Bureaucrats Bungle Cybersecurity

Douglas Johnson
Cybersecurity Investments
May 29, 2022

One year after the Colonial Pipeline ransomware attack — which shut down fuel supplies on the East Coast for five days — the US Senate has released a damning 50-page report on how the federal government handles ransomware and related cryptocurrency issues. In short, the analysis spotlights fundamental weaknesses in incident reporting, exposing gaping flaws in approaches by the FBI and CISA (Cybersecurity and Infrastructure Security Agency).

Entitled “Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns,” the document was published by the US Senate Committee on Homeland Security and Governmental Affairs on May 24, 2022. The chair is Senator Gary Peters (Michigan). For firsthand insight, the full report provides better texture than the official synopsis found on the website senate.gov.

The analysis validates the view that ransomware incidents cost US companies far, far more than officially acknowledged. According to private-sector data from 2019, the ever-growing annual figure may be as much as $10 billion in ransomware demands and downtime expenses. For context, that number is roughly equivalent to the annual earnings for McDonald’s. Federal data is materially smaller because it represents a “subset of a subset” of data.

The impetus for releasing this report appears to be the Russian invasion of Ukraine. The committee emphasizes in conclusion, “Taking further action to increase the federal government’s collective awareness of the ransomware landscape and associated uses of cryptocurrency, could provide lawmakers with more information when deliberating measures to enhance the government’s ability to target Russian cybercriminals.” This position is warranted. Some three-quarters of global ransomware revenue can be traced to Russian actors.

The document may be more of an exposé than a report, given the raw take-away. The casual reader quickly realizes that the Senate committee, while holding to political decorum, in effect asserts that the government only vaguely understands the scope of the ransomware problem and therefore cannot help solve it, at least for the time being.

Theoretically, official cybersecurity data should be comprehensive and granular, akin to what economists have available to analyze inflation trends. Instead, available data is a patchwork of information that is not accessible or searchable across government agencies. One obvious blunder: information collected by FBI field offices is not commonly aggregated at the national level.

Roughly half of the report is devoted to background on ransomware attacks and illicit uses of cryptocurrencies. We learn about the distinctions between the darknet and clearnet, the concept of privilege escalation, and the role of Monero, a privacy coin. However interesting, the analysis is not prescriptive, attesting to the core problem. We know what has happened; we may not know how to prevent it. Certainly, more intensive data is one essential step toward that goal.

Our Vantage Point: While Washington fumbles with cybersecurity-policy implementation, ransomware attacks will continue to grow in volume and value, posing a direct threat to commercial enterprises and government agencies.

Banker and strategist. I forge opportunities with high-risk assets worldwide. My workshop is at the crossroads of venture capital and emerging markets.