Ransomware ‘wake-up calls’: We keep sleeping through the threats

The recent ransomware attacks on Colonial Pipeline and JBS were called “wake-up calls” by various people in the U.S. government and industry. Supposedly, shutting down the flow of oil to the East Coast and stopping meat from being delivered was all of a sudden critical enough to get national attention on cybersecurity. President Biden and other government officials made statements addressing the problem, so clearly it is a national concern. Yet, history shows the U.S. government and industry will hit the “snooze button” again on the wake-up call.

Yes, the hit to the economy from the Colonial Pipeline ransomware was immense. It also highlighted the vulnerability to U.S. critical infrastructures. It may seem like something the nation has never experienced before, but we have. In fact, we experience such wake-up calls several times a year and, sadly, we forget about them. 

I have been involved in the intelligence and cybersecurity world for more than 35 years. The first wake-up call I was familiar with was The Cuckoo’s Egg incident, when East German hackers used the fledgling internet to steal top secret information. In 1988, we had the Morris worm, which shut down one-third of the internet at the time. In 1991, a telephone network in the Northeast of the U.S. went down due to a computer error that launched a crackdown of known computer hackers throughout the country. In a 1994 incident, a Russian hacker stole $10 million from Citibank. In 1998, U.S. government officials claimed they were experiencing the most coordinated, sophisticated cyber attacks they had ever seen, and it turned out to be a couple of teenagers from California using a tool they downloaded from the internet to scan Department of Defense websites. In 2000, we had the Mafia Boy denial of service attacks that shut down the top websites in the world.

Those attacks, among countless others, caused more than $1 trillion worth of damages.

Yet, all of these so-called wake-up calls were merely met with the snooze button. Just like the incidents that came before them, the hacks against Colonial Pipeline and JBS will likely be forgotten. 

Fortunately, the FBI recovered $2.3 million of the Colonial Pipeline ransom. Unfortunately, that was primarily due to the high visibility of the attack and the criminals likely being stupid in how they laundered the money. While it is welcome news that the Biden administration is requiring some industries to improve their cybersecurity, encouraging countries to better track cryptocurrency, coordinating ransomware investigations and stressing to industry that they need to improve their basic “cyber hygiene” (the term for implementing basic cybersecurity practices), all of this is unlikely to have a significant impact. The better organizations are already doing a great deal on this front. But many organizations don’t even know what basic cyber hygiene actually means, nor do they have the people or funding readily available to implement it. 

Besides imploring industry to do better, there is little the U.S. government is in a position to do. Computer crimes are among the least likely to successfully be prosecuted. Reportedly, only .003 percent of computer crimes are prosecuted. 

Cyber criminals in the U.S. are rarely prosecuted, let alone those in Iran, Russia, North Korea, or elsewhere. Even when they aren’t sponsored by the foreign government, it is highly unlikely that they will be bothered. 

It is important to understand the criminal mindset. They see an opportunity and the likelihood that they will not get caught, so they commit their crimes even if they have minimal technical ability to commit it. In countries like Russia and Iran, the crimes they commit are technically not crimes; computer crime not committed against their home country is treated as a valid job.

Ironically, Vladimir Levin, who I helped investigate in the Citibank hack, was captured while transiting at London Stansted Airport, after he was tricked into leaving Russia. I interviewed Alexey Ivanov, a Russian hacker who extorted dozens of U.S. companies through computer crimes, for my book, “Spies Among Us.” He sincerely wanted a legitimate job, and he was tricked into coming to the U.S. for a job interview. Decades ago, both men looked at computer crime as a legitimate occupation in Russia, and that is the case to this day.

If economic sanctions are lifted, Iran may be tempted to cooperate to stop cyber crimes; North Korea is a lost cause. At the moment, there is little to incentivize Russia to prosecute cybercriminals within its borders. Even if the U.S. puts some form of pressure on Russia to crack down on cybercriminals, the crackdown will likely be limited to really heinous crimes or imposed on a few criminals who do not have the right connections and do not pay bribes. 

Even if we were to stop Russian hacking, China is reportedly the largest source of computer crime. 

None of this forgives the current hacks in question perpetrated by Russian cybercriminals and that Russia is still a significant source of cybercriminals. However, focusing on this month’s hacks as a “wake-up call” — and the government’s encouragement of industry to do better, even with some more active countermeasures — is basically hitting the snooze button yet again.

Ira Winkler, CISSP, is chief information security officer at Skyline Technology Solutions and the author of six books, including, “Advanced Persistent Security.” He is a former National Security Agency (NSA) intelligence and computer systems analyst and is on the adjunct faculty for the University of Maryland Baltimore County Center for Cybersecurity, which has been recognized by the NSA as a Center of Academic Excellence for cybersecurity.