Where CISA’s ransomware tool falls short and what to do about it
US technology is under attack. Nearly every category of cybersecurity has been breached in every corner of our economy and way of life, and according to a survey by Sophos, the average cost to mitigate an attack in 2020 was $1.85 million. Increasing numbers of cybersecurity professionals believe the federal government and local law enforcement have a role in policing and protecting our environments from the new and wild domain of Internet security.
In the latest attempt to demonstrate value to the citizenry, the US federal government offered a new “assessment” tool, through the Cybersecurity and Infrastructure Security Agency (CISA). The Ransomware Readiness Assessment (RRA), the latest module of the Cyber Security Evaluation Tool (CSET), purports to help organizations understand their cybersecurity posture and improve that standing.
This new tool, and the whole concept of government-sponsored technological applications, leaves more questions than answers. Let’s take a closer look at how this tool falls short and what we really need to make progress against ransomware.
A Deeper Look at the Threat
According to Chainalysis, victims paid nearly $350 million in ransom via cryptocurrency in 2020, a 311% increase over 2019. Recent attacks, such as those on Colonial Pipeline, which led to consumer panic in the gas industry, and on JBS Foods, show how ransomware groups are strategic in their targeting. Unless you have a security tool that specifically looks for precursor infections like Trickbot or Emotet, these often go undetected, leaving many companies vulnerable.
While there are certainly national security issues that come with ransomware — North Korea and Russia are in the US’s crosshairs — to get to the crux of the issue, you have to follow the money. It requires a complex solution, far more nuanced than the RRA.
Since the RRA only shows whether ransomware is present in any given moment, it doesn’t account for any future exploited vulnerabilities. By dipping its toe in the water of a company’s security operation, the federal government should also share responsibility. Is the CISA now responsible for knowing whether ransomware is present? Is this government agency joining the competitive industry of reviewing for compliance?
To read the complete article, visit Dark Reading.