Ransom Disclosure Act Aims to Help Feds Fight Cybercrime
Cybersecurity experts say there are questions about this legislation that need to be addressed.
Callum Roman is head of threat intelligence at F-Secure.
“Governments know ransomware is a problem, but just how much of a problem is unclear,” he said. “Compulsory reporting of ransomware payments can help shed light on the true scale of the problem and not just the tip of the iceberg we see reported in the media.”
The legislation may run into issues on reporting based on how and where organizations decide to pay the ransom, Roman said.
“If they organize payment through an intermediary, will they have to report?” he said. “If they pay the ransom from a company in their portfolio that is not under U.S. jurisdiction, aka abroad, will they have to declare? There will always be ways around this type of legislation, but if constructed well it can have a positive impact on informing government of the real scope of the issue.”
The most interesting aspect of the proposed legislation is the directive to the DHS to investigate how cryptocurrency facilitates ransomware, Roman said. That study may spark further legislation and sharper focus on this payment medium by the U.S. government.
“It certainly will help arm it with the information it needs to decide if this is an effective avenue for combating ransomware,” he said.
Tim Erlin is vice president of strategy at Tripwire.
“If the objective is to gather as much accurate information as possible about ransomware payments, then this legislation needs to ensure that victims aren’t worried about legal repercussions when reporting payments,” he said. “As it stands, this bill would put victims in a tough spot, afraid to report a payment and afraid not to.”
Information sharing is a key factor in fighting ransomware, Erlin said. However, a government custodian of that information isn’t the right solution.
“An independent entity should collect ransomware incident information, including payments, and provide anonymized, aggregate information back to the government,” he said. “Victims need to be confident that their complete reporting won’t result in additional consequences.”
Bud Broomhead is CEO of Viakoo, an enterprise IoT security provider.
“This legislation is acknowledgment of the real and persistent threat that unsecured IoT devices pose to enterprises of all sizes,” he said. “By far, hackers’ favorite targets are IoT devices because they are everywhere and easy to compromise. Just ask Target and others whose IoT devices provided the attack surface that was breached to set up ransomware disruption and extortion.”
A new survey by Ivanti shows 71% of IT and security professionals find patching to be overly complex, cumbersome and time consuming. In fact, 57% of respondents said remote work has increased the complexity and scale of patch management.
Ivanti surveyed more than 500 enterprise IT and security professionals across North America and EMEA.
Because of work from anywhere, patching has never been more challenging. Unpatched vulnerabilities remain one of the most common points of infiltration for ransomware attacks, which have increased in frequency and impact to businesses of all sizes.
The WannaCry ransomware attack, which encrypted an estimated 200,000 computers in 150 countries, remains a prime example of the severe repercussions of not applying patches promptly. Microsoft had published a fix for the SMBv1 vulnerability the worm exploited (MS17-010, CVE-2017-0144) about two months before the May 2017 outbreak, yet many organizations failed to install it. Even now, four years later, two-thirds of companies still haven't patched their systems, and organizations around the world are still being hit by WannaCry: the number of organizations affected rose 53% from January to March of this year.
According to the survey, 62% of respondents said patching often takes a back seat to their other tasks, and 60% said patching causes workflow disruption to users. In addition, 61% said line-of-business owners ask for exceptions or push back maintenance windows once a quarter because their systems cannot be brought down. At the same time, the speed of vulnerability weaponization continues to increase.
Moreover, 53% said organizing and prioritizing critical vulnerabilities takes up most of their time, followed by issuing resolutions for failed patches, testing patches and coordinating with other departments. Forty-nine percent believe their company’s patch management protocols fail to effectively mitigate risk.
Srinivas Mukkamala is Ivanti‘s senior vice president of security products.
“Organizations are using so many different devices, operating systems and software, making it complex and challenging to know what patches need to be implemented,” he said. “It’s critical for IT organizations to look at ways to automate the patching process to ensure they are prioritizing the right vulnerabilities to patch. Critical vulnerabilities need to be resolved immediately, whereas moderate or low severity security issues that can be mitigated or are less likely to be exploited, are not as time sensitive.”
Patching doesn’t have to be complex and time consuming, but without the right tools, it certainly can be, Mukkamala said.
“By leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence technologies, organizations can understand what is being actively exploited so risk response is performed based on threat priorities,” he said.
Proper patching starts with understanding what devices and software are deployed across the organization, Mukkamala said.
“You must know what’s out there in order to properly prioritize what needs to be patched,” he said. “MSSPs and other cybersecurity providers can assist in this process by providing guidance on vulnerabilities and prioritization, but it really comes down to the organization taking the process seriously.”
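The prioritization Mukkamala describes (first know what is deployed, then rank by what is actually being exploited, by severity and by exposure) can be expressed concretely. The following Python script is an added example written for this page; it is not Ivanti's code or any vendor's product logic. The host inventory, the vulnerability feed and the "actively exploited" set are constructed sample data embedded inline so the script runs offline, although the CVE identifiers, affected version ranges and CVSS scores used are the published ones; a production version would pull the feed from a vulnerability database and the exploited set from a source such as CISA's Known Exploited Vulnerabilities catalog, and would build the inventory from real asset discovery rather than a hard-coded dict.

```python
"""Risk-based patch prioritization over a software inventory (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version that is no longer affected
    cvss: float


@dataclass(frozen=True)
class Host:
    name: str
    internet_exposed: bool
    installed: dict   # product -> installed version string


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    product: str
    cvss: float
    tier: int         # 0 = patch now ... 3 = schedule in normal window
    reason: str


_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(v: str) -> tuple:
    """Tokenize a version so that 1.1.1j < 1.1.1k and 1.9.5p1 < 1.9.5p2.

    Numeric tokens become (0, int) and alphabetic tokens (1, str), so mixed
    tokens never compare int against str. Good enough for OpenSSL/sudo-style
    suffixes; it does not model semver pre-release ordering (1.0-rc1 < 1.0).
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(v))


def is_vulnerable(installed: str, introduced: str, fixed: str) -> bool:
    """Vulnerable when introduced <= installed < fixed."""
    k = version_key(installed)
    return version_key(introduced) <= k < version_key(fixed)


def tier_for(vuln: Vuln, host: Host, exploited: set) -> tuple:
    """Actively exploited beats raw CVSS; exposure lifts high-severity findings."""
    if vuln.cve in exploited:
        return 0, "actively exploited in the wild"
    if vuln.cvss >= 9.0:
        return 1, "critical severity"
    if vuln.cvss >= 7.0 and host.internet_exposed:
        return 1, "high severity on internet-exposed host"
    if vuln.cvss >= 7.0:
        return 2, "high severity on internal host"
    return 3, "moderate/low severity"


def prioritize(hosts: list, feed: list, exploited: set) -> list:
    """Match inventory against the feed and return findings, most urgent first."""
    findings = []
    for host in hosts:
        for vuln in feed:
            installed = host.installed.get(vuln.product)
            if installed is None or not is_vulnerable(installed, vuln.introduced, vuln.fixed):
                continue
            tier, reason = tier_for(vuln, host, exploited)
            findings.append(Finding(host.name, vuln.cve, vuln.product, vuln.cvss, tier, reason))
    findings.sort(key=lambda f: (f.tier, -f.cvss, f.host))
    return findings


# Constructed feed: real CVEs and published ranges/scores, but only three entries.
FEED = [
    Vuln("CVE-2021-41773", "apache-httpd", "2.4.49", "2.4.51", 7.5),  # 2.4.50 fix was incomplete
    Vuln("CVE-2021-3156", "sudo", "1.8.2", "1.9.5p2", 7.8),          # Baron Samedit
    Vuln("CVE-2021-3449", "openssl", "1.1.1", "1.1.1k", 5.9),        # TLS renegotiation NULL deref
]
# Constructed "actively exploited" set, standing in for a KEV-style feed.
ACTIVELY_EXPLOITED = {"CVE-2021-41773"}
# Constructed inventory.
HOSTS = [
    Host("web-01", True, {"apache-httpd": "2.4.49", "openssl": "1.1.1j", "sudo": "1.9.5p1"}),
    Host("build-07", False, {"apache-httpd": "2.4.48", "openssl": "1.1.1k", "sudo": "1.8.31"}),
    Host("db-02", False, {"openssl": "1.1.1l"}),
]


def main() -> None:
    for f in prioritize(HOSTS, FEED, ACTIVELY_EXPLOITED):
        print(f"tier {f.tier}  {f.host:<9} {f.cve:<15} {f.product:<13} CVSS {f.cvss}  {f.reason}")


if __name__ == "__main__":
    main()
```

Note what the ordering does and does not do: the internet-exposed Apache host comes first because its bug is being exploited, not because it has the highest CVSS; the same sudo bug lands in tier 1 on the exposed host and tier 2 on the internal build box; and build-07's httpd 2.4.48 and openssl 1.1.1k are correctly left alone because they sit outside the affected range. The version parser is the piece most likely to bite in practice, which is why it is isolated and worth testing against every version scheme in your own inventory.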
Kaspersky has launched a new Ask the Analyst service that allows businesses to reach out to the company’s researchers for their opinions and guidance on cyber threats and security issues on an as-needed basis.
The service covers malware sample analysis, information on malware families or specific threats, dark web intelligence requests, and further detail on published Kaspersky Advanced Persistent Threat (APT) intelligence reports. It also gives customers’ existing IT security teams direct access to Kaspersky expertise.
Alexander Liskin is head of anti-malware research at Kaspersky.
“The new Ask the Analyst service provides timely access to Kaspersky research experts,” he said. “This opportunity will help our partners to increase revenue from threat intelligence deals, raise the effectiveness of their monitoring and response services (MSSPs) and enable them to strengthen customers’ threat intelligence capabilities.”
Every piece of security information, from what cybercriminals are discussing on underground forums to how to protect against exploitation of a specific vulnerability, can be essential in defending organizations against advanced threats, Kaspersky said. Organizations that can’t discuss their findings with peers may still benefit from consulting an industry professional.
“We see a growing number of cybersecurity threats,” Liskin said. “An example is an unprecedented increase in the amount and insolence of ransomware attacks. Many companies have realized the importance of threat intelligence, and the need for awareness of attackers’ tactics and tools. However, threat intelligence requires good practical application, while hiring and training cyber threat experts is extremely expensive, and not every company can afford it. Kaspersky employs more than 200 world-class analysts and experts with experience in cyberattacks investigation in different countries and industries. This service allows our customers to get quick access to advice from our experts through a single entry point.”
Palo Alto Networks has announced its first distribution partnership with Ingram Micro.
Ingram Micro will distribute Palo Alto Networks’ Okyo Garde cybersecurity solution to its VARs and technology solutions providers. They will bring Okyo Garde to small businesses across the United States.
Last month, Palo Alto Networks announced Okyo Garde, a new cybersecurity offering that combines hardware, software and security services in one subscription. It’s tailored for small businesses and workplaces that include the office and home.
Karl Soderlund is Palo Alto Networks’ senior vice president of worldwide channel sales.
“Over the coming months, we will jointly enable over 1,000 mutual partners across several categories including VARs, MSPs and online resellers to help us reach every corner of the U.S. market,” he said.
Palo Alto Networks will offer channel-specific financial incentives to enhance partner profitability, and a channel-specific training and enablement platform to best prepare partner teams to win in this market.
“Future strategic channel partnerships for Okyo are expected from Palo Alto Networks later this year,” Soderlund said. “Okyo for Enterprise will be available to all Palo Alto Networks NextWave partners in the U.S. starting in early 2022.”
Ingram Micro is an ideal and committed partner, with deep supply chain experience and a long track record of bringing networking and technology solutions to its partners, Soderlund said.
“We have a strong, longstanding relationship with Ingram,” he said. “They know our space and the channel we do business with, and will help a broad category of mutual partners bring world-class security capabilities to small businesses.”
A proposed law, the Ransom Disclosure Act, would give ransomware victims 48 hours to report ransom payments, including type of payment, to the federal government.
U.S. Sen. Elizabeth Warren and U.S. Rep. Deborah Ross introduced the Ransom Disclosure Act this week. The bill would give the Department of Homeland Security (DHS) data on ransomware payments, with the aim of bolstering the federal government’s understanding of how cybercriminal enterprises operate and building a fuller picture of the ransomware threat.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” Warren said when announcing the bill. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises, and help us go after them.”
U.S. Unprepared to Fight Ransomware
Ransomware attacks are becoming more common every year, threatening national security, the economy and critical infrastructure, Ross said.
“Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” she said. “The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back. The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation.”
In addition to the ransom reporting requirement, the Ransom Disclosure Act would require the DHS to:
Commission a study on the relationship between ransomware and cryptocurrency.
Make public certain information about ransomware from the past year.
Establish a site for individuals to voluntarily report ransom payments.
Cybersecurity Experts Have Their Say
Cybersecurity experts have varying thoughts on the legislation.
Tim Wade is technical director and CTO at Vectra.
“While studying and facilitating the voluntary reporting of ransomware payments both sound to be well within reasonable bounds, I question the prudence of compelling non-voluntary disclosure by private parties who determine that such disclosure is not in their best interests, or the best interests of their stakeholders and shareholders,” he said. “Such actions would appear to weaken some standards of privacy, fairness and liberty with respect to individual protections and the choices individuals may make with respect to their best interests within their rights.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.