Ransomware Attacks Require Improved Information Sharing

Speedy Cyber Incident Reporting Is Critical

IST’s report highlights successful information sharing efforts by agencies, including one instance in which the FBI coordinated with global law enforcement partners to break up an ongoing series of ransomware attacks. Collaboration led to the FBI helping about 1,300 victims decrypt their data, saving an estimated $130 million in ransom payments.

In another case, information sharing between the Department of Justice, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency helped lead to the recovery of $2.3 million paid to ransomware extortionists.

Agencies recognize the need here.

“It is critically important that entities report every intrusion, including ransomware incidents, to CISA or the FBI as quickly as possible,” says Jeff Greene, acting executive assistant director for cybersecurity at CISA.

Robust reporting “allows CISA to share information that can protect others, limiting the ability of malicious actors to use the same techniques to execute multiple intrusions,” he says.

Some agencies are actively working to improve information sharing. The Treasury Department recently launched a public-private partnership called Project Fortress.

This effort aims “to ensure that we modernize our approach to cybersecurity, a major part of which is automating the sharing of threat intel directly to the IT operators and network defenders,” says Todd Conklin, deputy assistant secretary for cybersecurity and critical infrastructure protection at the Treasury Department.

Information Sharing Outcomes Should Encourage Agency Reporting

The IST report offers five information sharing recommendations:

• Develop new levers for voluntary sharing of cryptocurrency payment indicators
• incentive voluntary information sharing between cryptocurrency entities and law enforcement
• increase government sharing of ransomware intelligence
• create a standard format for ransomware incident reporting
• encourage organizations to report ransomware incidents

DISCOVER: The National Transportation Safety Board leans on microsegmentation to improve security.

This last item is of special interest, given the tendency of organizations to keep quiet about ransomware attacks over concerns about liability or bad publicity, Grossman says.

“We want to create an environment where organizations are really ready and willing to put that information forward so that there can be actions taken by the government to get their hands on these actors, follow the money if a ransom is paid and disrupt actors as soon as possible,” she says.

Government could encourage this by being more open about the outcomes of information sharing.

“Right now, reporting sometimes feels like it’s going into a black box, and no one is doing anything about it,” Grossman says. Government needs to make it clear “that entities are getting something out of reporting, that it’s not just a one-way street.”