Bench + Bar of Minnesota

Gloves off: The upcoming national cybersecurity strategy

By Mark Lanterman

As we have all learned by now, no organization can ever be assured that it is immune to cyber threats and their associated risks. The best technological defenses, the best education programs, and even the best leadership cannot perfectly account for every contingency; as our digital world changes, so too do the possible vulnerabilities and attack methods. These realities are no less pressing on a national level, prompting past presidential administrations to address cybersecurity issues with varying degrees of success. But a new strategy may exemplify a modern approach that improves upon past policies and takes the current technological landscape into account. 

At the time of this writing, President Biden appears likely to soon approve “a policy that goes much farther than any previous effort to protect private companies from malicious hackers—and to retaliate against those hackers with our own cyberattacks.”1 In response to the astronomical degree of risk facing U.S. organizations, particularly critical infrastructure sectors, this policy contains mandatory regulations and “authorizes U.S. defense, intelligence, and law enforcement agencies to go on the offensive, hacking into the computer networks of criminals and foreign governments, in retaliation to—or preempting—their attacks on American networks.”2 

In contrast to older strategies—which companies regarded as guidelines or suggestions, or which were purely defensive—this document proposes a much more proactive approach, granting unprecedented leeway to U.S. agencies. The failures of past strategies, particularly measures that were presented as strongly encouraged but ultimately voluntary, have helped to shape the Biden administration’s viewpoint on what is required to truly have a positive impact. This take-charge outlook, which will likely form the basis of the soon-to-be-released policy, was already on display in a recent undertaking by the FBI.

At the end of January, it was announced that the FBI “had secretly hacked and disrupted a prolific ransomware gang called Hive, a maneuver that allowed the bureau to thwart the group from collecting more than $130 million in ransomware demands from more than 300 victims.”3 Rather than work to seize payments that had already been made by victims to the attackers, the FBI preemptively intervened to keep payments from being made in the first place. At a news conference to announce the operation, Deputy U.S. Attorney General Lisa Monaco stated, “Using lawful means, we hacked the hackers.”4 She explained that the strategy was focused on combatting cybercrime by any means possible, prioritizing prevention and the defense of victims. The success of this investigation is surely a win against the ever-present threat of ransomware, with the Hive variant being one of the most dangerous and prolific.5 Perhaps most importantly, it signals a new, empowering attitude toward cybersecurity. 

The National Cybersecurity Strategy is also set to strengthen the security of the nation’s critical infrastructure by making mandatory regulations that have previously been voluntary. The expense of improved cybersecurity policies alone has been a significant deterrent for many companies, and problems with creating a uniform set of rules for each industry to follow have hampered successful implementation.6 But from what we know at the time that this article is being written, it would seem that these issues are not only being addressed in the upcoming document; they are helping to shape the administration’s hardline stance and its plans for moving forward from past problems and ambiguities.

We need only look to the headlines from recent years to understand why this strategy was formulated. From fears of a nation-state-sponsored attack campaign amid the war in Ukraine, to the Colonial Pipeline hack that affected travel7 and caused a national panic, to the ransomware attacks that have cost organizations millions, it is no wonder we need a fresh perspective. Within our own organizations, we can also (figuratively, of course!) “hack the hackers”—staying apprised of cyber threats, working to be good reporters and documenters of cyber incidents, and striving for a security posture that goes beyond compliance. 


Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board. 


 

Notes

1 https://slate.com/news-and-politics/2023/01/biden-cybersecurity-inglis-neuberger.html

2 Id.

3 https://www.reuters.com/world/us/announcement-posted-hive-ransomware-groups-site-says-it-has-been-seized-by-fbi-2023-01-26/

4 https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-remarks-disruption-hive-ransomware-variant

5 https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

6 Supra note 1.

7 https://www.cnn.com/2021/05/11/business/american-airlines-fuel-stop-colonial-pipeline-shutdown/index.html

