Reframing cybersecurity in the 'golden era' of ransomware
Ransomware attacks have targeted hospitals, critical infrastructure and government agencies in recent months. But do cyber events provoke the same response as a physical assault?
Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.
In this video, Sobel conducts a series of thought exercises to highlight differing perspectives on, and responses to, physical and cybersecurity events. The merging of physical and cyber attacks will likely keep the conversation going into 2022.
Transcript follows below. Minor edits have been made for brevity and clarity.
Dave Sobel:
I'm revisiting my thinking on talking about cybersecurity. I want to reframe the discussion.
I've talked about the use of language around cybersecurity. This isn't new. I've said before that if what was happening virtually was happening physically the conversation would be entirely different.
Armed, organized gangs of criminals, coordinated from within the boundaries of Russia, are roaming U.S. businesses, breaking in, using weapons, holding hostages, and demanding ransom. Let that sink in a bit. It's a different set of words, with a different emotional impact, but it is entirely true.
Let's expand this to be full-news coverage and tell the larger story of a typical breach:
Simulated newscast: Today, a gang of criminals broke into a small business. They stole every document within the facility and put it within a locked safe they are now in possession of. They have demanded thousands of dollars for the return of the business.
U.S. law enforcement was notified but is understaffed and underfunded to dedicate efforts to investigate. Due to the international nature of the crime, the criminals are now outside of their jurisdiction. Industry experts called for better training of the staff within the facility and noted that a single error of any employee could result in the total destruction of the business.
Experts also offer a series of locks, cameras and monitoring systems for the facility, all of which must be operated by trained professionals. Those systems provide no guarantee of success, although, if operated correctly, reduce the likelihood of an incident. The lock-maker business has seen explosive growth, and there are now thousands of products within the category.
The situation has reached a point where insurance companies are unwilling to cover businesses from liability, with multiple companies withdrawing from the space. For those able to acquire insurance, premiums are significantly higher than ever before.
Criminals to date have compromised the security of the U.S. government, disrupted fuel distribution across the East Coast of the U.S., have been implicated in the deaths of several under hospital care, among other acts of warfare. Under the terms of the NATO alliance, these incidents have been classified as acts of war, although currently the actors are believed to be independent crime syndicates rather than a single state-sponsored actor.
A golden age?
Think about this story for a moment.
I speak often about the financial incentives as a measure to understand the motivations of players. If you don't think the lock makers are happy with this situation, here's a security provider on stage just recently:
"What we have come to learn is that we are in the golden age right now. If you look at the term golden age, it's looking back at a certain period and saying, 'Those were good times. We weren't at battle with anybody. There was no famine. We were good to go.' Fast forward three years we're all going to be ... looking at 2021, 2022 and going, 'That was a really good year. We really sold a lot that year. We really grew as a company.'"
Now, let me be clear -- this is an onstage, business development person, delivering the trained company line. Let's not shoot the messenger here.
Just let it sink in -- would you say this is a golden age, with record criminal profits ... or is it a golden age for those who are making money on selling locks too?
Because the European Union Agency for Cybersecurity used the exact same language. "We are observing the golden era of ransomware -- it has become a national security priority -- and some argue that it has not yet reached the peak of its impact," -- that's directly from their new paper on the threat landscape.
It feels rather perverse to think about criminals and suppliers considering the same opportunity by a core vulnerability in end customers. A golden era to make money on the suffering of customers.
I cannot get past the fact that if this was physical, the demands for change would seem so different. Let's consider a different framing of the problem. I want to conduct a bit of a thought exercise here.
Again, putting in context the physical damages, what would happen if the U.S. cut countries harboring criminals off from the internet?
Why is it assumed that every country gets the ability to access this resource, no matter what? If citizens break laws in the physical world, they do not get absolute freedom of movement. So why do they virtually? There are countries one simply cannot do business with -- do the thought exercise. Why do we allow this? Why is it assumed every country should get access, regardless of how they operate?
There's a general assumption that this is the world we live in.
If armed gangs of international criminals are actively breaking into businesses under the cover of another country's government, why is our response just to buy better locks for the store? Aren't the lock makers simply better served by this answer? Remember the parallel: a physical world where roving gangs are constantly banging at the door and moving unimpeded.
Because that's what we are currently accepting. Here's another thought exercise for you:
The leader of a criminal organization was executed by Seal Team Six under orders from the U.S. government, under orders as a kill-or-capture mission, based on intelligence linking that individual to crimes committed on U.S. soil. Based on law enforcement investigation linking the organization and its leader to the deaths of American citizens, and without prior notice to the government whose country this individual was residing in, the U.S. deployed personnel and conducted operations within their borders to eliminate the criminal.
As I am sure you have deduced, this was Osama bin Laden.
What if I was just describing an operation to eliminate the leader of a ransomware organization?
Again, context. A leader of a criminal organization disrupts hospitals, fuel distribution, energy distribution and tens of thousands of businesses, all within the borders of a country that is allowing this to happen. That is terrorism.
Why is this different?
Let me be entirely clear here. I am not directly advocating for these to be made into direct actions. In fact, moves like the U.S. State Department creating a Bureau of Cyberspace is how a government makes steps toward this, so it is not a simple escalation to the end state. What instead I am highlighting is that in the case of physical terror, Americans were both accepting and supportive of aggressive action against those criminals responsible.
Yet because it is happening virtually, not only are we not loudly calling for action from leadership, but our answer instead is simply to encourage victims to buy more locks.
Buy. More. Locks.
And consider -- this set of crimes, of terrorism -- is so much more widespread.
So, what to do.
First, do not talk about the security "opportunity" as a benefit. Frankly, security investments are both necessary and an unwanted tax on businesses. Both can be true. While a certain baseline of security is always responsible and necessary, pure acceptance of the current state of affairs and then blaming victims is wrong when the conditions are open warfare.
Second, demand more. The IT sector can choose profiteers or can advocate for change. Spending customers' money on security is not the best use of their investment over time. You want to play business offense, not business defense. Core internet technologies should be revised to be made secure. Bad actors should be aggressively removed, via technical, legal, political, and if required, military action. If there are not consequences for these actions, there is no reason to change behaviors.
Third, communicate with your customers differently. Cyber criminals are terrorists and are competitors to business operations. They should be discussed as such. They are a direct competitor to your customers. They steal profits. They hold hostages.
This isn't an opportunity to exploit. It's a scourge to be eliminated. It's wanton crime in our streets.
And that isn't a golden thing.
About the author
Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.