In the wake of a series of high-profile ransomware attacks, the level of angst emanating from both politicians and law enforcement professionals is increasing sharply. Christopher Wray, director of the Federal Bureau of Investigation (FBI), has informed the U.S. Congress that the agency is investigating approximately 100 different ransomware attacks, many of which are being ascribed to entities that appear to be operating out of countries that either don’t appear to be doing much to curtail that activity or may be actively encouraging it. The Biden administration has also made it clear that ransomware will be a topic of conversation during a forthcoming summit with Russia.
As much as cybersecurity professionals may applaud those efforts, the venue they should be focusing most of their attention on is what’s occurring in the halls of Congress. There is now a bipartisan effort underway to create legislation that would require organizations to disclose how they were victimized by a ransomware attack. The basic rationale is ransomware attacks are a national threat. Failing to share details of a ransomware attack to enable other organizations to better protect themselves is essentially aiding and abetting the cybercriminals that threaten the country.
Most ransomware attacks, as most cybersecurity professionals well know, are the result of sloppy IT practices. Cybercriminals are exploiting passwords they found on the Dark Web to compromise systems in a way that allows them to appear to be just another legitimate user of, for example, a virtual private network (VPN). The legislation that ultimately gets passed is not likely to go so far as to blame the victim for not having the appropriate level of cybersecurity hygiene in place to prevent a ransomware attack. However, as a public record, it will nevertheless be the equivalent of public shaming. Media outlets will at the very least use those records to disclose that a ransomware attack took place, with all the attendant valuation implications attached when it becomes clear an organization was unable to operate while it negotiated with cybercriminals to regain control over its data.
Among other things, the legislation being proposed would make it illegal to ransom data and possibly even set up a recovery fund for victims. As that legislation winds through Congress ransomware will undoubtedly become an even bigger board-level issue than it already is. On the plus side, more funding will be allocated to thwarting ransomware attacks that exploit weaknesses in IT environments that every IT professional knows are pervasive.
Most cybersecurity professionals will initially welcome the increased focus on cybersecurity, despite any admonitions about being careful what one wishes for. Once legislation is passed there will undoubtedly be a lot more blame to be passed around. Scapegoats, not all of them justifiably, will be sought and ultimately sacrificed.
Cybersecurity professionals, of course, are no strangers to corporate politics. However, when professional politicians get involved the nature of the game changes as the stakes inevitably rise. IT professionals should take note and prepare accordingly.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.