Cyber Strategy

The new National Cybersecurity Strategy from the White House has recently been published. There are undoubtedly controversial recommendations, such as calls for the imposition of liability for insecure software products and services and the increase of military support of private cybersecurity, and I look forward to those debates. I praise the National Cybersecurity Strategy for carving the way forward against the growing threat.  The section on the threat should not be missed. 

Most notably, I want to highlight this paragraph: 

“The cyber operations of criminal syndicates now represent a threat to the national security, public safety, and economic prosperity of the United States and its allies and partners. Ransomware incidents have disrupted critical services and businesses across the country and around the world, from energy pipelines and food companies to schools and hospitals. Total economic losses from ransomware attacks continue to climb, reaching billions of U.S. dollars annually. Criminal syndicates often operate out of states that do not cooperate with U.S. law enforcement and frequently encourage, harbor, or tolerate such activities. These and other malicious cyber activities continue to threaten Americans across society, including disproportionately affecting those without the resources necessary to protect themselves, recover, or seek recourse.” 

You got to love the statistics around ransomware:

• Ransomware attacks are at an all-time high – up over 148% since the beginning of 2021. 
• Cybercrime has grown to be the 3^rd largest economy after US and China according to World Economic Forum – Projected costs in 2023 are at $8 trillion and $10.5 trillion in 2025.
• Although attacks are increasing – payments are down largely due to Department of Treasury sanctions.
• Ransomware payments dropped from $766 million in 2021 to $457 million in 2022.

Let’s pause on this last statistic since it seems to contradict all the others that refer to the issue as growing.

Chainalysis is the source of the data pointing out the significant drop in ransomware payments. They are a company that traces and understands blockchain activity and has been instrumental in helping the government identify many cyber criminals. You can read all about it in Andy Greenberg’s new book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

Chainalysis cites two reasons why ransomware payments were down last year.  Sounds like good news- right?

The two primary reasons were:

1. The Department of Treasury released an advisory on Potential Sanctions for Facilitating Ransomware Payments, and it’s scary!  If you show this advisory to your lawyers, my bet is they will not want to pay the ransom and justifiably so – but where does that leave the victim?
2. Cyber insurance firms are requiring increased protection. This leads to fewer entities being able to afford insurance protection resulting in greater risk exposure in most cases.

The government is certainly still in this fight. We have seen recently that they have launched a “disruptive technology strike force” led by the Departments of Justice and Commerce to protect American technology theft and block threats to critical assets.  

I agree this needs to be done and applaud the initiative, but it still leaves too many victims vulnerable to their data being stolen or deleted. Bottom line is that protecting our data is our personal and professional responsibility.

Our vulnerable attack surface is amplified by the IoT emergence and expanding 5G and 6G infrastructure.  It is predicted that by 2023 there will be over 21B IoT devices connected to networks.  In time, those network connections will bypass home routers and be direct connections with cloud infrastructure providing ubiquitous data storage.   

As the data warehouses grow, so does the need for storage that is unreadable by criminals and consequently inaccessible. This is doable with SaaS capability that hides the data by making it invisible to unauthorized users. For example, storage firmware can render the data unreadable at the sector level, preventing physical and remote attacks. 

The best technique I have seen is the creation and storage of keys that prevents all known key recovery techniques. These non-recoverable keys are cryptographically derived from a user-supplied password and never stored in final form. Cigent is a small company that I am on the board for that provides this unique capability and has several government users for protecting critical information.

Bottom line is that our data continues to be vulnerable, and it is a growing challenge to keep it safe. The National Cybersecurity Strategy affirms what we already know – that protecting data is the responsibility of the owners and operators of the systems that hold our data. 

In some cases, the “owner” is us, and taking personal responsibility for the protection of our most valuable assets is common sense. It will be a refreshing change when the National Cybersecurity Strategy is implemented, and vendors are more accountable for protecting our data, but it won’t be the whole answer.  

Companies, consumers, and governments need to be more diligent than ever about cyber hygiene. Data security often includes ensuring its availability, as well as keeping it protected or confidential, and finally certifying its integrity or accuracy.

At the same time, those of us in the cybersecurity sector need to be more creative than ever with solutions that work easily. It’s not enough to keep doing the same things with tweaks and adjustments. What do they say about doing the same thing over and over again….

I will close with one of my favorite Stephen Covey quotes:

“If we keep doing what we’re doing, we’re going to keep getting what we’re getting.”

Let’s change that!