One day after President Trump signed his long-awaited cybersecurity executive order, a global ransomware attack infected more than 200,000 computers and affected more than 100,000 organizations in more than 150 countries. The malware attack — known as WannaCrypt, Wanna Cry, or Wana Decryptor — created systemic failures across some critical industries in Europe and triggered the first-ever use of EU-mandated cyberattack response mechanisms.
For the moment, the United States has been largely spared, perhaps due in part to amateurish mistakes made by the attackers. But we have almost certainly crossed the Rubicon in terms of quick-moving, globally disruptive ransomware attacks. And American companies should prepare accordingly.
A ransomware attack involves launching malware onto a computer or mobile device that encrypts files on the device (and possibly on any networked devices) until the victim pays a ransom for the decryption key to unlock the files. The malware in the recent attack appears to have been launched onto individual computers primarily by spear phishing emails. It then exploited a Microsoft Windows vulnerability that allowed it to propagate across computers connected to local networks.
Thus, instead of infecting just one computer, this variant of ransomware infected all computers that were networked with an infected computer — an attack type that is much more dangerous and increasingly common. The damage and extent of this attack prove that an organization’s cybersecurity is only as good as each individual user. It also illustrates that having a cybersecurity budget does not necessarily result in security if organizations fail to practice basic cyber hygiene, such as quickly patching critical vulnerabilities in operating systems.
With approximately 70 separate cybersecurity and data breach related bills introduced so far in the 115th Congress, whether this attack serves as an impetus for strong congressional or regulatory action remains uncertain, at best. This week’s House passage of a bill creating the National Computer Forensic Institute is a step in the right direction. Like other legislative and regulatory measures to date, though, it will not prevent or assist organizations in responding to quickly metastasizing malware attacks.
Fundamental steps for building a stronger, more integrated response strategy for ransomware and other quickly spreading malware-based attacks are scattered across federal and state laws and regulations, agency guidance, and industry best practices.
Key components of the strategy revolve around identifying, assessing, and managing risk associated with foreseeable cyberattacks. Using the results of cyber-risk assessments, each organization must build and constantly improve a risk-based information security program that specifically incorporates malware-based defenses and response strategies. All system users should be trained and tested on recognizing and avoiding the most common malware attack vectors, including spear phishing emails, other social engineering-based attacks, and drive-by website compromises. It is vital to share threat information with public and private sector entities, and with individual users where appropriate.
The best defense against a successful ransomware attack is a daily backup of all sensitive data, stored in a separate, secure location not connected to the internet. This allows victims to return to normal business operations quickly, while avoiding any payment of the ransom — thus defeating the financial objective of the attack. It is also essential to implement robust anti-malware technical controls, including patching, security software updates, limiting downloading activity, strong password policies, multi-factor authentication for remote access, “least privilege” user access, encryption of sensitive data, and intrusion detection and prevention systems.
Ransomware incident response plans must build on more general response strategies. Each entity should build scalable internal and external response teams experienced in responding to extortionate malware attacks. The plan must outline key containment, remediation and investigative steps based on scenarios built around known attacks and malware. It also must establish escalation thresholds for internal notification of different levels of management, the board of directors or equivalent, employees, partners, and other impacted parties, and for external notification of business partners and the supply chain, the media, customers, governmental entities (including law enforcement agencies and regulators) and others who may be impacted. These thresholds must consider all legal obligations and rights under statute, regulation, contract and common law in the event of a ransomware attack. Internal and external communications plans and platforms should be set in advance.
The game plan also must account for two critical issues. First, the organization must decide — ideally before an attack occurs — under what, if any, circumstances it will pay a ransom, including setting amount limits and establishing a means of obtaining and making payment in virtual currency. It must also prepare alternate communications, operations, and investigative protocols and infrastructure for use during an attack that compromises or disables devices, data, or systems.
Unfortunately, no legislation will eradicate cyberattacks and we’ll never be able to prevent all ransomware attacks. But we can better understand and prepare for these threats, so we can respond effectively and efficiently when they arise.
Edward J. McAndrew is a former federal cybercrimes prosecutor and current partner at Ballard Spahr. Kim Phan is a data security lawyer at Ballard Spahr.
The views expressed by contributors are their own and are not the views of The Hill.