Disrupting and Dismantling Threat Actors Will Not Come Easy

National Cybersecurity Strategy: Disrupting and Dismantling Threat Actors Will Not Come Easy

Limited Reporting and Limited Resources Leads to Limited Successes

To start, the strategy references government success in targeting the financial infrastructure used for illicit activity and seizing cryptocurrency obtained from ransomware and fraud. Although there have been successes in tracking, seizing, and returning cryptocurrency, the scale of those achievements pales in comparison to the size of the problem set. When searching for examples, only a few can be found. One of the more newsworthy, was the millions seized following the Colonial Pipeline attack, around the order of $4.5M. However, the estimated ransomware paid over six months during the same timeframe was $590M by U.S. businesses alone — and that was only what was reported.

Victim reporting to government officials regarding ransomware attacks is nowhere near what it needs to be in order to be successful in this pillar. How can the government drive collaboration and share information to stop attacks when it is not fully aware of the problem? To understand the gap, let’s review data from different sources. An independent survey of 5,600 mid-sized organizations across 31 countries determined 58% of respondents in the U.S. were affected by ransomware in the 2021 timeframe.¹

In a separate report, the number of ransomware attacks worldwide was estimated to be over 493M in 2022.² Compare that to information from the FBI’s Internet Crime Complaint Center (IC3) which only received 2,385 ransomware complaints in 2022. And I am confident the government does not have the resources to adequately address all the complaints that it does receive.

New Reporting Requirements and New Challenges

One new factor that should help with information sharing, at least within critical infrastructure sectors, is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA mandates the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement reporting requirements for covered entities. CISA must complete mandatory rulemaking activities and publish a Notice of Proposed Rulemaking (NPRM) within 24 months of CIRCIA’s enactment. CISA is to issue a Final Rule within 18 months following the NPRM.

It will be interesting to monitor the progress and success of this effort. Given the vast majority of critical infrastructure is owned by private industry, and companies face reputational risk when successful cyberattacks become public, there could be far-reaching implications to reporting requirements. But for those companies outside of critical infrastructure, reporting will continue to be an individual decision. Hence, there still will be limitations to the amount of data with which investigative agencies have to work.

Not only is the problem much larger than what’s being reported to government officials, but Ransomware-as-a-Service (RaaS) has become an enabler to those who would commit such crimes. No longer does a malicious actor have to write code and have the infrastructure to support a ransomware attack. RaaS offers a subscription model to bad actors who simply pay for the service and launch their attacks. Given the asymmetric return on investment and effort, RaaS is a business model that will likely result in increased attacks. Regardless of our national strategy, the enemy gets a vote too.

Summarizing the Final Pillar

The final objective, Counter Cybercrime, Defeat Ransomware is really a summation of other efforts. It reiterates four lines of effort:

Leveraging cooperation to disrupt the ransomware ecosystem and isolate countries providing safe havens to criminals

Investigating ransomware and disrupting infrastructure and actors

Bolstering critical infrastructure resilience

Addressing abuse of virtual currency to launder payments

This section identifies safe haven countries, who gain tangible and intangible benefits from providing safe haven to malicious cyber actors. Either way, the U.S. has leverage in the realm of economic sanctions because of the U.S. dollar’s world reserve status. However, some of the same safe haven countries are also attempting to undermine that status. These facts combined indicate that any success in denying safe haven within those countries will not be easily gained. Until the cost exceeds the benefit for them, I don’t see any true change coming.

Given the scope of the problem, how should companies and agencies prepare? Start by recognizing most attackers are inside victim networks for months where the hardware may not be designed to monitor traffic. Then consider a partner like Noname to give you the added security you need, as well as visibility over data movement and anomalous behavior inside your network to help identify issues before it’s too late. Given that API traffic now represents over 80% of worldwide internet traffic, you should really have API security as part of your own cybersecurity strategy. Especially when the National Cybersecurity Strategy is unlikely to truly disrupt and dismantle all the threat actors out there targeting you.

¹ Percentage of Organizations Hit by Ransomware in The Last Year chart; The State of Ransomware 2022, p12.