On October 13, the White House released a Fact Sheet updating the public on the U.S. government’s multifarious efforts to address the global ransomware threat. For companies considering their exposure to ransomware risks, and options for preparing, there are a number of insights to be gleaned from the release. Companies can take several steps to prepare now to better position themselves for the ongoing threats presented by ransomware actors and the emergent regulatory environment the government is constructing.
The Fact Sheet describes federal activities along four lines of effort and calls on private sector actors to “modernize their cyber defenses to meet the threat of ransomware.” Unstated are several additional themes that bear upon private sector considerations for the way the ransomware landscape, and engagement with the federal government, will evolve.
The Fact Sheet notes that the federal government is pursuing efforts along several lines:
- Disrupt: The government is working to damage ransomware infrastructure and actors by applying the “full weight,” (into which, read, all tools of national authority) of U.S. government capabilities to disrupt the ransomware ecosystem. The Fact Sheet lists specific law enforcement, intelligence community, and sanctions efforts to fight back against threat actors.
- Strengthen: The government seeks to enhance the ability of the private sector to withstand attacks. It has made specific calls to the private sector to bolster their own defenses by investing more in security and is pursuing several specific initiatives to prod further action. The Fact Sheet points to the Spring-time launch of a voluntary Industrial Control System Cybersecurity Initiative involving the implementation of specific security technologies, and which began with the electricity sector, but is now expanding to the natural gas pipeline and water sectors. The Administration also issued two directives implementing certain reporting and security requirements on pipeline owners and operators and sent an open letter to CEOs urging that certain security practices be observed. Finally, among other initiatives, the National Institute for Standards and Technology (NIST) is developing a Cybersecurity Framework Profile for Ransomware Risk Management that will be intended to provide industry best practice guidance on preventing, responding to, and recovering from ransomware events.
- Virtual Currency: The government is seeking to limit the use of virtual currency to effect and launder ransom payments. Actions here include the government sharing indicators and typologies of virtual currency misuse with the financial sector and sanctioning a variety of virtual currency wallets and (so far) one exchange operator.
- International Cooperation: Finally, the government is leveraging international cooperation to disrupt the ransomware ecosystem and address the safe harbors provided to malfeasant actors in a number of foreign jurisdictions. The activities in this realm sound more in international diplomacy, including technical assistance for states in positions to influence the ecosystem and direct engagement with states known to harbor threat actors.
With respect to each of these categories, there are certain implications for private parties that will shape the future legal and compliance landscape pertaining to the ransomware threat, and for which such parties can work to position themselves in advance.
- Disruption: Federal efforts to disrupt the ransomware ecosystem require technical insights into such actors’ tactics, techniques, and procedures. Corporate victims and service providers to those victims will be the primary source of such information. Commensurate with recent efforts on the Hill to draft legislation requiring heightened information sharing by companies with the government, companies (especially those in critical infrastructure sectors) should expect increasing pressure to disclose information relating to ransomware events.
- Disclosure Control Practices: To prepare for potential mandatory reporting about cyber incidents, companies would do well to shore up their internal compliance practices, including disclosure control procedures of particular interest to the SEC. Even where such obligations are not driven by public reporting obligations, corporate management will want the confidence that events are being identified and escalated up the chain to enable sufficient, timely decision-making.
- Technical Visibility: Regardless of whether they are a public reporting entity, companies suffering a ransomware attack will be best positioned to respond when they have near instantaneous visibility into their systems and which assets and information are potentially affected. Such visibility must be invested in and built over time.
- Sharing Protocol: Companies will also want to proactively consider how they are prepared to share information with the federal government. Doing so frequently requires sufficient controls and processes to strip technical data about threat actors from all personally identifiable information about customers and employees (or other third parties), as well as identifying and removing trade secrets or other proprietary corporate data not relevant to the government’s understanding of threat actors. Such mechanisms help ensure compliance, as well, with potentially applicable data privacy laws.
- Strengthening: In articulating technical security requirements through the various strengthening initiatives mentioned above, the government may be seeking to establish an informal floor to inform industry best practices. There is the risk that the government, or private litigants, may seek to criticize companies that do not meet such standards. Thus, companies should consider the following:
- Review and Assess: Closely monitor the pronouncements emerging from the federal government and establish a discipline of synchronizing legal assessments of such standards with technical implementation choices by security staff. For certain critical infrastructure entities, more concrete compliance obligations already exist, such as the new TSA pipeline directives released in the wake of the Colonial Pipeline experience. Yet, even parties not subject to such requirements would benefit from considering those and other related pronouncements and assess their relevance to their own practices.
- Public Reporting Implications: The SEC’s Chairman Gary Gensler has recently announced a focus on cyber hygiene. While the SEC has provided prior general guidance about materiality with respect to cyber events, some of the Administration’s recent announcements may influence the standards SEC develops over time to assess such hygiene. Public reporting entities, therefore, should take particular note and consider the potential for SEC engagement in their oversight and review regimen.
- Internal Frameworks: Companies not already accustomed to using the NIST Cybersecurity Framework, or some analogous risk management structure, should consider these overarching philosophical approaches for conceptualizing risk and communicating about it to executives and directors who will make investment decisions impacting technical choices. Because, as mentioned above, NIST will be releasing new guidance relating to ransomware defense, such executives and directors may put themselves in a stronger position by seeking to understand how their own organizations could implement similar practices (or already meet them).
- Virtual Currency: The Administration is targeting virtual currency exchanges subject to exploitation in laundering funds. Companies with crypto currency exposure should consider:
- Crypto Compliance Regimes: The common affiliation of crypto with nefarious cyber activity, notwithstanding the many legitimate business purposes such assets present, also creates risk that the enterprise could be caught up in illicit transactions or engagements with nefarious actors (even distinct from an attack). Companies can seek to mitigate such risks by incorporating crypto forensic and transparency efforts – understanding their own crypto activities and the risks presented by their counterparties – into established compliance policies and procedures.
- Ransomware Payments: Companies would also benefit from early thinking about their own willingness to make a ransom payment and take reasonable steps to avoid the possibility of having to make such payments. The Administration is showing a rising distaste for ransom payments, evidenced by OFAC having recently made the strongest statement yet by any U.S. government agency discouraging such payments. Moreover, draft provisions in proposed legislation would compel companies to prove they took reasonable steps to consider all alternatives to making such payments. The payment calculus is all about creating options, and options are primarily created by technical and policy measures taken well in advance of a particular event. Reading the various actions regarding increasing mandatory requirements and discouragement of payments together, the trendline is increasingly towards government distaste for payments that may eventually result in far more onerous and punitive responses to companies caught in a ransomware situation. Acting now in advance of such heightened constraints can save costs and effort in the long term.
- International Cooperation: In the international sphere, initiatives are largely within the government’s domain. Nonetheless, as is the case with disruption efforts, the government will be seeking pertinent information to assist with its pursuits.
Conclusion
The Administration’s recent release of a Fact Sheet on ransomware efforts is far more than an interesting public relations piece. Within it lie kernels of ideas and indicators about how the government will increasingly seek to interact with, and make demands on, the private sector. Companies would do well now to prepare for this emergent world.
