Inside Cybersecurity

FDD’s Montgomery, Shea promote Solarium recommendations as missing pieces in ransomware approach

By Charlie Mitchell / October 15, 2021

This week’s White House-led meeting of global partners on ransomware produced a joint statement based on the Biden administration’s “four lines of action,” but one ingredient still missing in the Biden approach is the type of “operationalized collaboration” and information sharing called for by the Cyberspace Solarium Commission, according to the Foundation for Defense of Democracies’ Mark Montgomery and Georgianna Shea.

The 31-nation meeting concluded on Thursday with a joint statement addressing resilience, countering illicit finance, disruption and diplomacy, the four areas framing the administration’s anti-ransomware activities and used as the basis for this week’s discussions with senior officials from a broad group of countries.

Montgomery, who serves as senior advisor to the Solarium Commission, observed, “U.S. government and private sector efforts to combat ransomware require a three-pronged approach. 1) The U.S. government needs to impose greater costs on ransomware actors; 2) the U.S. government and the private sector must collaborate to ensure the private sector has timely threat information; and 3) private companies need to make the necessary investments to better protect themselves.”

Georgianna Shea, Chief Technologist, Foundation for Defense of Democracies

He said, “The administration’s four lines of effort focus on steps 1 and 3 but overlook the important work that needs to be done to operationalize public-private collaboration. Efforts within the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to stand up the Joint Cyber Defense Collaborative aim to better coordinate cyber defense planning in advance of and in response to cyberattacks, but the lack of shared knowledge of the threat landscape will hinder its effectiveness. There is pending legislation in the House NDAA that can help solve this.”

Montgomery said, “Congress needs to fully resource the JCDC and add a collaborative environment, as outlined in the House version of the National Defense Authorization Act. The White House needs to ensure that the private sector has improved access to threat information to protect themselves. It must direct the intelligence agencies to improve the speed of declassification processes so that timely information and intelligence can be shared with the private sector.”

The FDD in a September policy brief discussed the need for establishing a “Cyber Threat Information Collaboration Environment” as recommended in the 2020 Solarium Commission report.

“The new information sharing environment called for in the NDAA would work to lower the bureaucratic hurdles that often hinder the government’s ability to pass actionable threat information to the private sector. While such information may not be sensitive, it often requires a lengthy process to get approved for dissemination at the unclassified level. Thus, the government frequently misses its window to provide useful threat information to the private sector,” the FDD said in the policy brief last month.

Mark Montgomery, Senior Advisor, Cyberspace Solarium Commission

“The collaborative environment will be designed to remove barriers to information dissemination, establish a direct connection between private-sector companies and the government, and ensure that threat information flows more freely between the public and private sectors. At the same time, the collaborative environment will ensure that more detailed analyst-to-analyst work between government and private-sector experts can still continue at the classified level,” the FDD said.

CISA senior official Brandon Wales, the former acting director of the cyber agency, said at an event Wednesday that the agency and partners are “moving from information sharing to information-enabled operations. … We think JCDC is the future of cyber defense.”

Thursday’s joint statement from participants in the White House-led meeting addressed info-sharing in several places, saying: “Nations should also consider appropriate steps to promote incident information sharing between ransomware victims and relevant law enforcement and cyber emergency response teams (CERTs), with protection for privacy and human rights. Such sharing enables cybercrime investigations and prosecutions, and facilitates broad distribution of cyber threat mitigation steps.”

It said, “Moving forward, we are committed to sharing lessons learned and best practices for development of policies to address ransom payments, as appropriate. We will also engage with private sector entities to promote incident information sharing and to explore other opportunities for collective buy-down of risk.”

More from FDD

In the FDD release this week, the group’s chief technologist Shea added that, “As long as ransomware is lucrative, attacks will continue. The administration’s efforts to indict and sanction hackers, claw back ransomware payments, and dismantle ransomware-as-a-service infrastructure all impose costs on the attackers, but until victims stop paying the ransoms, imposing costs will only be marginally effective at deterring attacks.”

She said, “Efforts to make the private sector resilient against ransomware have focused on improving cyber hygiene and implementing cybersecurity best practices, and to the extent that these practices emphasize resiliency against attacks, it is usually by recommending maintaining system backups. Backups, however, may not prevent substantial data loss nor do they protect against the rising tide of double extortion in which ransomware attackers not only lock up data but also threaten to publicize a victim’s sensitive information.”

Shea added, “A better way to combat against ransomware is to make networks resilient against these attacks by design so that when companies fall victim to attacks – and history shows that it is not if but when – the victim can ignore the attackers and continue operations as normal. This kind of resiliency is technologically possible and will render ransomware attacks meaningless.” – Charlie Mitchell