The FBI and Justice Department upped the ante on the rhetoric around ransomware attacks on Thursday and Friday, telling a number of news outlets that cyberattacks will be treated with almost the same level of concern as terrorist attacks.
Christopher Wray, the director of the FBI, compared the government's fight against ransomware to the situation the country faced after 9/11 in an interview with The Wall Street Journal. He added that the FBI has identified nearly 100 different types of ransomware, each of which has already been implicated in attacks.
He also took direct aim at the Russian government, singling them out for harboring many of those behind the different brands of ransomware. But he also revealed that the FBI has had limited success working with some private-sector cybersecurity officials in obtaining encryption keys without paying any ransoms.
The comments came after three significant developments in the government's response to the recent wave of ransomware attacks on companies in critical industries like Colonial Pipeline and global meat processor JBS.
Anne Neuberger, deputy assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, sent a letter to private sector leaders on Thursday urging them to prepare for potential attacks and implement a number of security measures to prevent an incident.
Senior Justice Department officials then told Reuters that memos had been sent out to all US Attorney's Offices explaining that ransomware attacks would be investigated in a manner similar to incidents of terrorism.
Technology journalist Kim Zetter shared a snippet of a memo sent by Deputy Attorney General Lisa Monaco that said urgent reports should be filed whenever a US Attorney's Office learns about a new ransomware attack. The memo adds that officials should notify a newly created ransomware task force about any new developments in cases, potential emergencies, or incidents that will "generate national media or Congressional attention."
"Urgent Reports should be submitted, for instance, when a United States Attorney's Office learns of a ransomware attack on critical infrastructure or upon a municipal government in their District," Monaco wrote.
Reuters reported that the new guidance also said senior Justice Department officials need to be notified of any cybercrime cases involving cryptocurrency exchanges, botnets, digital money laundering, illicit online forums, "bulletproof hosting services" and counter anti-virus services.
Rep. Jim Langevin told ZDNet that the memo from Neuberger was a sign that President Joe Biden was taking the ransomware incidents seriously, but he urged the White House to give CISA more power to issue similar guidelines.
"The advice in the White House memo is sound, and I hope corporate leaders will adopt a more risk-informed cybersecurity posture as soon as possible," Langevin said. "However, I also hope the President will follow Congress's direction and empower CISA to make similar recommendations moving forward."
Cybersecurity experts said that while the guidance from the White House was helpful, it did little to address the underlying problems thousands of organizations face when trying to protect themselves.
Robert Haynes, open-source evangelist with Checkmarx, said it was critical for organizations to identify the impact of the loss of different systems on their ability to operate.
For most businesses, Haynes noted, the threat of a ransomware attack, the cost of the ransom itself, and the huge impact on operations should be motivation enough to take these threats extremely seriously.
"The primary focus needs to be on prevention, and then mitigation assuming a total loss of systems. Leaders should be aware that the recovery time will involve rebuilding systems and restoring data, even with a successful recovery of encrypted files," Haynes said. "The risks are real and the disruption, no matter how good your data protection solutions are, can be costly."
Dirk Schrader, global vice president at New Net Technologies, suggested the government find a way to make it a requirement for organizations to report any case of ransomware to authorities and strongly discourage ransom payments.
But he noted that companies may not be willing to report a ransomware incident if that will delay the return to normal operations.
Kevin Breen, director of cyber threat research at Immersive Labs, explained that valuable advice from the White House, like having offline backups, was nice to say but can cause friction within enterprises because they are typically hard to implement and costly. The same goes for other guidance shared by Neuberger like network segmentation.
"If you're not already doing it, implementation may be complex," he said, adding that incident response tests will be key for preparing any organization for an attack.
"These need to be done with a higher cadence than traditionally, and across the entire workforce to take into account the impact on technical, legal, communications and other cross-functional teams."
The Justice Department's efforts to create a centrally coordinated response will give authorities a deeper pool of evidence and data while also helping with the identification and targeting of the entire chain, Breen added, noting that it may also help add legislative teeth to mitigation efforts.
Breen went on to say that the other measures being taken by the FBI and Justice Department were happening because ransomware gangs had "poked the sleeping giant one time too many."