The development of a set of cybersecurity standards — similar to the generally accepted accounting principles that businesses use for financial information — could go a long way in arming companies with more options when it comes to cybersecurity breaches and make them more likely to report when these events happen, cybersecurity experts say.
The explosion in the number of ransomware attacks in recent months is highlighting the fact that the U.S. still doesn’t have “standards of what good cybersecurity looks like,” says Michael Daniel, president and CEO of the Cyber Threat Alliance and a former cybersecurity coordinator on the National Security Council Staff under President Obama.
“In accounting we have GAAP, which is a body of work built up so that when you’re looking at a company’s books and numbers, you know what they mean,” Daniel says. Similarly, in the physical world, there are standard, expected security protocols that are fairly universal. A business will routinely install cameras, a fence, and locks on the gates at a plant, manufacturing facility or distribution center.
“We do not have similar standards in cybersecurity,” he says.
Among the reasons: complex technology, a plethora of companies pitching their solutions, and the ever-changing nature of the threats themselves. As a result, “it’s difficult to know how much a company is liable for, or what someone else says they’re liable for, or, if they’re in a regulated business, what the regulators say you’re liable for,” he adds. Without these guideposts, many companies are less likely to reveal that they have been breached or have paid a ransom.
The recent cyberattacks against Colonial Pipeline, SolarWinds and meat supplier JBS have added a sense of urgency in dealing with these threats and what they are costing companies. After its breach, Colonial reported that it paid a $5 million ransom to the hackers, but U.S. law enforcement officials were able to recover $2.3 million of that earlier this week.
On Wednesday, JBS said it paid the ransomware hackers who breached its computer networks about $11 million. Sen. Mark Warner, D-Va., is preparing a bipartisan bill that would require some businesses to report cyber incidents to the government so law enforcement can quickly get involved. During an Axios event about cybersecurity, where he previewed the bill, he said he expects it to be introduced in the next few weeks and believes broad support can help it pass quickly.
The creation of more explicit cybersecurity standards may have taken a step forward last week when the Biden administration urged corporate executives and other business leaders to get better prepared for these attacks. In a memo from Anne Neuberger, deputy national security advisor for cyber and emerging technology, businesses were warned that “the threats are serious and they are increasing.”
Ransomware attacks involve malware that encrypts files on a device or across a company’s network, rendering the affected systems inoperable. The criminals behind these cyberattacks typically demand a ransom — often in bitcoin or some other cryptocurrency — in exchange for restoring access to the data.
The White House memo outlined best practices for safeguarding against ransomware attacks, including backing up data, system images and configurations; testing regularly; and segmenting networks. This last practice is particularly key for large enterprises, says Daniel.
“If a company has done proper segmentation, every time the bad guys try to cross a segment you get the opportunity to detect them before they can trigger the malware,” he says. “By employing this practice you make yourself more resilient against having a successful ransomware attack launched against you, and if you do have one you’re usually able to mitigate the damage and recover much more quickly. This is what gives companies a lot more options than believing they have to pay the ransomware.”