Tech Refactored Ep. 20 - TR/∂T - The Colonial Pipeline, Ransomware, and Cybersecurity with Jacob Tewes

Tue, 05/25/2021

This post is a summary of Episode 20 of The Nebraska Governance & Technology Center’s (NGTC) Podcast Series, Tech Refactored. Host Gus Hurwitz, Director of the NGTC was joined by Jacob Tewes, Commercial Counsel at Skydio.

On May 7, 2021, the Colonial Pipeline, a massive pipeline that carries gasoline and jet fuel from Houston, Texas to the southeastern United States and beyond, suffered a ransomware attack that forced the company to shut down the pipeline's operations. Within hours, the company paid the ransom demand, a sum of 75 bitcoin (presently valued at roughly $2.8 million), in order to regain access to its computer systems; pipeline operations nevertheless did not resume until May 12. The attack is part of a larger trend of increasingly frequent ransomware attacks; indeed, such attacks increased 150% over the course of 2020.

Tewes discussed a few recent trends in ransomware attacks, which generally date back “5-7 years at this point.” While early ransomware focused only on encrypting a victim's files and deleting the originals, ransomware operations have now added an “exfiltration” element: they copy a system's files out of the network before encrypting or deleting them. This adds an extra threat, in that the ransomware group can threaten to release the company's files on the dark web - files that might contain proprietary information or embarrassing material, including internal emails that may be unflattering or even expose the company to legal liability.

Another “innovation” within the ransomware space has been the advent of a model called “ransomware as a service.” For example, an individual who works at a company and has access to that company's network can partner with a ransomware outfit like DarkSide, providing access to the company's network for the ransomware operators to penetrate, in return for a cut of the proceeds. As Tewes explains: “you provide the target, they provide the tool.”

One disturbing possibility that Tewes raises is that, in some situations, paying a ransom may be not only cost effective for a company (in fact, that may usually be the case), but it may also be cheaper for a company to maintain a policy of paying ransom demands as they come than to actually spend the money to improve its network security to the point where it can be confident it is insulated from these sorts of attacks. As Tewes puts it, “perhaps it's easiest for a company to say, well, it would cost us $500,000 a year to do our cybersecurity better, and it will cost us $100,000 a year to pay these attackers, so let's just pay the ransomware tax instead of improving our security.”

Another interesting aspect of these criminal enterprises is that trust has evolved into a major component of their business models; that is to say, ransomware operations take pains to establish a “brand reputation” as an outfit that actually does what it says it will with respect to restoring access to a company's data, or refraining from releasing that data after the money has been paid. Some, like DarkSide, even run a “customer support” line, where they work with victims on the logistics of restoring their data and getting their systems up and running.

It's also notable how simple techniques, like sending out phishing emails, continue to be significant points of vulnerability for large companies. Hurwitz explained it this way: “Why do attackers use simple things like phishing emails? It's because they know they're not attacking the systems. They're not hacking the computers as often as they are attacking the users; they know that humans do stupid things. [...] You send [a phishing email] to a thousand people. Three of them are going to click on it. You've just compromised three systems.”

Tewes notes that there have also been a number of relevant changes to the cybersecurity landscape in recent years. One is the practice of companies sharing vulnerabilities that they have found and patched in their own software with other companies, in an effort to give them a “heads up” and work together to make their systems collectively more secure. Second, many states require that, when user data has been stolen, companies disclose the theft to the affected users. Along those lines, the state of California has even created a “private right of action” against companies that have failed to secure their data from theft (a private right of action is the legal right to sue another entity for damages on one's own behalf). That individual right to sue a company for failing to protect a customer's data is meant to give companies a powerful incentive to keep users' data secure. The more sensitive the data, the greater a company's potential legal exposure in the event of a breach, because the damages a user might suffer from, for example, identity theft could be substantial.

After the Colonial Pipeline ransomware attack, there has been increasing discussion of the possibility that the government might set up some sort of entity to investigate disruptions to critical infrastructure after they take place. In particular, one possibility that has been discussed is a board modeled on the National Transportation Safety Board (NTSB), the entity that conducts investigations after airline crashes, railroad accidents, pipeline leaks, and the like. This is in part because, in incidents like the Colonial Pipeline disruption, the company has a strong incentive to limit the amount of information that is disclosed, and in many instances the public and regulators may not even be aware that a vital system has been compromised. The challenge then, as Hurwitz notes, is to properly calibrate the scope of such an entity's investigative jurisdiction, so that it is not tasked with digging into every inconsequential incident while still being empowered to conduct investigations when they are warranted.

Without question, ransomware incidents are phenomena that will be with us for some time; the necessary preconditions (global interconnectivity, zero days, safe harbors from which criminals can operate, etc.) and the incentives (enormous sums of money to be stolen) are unlikely to change in the near to medium term. What remains to be seen is whether a meaningful government response is politically feasible and what effect it would have on the prospect of protecting US critical infrastructure.
