Wednesday, October 6, 2021

 Bank Info Security carried a report today that said:

Speaking at security firm Mandiant's Cyber Defense Summit, Anne Neuberger, who serves as the deputy national security adviser for cyber and emerging technology in the Biden administration, and Gen. Paul M. Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, outlined today's threat landscape, highlighting the ability of malicious actors to penetrate federal and corporate networks.

Both federal officials underscored the threat of ransomware on everyday commerce and its ability to alter and shape foreign policy. Asked to predict whether network defenders will be forced to combat ransomware five years down the road, Nakasone answered frankly, "Every day."

The two crimes that established the reputation of the FBI were "white slavery" and "protection." The latter of course was extortion. We do not hear much about either anymore. We should hope for the same result from law enforcement for ransomware. I will continue to hope and work for political pressure. I do not accept that government can simply wash its hands of the problem.

That said, even if I am right, it is not likely to happen anytime soon. It is clear that today's cybersecurity is not sufficient in light of the rate of successful ransomware attacks. I have argued that we need to raise the cost of attack against our systems roughly tenfold. Start with strong authentication and work toward the so-called "zero trust" model, in which every process restricts access to itself, protects itself from any process that can see it, and authenticates every process with which it interacts.

In addition, one must implement new backup and recovery strategies. Current strategies were based upon the assumption that we would have to recover a small number of files from errors, device failures, or once-in-forty-year catastrophes. We now need strategies that enable us to recover entire enterprises in hours to days. At a minimum, plan to recover each essential application, not merely files, and to do it in the time appropriate for that application. For some mission-critical applications that time may be measured in minutes to hours.

Plan for a successful attack on third parties on which you are dependent. Consider single points of failure and plan on how to use alternate sources.

It is a target-rich environment, and not every enterprise will be breached, but one should plan for an attack as often as every year or two. This is a "bet your business" risk, and hope is not a strategy.



  1. One of my latest presentations ( discusses your two points on increasing the attacker's barrier to entry - think of NIST CSF's tenets of Identify, Protect, Detect - and the need to focus on recovery point objectives (RPO) as well as return to operations (RTO) - NIST CSF's tenets of Detect, Respond, Recover.