U.S. companies may have to learn to live with ransomware attacks, experts told California lawmakers on Thursday — even if that means giving attackers the payment they’re demanding to release control of vital systems.
“We’re not an advocate for paying the ransom, but the reality is that you may need to think about that,” NERC Senior Vice President Manny Cancel, the CEO of the Electricity Information Sharing and Analysis Center (E-ISAC), told the California State Assembly’s Select Committee on Cybersecurity. He suggested that utilities may have to consider preparing to pay a ransom ahead of an attack — for example, by buying stocks of cryptocurrency, which are often demanded in ransom payments and may be hard to acquire at a favorable exchange rate on short notice.
The question of whether and when to pay off ransomware attackers has become increasingly salient following recent high-profile ransomware attacks against Colonial Pipeline and JBS USA, the U.S. branch of Brazilian meat packing giant JBS. The Colonial hack attracted particular attention from regulators, lawmakers and the public because it forced the company to temporarily shut down its entire network, which delivers nearly half of the U.S. East Coast’s supply of gasoline, diesel and other fuel products. (See Glick Calls for Pipeline Cyber Standards After Colonial Attack.)
Both Colonial and JBS admitted to paying the ransom demanded of them, using cryptocurrency valued at $4.4 million and $11 million respectively. Such payments are against the official recommendation of the FBI, as multiple lawmakers pointed out to Colonial’s CEO Joseph Blount when he testified before the U.S. Senate last month. (See Colonial CEO Welcomes Federal Cyber Assistance.) Blount said that authorizing the payment was “one of the toughest decisions I have had to make in my life” but “the right thing to do for the country” because of the possible effects of a long shutdown.
Several participants in Thursday’s hearing said that electric utilities and other owners of critical infrastructure assets have lower leverage against attackers than many other private organizations, since these systems are vital to everyday life. For this reason, attackers are increasingly likely to see such victims as an easy target.
“The criticality of these systems puts pressure on victims to pay the ransoms and to pay them quickly,” said Randy Rose, senior director of cyber threat intelligence at the Center for Internet Security. “We expect to see more targeting of critical networks and operational technology … because the goal of these actors is a quick payday, and few organizations have the uptime requirements of those who operate in critical infrastructure.”
Payment Still the Last Resort
Appeasement was by no means the only strategy discussed at the hearing: Cancel said that paying a ransom should be only one option in a response plan that is thoroughly worked out and drilled before any breach occurs. “You don’t want to figure out how to respond to a ransomware attack when you’re actually experiencing it,” he said. Preparations should also include maintaining backups and practicing restoring from them; reducing the number of accounts with administrative privileges that attackers can take advantage of; and improving the cyber hygiene of management and staff.
Assemblyman Ed Chau asked several questions about potential government actions that could mitigate the threat of cyberattacks and, particularly, ransomware. First Chau turned to Cancel, wondering whether the fact that many critical infrastructure assets are privately owned makes it harder to coordinate and share information in the event of a security breach.
“There is occasionally some reluctance, particularly where there are concerns about attribution, penalty, or other liabilities that may occur,” Cancel acknowledged. He said that the E-ISAC allows members to share information anonymously, describing this as “a powerful way of getting the information and then allowing us to share that information with other members of the sector, and even with our government partners as well.”
Chau then asked whether federal action against the cryptocurrency markets could help make ransomware less attractive, prompting Ryan Kovar, a security strategist at information technology firm Splunk, to warn that the complex and shadowy nature of cryptocurrency means that attempts to disrupt it could just give rise to new types of digital coins that are even harder to track.
Ron Bushar, senior vice president and government chief technology officer at FireEye, suggested that it might be more effective to try to remove some of the stigma around paying ransoms. This could help law enforcement by making companies more willing to admit that they have paid their attackers and to share information about the payments that could lead to arrests of the perpetrators or even recovery of the funds, as when the FBI recovered a large portion of Colonial’s ransom payment in June.
“I think in the short term, some sort of potential liability protection or shielding along with disclosure, either prior to or immediately after a ransom payment, in order to enable law enforcement to better track and prosecute these sorts of payments, may be a middle ground that makes sense to stem the tide,” said Bushar.