CISA exec: Lack of ransomware incident reporting is crippling defense efforts
The severe lack of ransomware incident reporting in the U.S. is hampering efforts by the government to not only protect organizations and businesses but also take retaliatory measures against the gangs launching attacks, according to a senior official at the Cybersecurity and Infrastructure Security Agency (CISA).
Eric Goldstein, executive assistant director for cybersecurity at CISA, spoke at length on Tuesday about how damaging the lack of data on ransomware attacks in the U.S. is for organizations like his.
“A tiny fraction of ransomware infections are reported to the government and the problem is getting worse because we don’t even know what that actual number is. We have no idea the actual denominator of ransomware intrusions that are occurring across the country on any given day,” Goldstein explained.
He noted that the lack of reporting means CISA struggles to know what most ransomware groups are doing once they break into organizations. He went down a list of things CISA would have greater visibility into if it had more information on the spate of ransomware incidents.
According to Goldstein, more data would allow CISA to share indicators of compromise, unique infrastructure characteristics, unique TTPs and specific CVEs used before attacks.
Right now, Goldstein said CISA is doing this “in a speculative way based on a sample of data that may or may not reflect what is actually happening on the ground.”
“The more that we have that virtuous cycle between the cyber defense community, where we have ongoing, ideally real-time reporting of the intrusions or the attempts that are happening, we can help work that from a cyber defense standpoint,” Goldstein added.
“We can share broadly and protect others but we can also feed that in an anonymized way to the other parts of government, where we can be much faster in figuring out who are the humans executing these attacks, what is the infrastructure they are using, and how are they funneling money from the victims to the point when they can turn it into fiat currency to do what they want to do.”
Even unsuccessful ransomware attacks can offer experts key technical information on intrusions that could help other victims, according to Goldstein, who said law enforcement, the Treasury Department and other U.S. government bodies could take a range of actions if provided with more concrete information.
Part of the effort to stop ransomware attacks is cost imposition on the groups behind the incidents, and this can only be done if agencies get more data on attacks, Goldstein added.
Greater incident reporting would also give CISA a chance to render aid and help organizations struggling to respond to a ransomware attack.
“We really can’t fully execute that virtuous cycle between defense and cost imposition without better reporting. It also means that if we’re trying to promulgate the right actionable guidance to say, ‘If you’re an organization, make sure you patch these CVEs first, make sure you put in place these controls before any others,’” Goldstein told the audience.
“We’re not doing that in a data-driven way.”
No time to wait for incident reporting rules
Two weeks ago, Senate Homeland Security and Governmental Affairs Committee chairman Gary Peters (D-Mich.) and other senators repeatedly lamented the lack of data on ransomware attacks in a 51-page report.
The study said ransomware attacks impacted at least 2,323 local governments, schools, and healthcare providers in the U.S. in 2021, but noted that the figure is a severe undercount considering how few ransomware attacks are reported. CISA told the Senate that only about one-quarter of ransomware attacks are reported.
A cyber incident reporting bill was passed and signed into law earlier this year, but it only covers critical infrastructure organizations. Those organizations have to report breaches to CISA within 72 hours and report ransomware payments within 24 hours.
The law also grants CISA the power to subpoena entities that don’t report a cyber incident or ransomware payment.
CISA has two years after passage of the Act to issue the notice of proposed rule-making and another 18 months to issue the final rule, meaning it may be years until the reporting requirements officially take effect.
On Wednesday, Goldstein said organizations and the government cannot wait for the official rules to come into effect.
“We have to catalyze reporting of incidents now because that’s the only way that we’re going to actually get in front of this threat from a cyber defense context and enable the kind of targeted, rapid cost imposition that’s actually going to cause some real deterrence among these adversaries,” he said.