Continuing a review of the new National Cybersecurity Strategy, today I look at the second pillar, Disrupt and Dismantle Threat Actors. It’s heavy on collaboration, information sharing, and integrated response, and lays out five objectives that, on the surface, make sense:
However, reading through the specifics of the five objectives, I see major challenges in achieving some of these. I’ll only address a few underlying issues in order to keep this more manageable.
To start, the strategy references government success in targeting the financial infrastructure used for illicit activity and seizing cryptocurrency obtained from ransomware and fraud. Although there have been successes in tracking, seizing, and returning cryptocurrency, the scale of those achievements pales in comparison to the size of the problem. When searching for examples, only a few can be found. One of the more newsworthy was the sum seized following the Colonial Pipeline attack, on the order of $4.5M. However, the estimated ransomware paid over six months during the same timeframe was $590M by U.S. businesses alone — and that was only what was reported.
Victim reporting of ransomware attacks to government officials is nowhere near the level needed for this pillar to succeed. How can the government drive collaboration and share information to stop attacks when it is not fully aware of the problem? To understand the gap, let’s review data from different sources. An independent survey of 5,600 mid-sized organizations across 31 countries determined that 58% of respondents in the U.S. were affected by ransomware in the 2021 timeframe.[1]
In a separate report, the number of ransomware attacks worldwide was estimated to be over 493M in 2022.[2] Compare that to information from the FBI’s Internet Crime Complaint Center (IC3), which received only 2,385 ransomware complaints in 2022. And I am confident the government does not have the resources to adequately address all the complaints that it does receive.
One new factor that should help with information sharing, at least within critical infrastructure sectors, is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA mandates the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement reporting requirements for covered entities. CISA must complete mandatory rulemaking activities and publish a Notice of Proposed Rulemaking (NPRM) within 24 months of CIRCIA’s enactment. CISA is to issue a Final Rule within 18 months following the NPRM.
It will be interesting to monitor the progress and success of this effort. Given that the vast majority of critical infrastructure is owned by private industry, and that companies face reputational risk when successful cyberattacks become public, reporting requirements could have far-reaching implications. But for companies outside of critical infrastructure, reporting will continue to be an individual decision. Hence, the data investigative agencies have to work with will remain limited.
Not only is the problem much larger than what’s being reported to government officials, but Ransomware-as-a-Service (RaaS) has become an enabler for those who would commit such crimes. A malicious actor no longer has to write code or own the infrastructure needed to support a ransomware attack. RaaS offers a subscription model to bad actors, who simply pay for the service and launch their attacks. Given the asymmetric return on investment and effort, RaaS is a business model that will likely result in increased attacks. Regardless of our national strategy, the enemy gets a vote too.
The final objective, “Counter Cybercrime, Defeat Ransomware,” is really a summation of other efforts. It reiterates four lines of effort:
This section identifies safe haven countries, which gain tangible and intangible benefits from providing safe haven to malicious cyber actors. Either way, the U.S. has leverage in the realm of economic sanctions because of the U.S. dollar’s world reserve status. However, some of the same safe haven countries are also attempting to undermine that status. Taken together, these facts indicate that any success in denying safe haven within those countries will not be easily gained. Until the cost exceeds the benefit for them, I don’t see any true change coming.
Given the scope of the problem, how should companies and agencies prepare? Start by recognizing that most attackers are inside victim networks for months, often where the hardware was not designed to monitor traffic. Then consider a partner like Noname to give you the added security you need, as well as visibility into data movement and anomalous behavior inside your network, to help identify issues before it’s too late. Given that API traffic now represents over 80% of worldwide internet traffic, API security should be part of your own cybersecurity strategy, especially when the National Cybersecurity Strategy is unlikely to truly disrupt and dismantle all the threat actors out there targeting you.
[1] “Percentage of Organizations Hit by Ransomware in The Last Year” chart, The State of Ransomware 2022, p. 12.
[2] “Annual number of ransomware attacks worldwide from 2017 to 2022,” Number of ransomware attacks per year 2022, Statista.