrastructure have trickle down effects in Canada?
I think so. We’ve evolved towards this concept of the Internet of Things, or an Internet of Everything. have expressed concern that a malicious cyber group would be able to traverse from the business networks to the operational networks of an organization. Rather than just impacting the email or the business software, they may be able to manipulate the physical processes of a power plant . We no longer see ransomware as merely a nuisance, but as something with real world implications, capable of damaging physical infrastructure. There’s interdependencies between the United States and Canada—our electric grids have several connection points, but there’s also broader economic aspects like the automotive industry.
supply chains have experienced the most disruption over the last year and a half. Closely run supply chains can be easily disrupted. Even if unsuccessful, ransomware, or malwares attacks, like NotPetya could have perturbations throughout multiple sectors and functions. That’s clearly a concern and very difficult to anticipate, because of how complex these systems are. An impact to part of an electric grid could also impact something such as the ability to provide emergency response.
Between preventing, detecting, and responding to cyber incidents, which one of these areas requires the most improvement?
All three require improvement. We’d obviously like to have the ability to stop an attack before it’s able to successfully gain a foothold on network. There’s no bulletproof solution—we’re never going to be able to completely lock malicious actors out of networks and systems. We need to focus more on the speed of detection. The cybersecurity firm CrowdStrike, for example, estimated that the average dwelling time of an adversary on a network is almost 100 days. Threatening actors are gaining access to networks, and they’re able to engage in reconnaissance, exfiltrate data, and potentially other harmful activities. Its more than three months in some instances before are even being detected by cybersecurity tools and cyber defenders. We’re clearly behind the curve. In terms of response, there’s a lot of planning that needs to be done—that’s critical, especially when ransomware has the ability to impact the critical infrastructure that supports the lifeblood, well-being, and lifeline sectors of economies.
Recently, you were involved with a Rand research paper called RAND’s Scalable Learning and Resilience Model (SWARM). What is SWARM? How would it be an improvement on other cyber defense frameworks?
developed what we call a SWARM approach, because we recognize the need to move from a reactive to a more predictive model of cybersecurity and defense. SWARM is centered around the idea that, focusing purely on the technical indicators of compromise and atomic indicators, and some of the more elevated forms of cyber threat intelligence, is not enough to be able to defend against more sophisticated actors, like the advanced persistent threat groups that we’re concerned about. We wanted to look at how to fuse some non-technical indicators, like geopolitical indicators, along with more technical indicators to put ourselves in a position to be more predictive and resilient to attacks.
First, you have to try and identify who the most relevant threat actors are—which ones are most likely to attack you. An organization like RAND does a lot of work for the United States government, and other governments around the world. We know that advanced persistent threat groups are going to be interested in us as a target, because of the work we do in international trade policy or national security policy. We also know the kinds of playbooks and techniques these groups use. You can try to focus your defensive capabilities to detect as well as defend against these techniques, and also identify the gaps in your own countermeasures. It’s also important to think about the world outside the cybersecurity realm, and the threats that might impact us. The U.S is engaged with a number of actors around the world—some of them are clearly competitors. Think about China or Russia, countries which host several cyber-criminal groups. There may be events occurring in the broader geopolitical sphere that you want to keep a track of in order to cue you to think about other phenomena which might impact you.
When President Trump met with Kim Jong Un, that should have probably served as a cue to think about North Korean cyber threats. Should we be doing a little bit more to try to detect our North Korean cyber actors that might be probing our networks in the runup to events and diplomatic meetings such as this? These are the kinds of things organizations need to work through. SWARM isn’t foolproof. Once you put it in place you can’t just let it run on its own. It requires a reasonably sophisticated cyber defense team that’s thinking through how to use the various tools and techniques available on the technical side, and also integrating geopolitical indicators into the analysis.
I think one of the things the ransomware evolution shows us is that you can’t rest on your laurels—you can’t just expect that you understand what the threats are. They’re going to constantly evolve. Cybersecurity is a team sport, which involves working across sectors, with the government at the local level, as well as the federal level. Cyber threats aren’t going away. Until we can create the most perfectly secure computer system—which I think is probably beyond our means—we have to continue to focus on those three elements that we talked about, prevention, detection, and response.
Quentin Hodgson is a senior international and defense researcher at the RAND Corporation focusing on cybersecurity, cyber operations, critical infrastructure protection, risk management, and command & control. He is also a member of the faculty at Pardee RAND Graduate School. He has led projects for the Office of the Secretary of Defense, the Department of Homeland Security, the United States Navy, the United States Air Force and NATO’s Allied Command Transformation. He came to RAND in 2017 from the MITRE Corporation, where he led projects supporting the Department of Homeland Security and the State Department on strategic planning, cybersecurity, and capacity building. He was the principal author of secretary of Defense Robert Gates’s National Defense Strategy and led efforts to reform the Department’s approach to force planning and analysis after the 2010 Quadrennial Defense Review. He holds an M.A. in international relations from the Johns Hopkins University School of Advanced International Studies and an M.Sc. in national resource management from the Industrial College of the Armed Forces, and was a Fulbright scholar affiliated with the University of Potsdam, Germany.