Ransomware and cyber crime: key takeaways from our session with Nicole Perlroth and Tom Hurd
Cyber attacks are never far from the headlines, with two recent and very sophisticated incidents, the ransomware attack on Colonial Pipeline Co. and the SolarWinds software supply-chain compromise, raising the alarm once again about the threat posed by ransomware and supply-chain intrusions. With technological transformation accelerating at unprecedented speed since the start of the pandemic, such attacks are a growing risk for business.
So began our Big Conversation with Nicole Perlroth (cybersecurity correspondent at The New York Times) and Tom Hurd (founding director of the UK’s Joint Biosecurity Centre and former director-general of the UK Office for Security and Counter-Terrorism). Both are on the frontline of the war against cybercrime, and both emphasized the daunting challenges ahead for corporations navigating this rapidly evolving frontier.
When the world’s most sophisticated intelligence systems are missing serious security breaches, how can companies protect themselves? What responsibilities do board members shoulder in preparing for cyber attacks? How can businesses assess whether ransom demands are worth paying, or even whether they are legally able to do so? How much of the burden of adapting to this landscape falls to governments? How does Artificial Intelligence (AI) change the picture? There’s no doubt that the cyber arena features a host of unknowns, but the insights shared over the course of the hour threw some light on important steps leaders can take now.
Here are the key takeaways:
Before the West falls victim to “The Big One” or “Cyber Pearl Harbor” – the definitive attack on the horizon – we must reflect on where we already are. Nicole Perlroth reminded us that Iran has developed from a digital backwater into one of the US’s most troublesome adversaries; China’s online activities have been poorly defended; and Russia, which has always been a sophisticated actor, is now seemingly able to penetrate information systems at will.
When do governments take their gloves off on cybersecurity? As it stands, we don’t deal with cybersecurity in the way we deal with terrorism: we don’t contemplate using lethal force against those conducting the attacks on our critical infrastructure. In the words of Tom Hurd, this now has to be an option: there is a playbook for holding at risk those who seek to do us harm.
We can expect to see new groups engage in cyber attacks, potentially including climate activists who may take it upon themselves to launch strikes as the tools available become more ubiquitous. Ransomware-as-a-service platforms such as DarkSide, which was behind the attack on Colonial Pipeline, only serve to increase the threat.
One sector that could find itself increasingly at risk is logistics, particularly as automation takes hold and more elements of the supply chain are connected to the web. The rapid technological transformation and shift to doing business online that has accelerated through the pandemic will lead to logistics providers becoming among the biggest companies in the world, and the threat surface presented by their connected technology will make them prime targets for ransomware attacks.
The SolarWinds compromise highlights concerns about software supply chains and third-party exposure that have been circulating for years. What risks are buried in the software all companies use? It took nine months for the intrusion, attributed to Russia’s Foreign Intelligence Service (SVR), to be detected. Even then, it was spotted not by any of the many US government agencies compromised, but by a private security company, FireEye, which discovered its own systems had been breached. Because of US legal restrictions, domestic networks remain a massive blind spot for US intelligence agencies.
In the case of ransomware, boards are having to balance national security interests against their responsibilities to the company and its investors. Responding to a ransomware attack involves answering a series of questions quickly. Do you have backup systems? How fast can these be activated? What are the exposed assets and what is the cost to the business of their being rendered inaccessible or stolen? What are your “crown jewels”: what, above all else, should you protect? These calculations will help businesses structure their priorities.
Companies considering paying a ransom demand need to assess their legal risk under sanctions and terrorism-financing legislation and regulations: paying sanctioned entities can result in criminal and civil penalties. While there are currently no stand-alone laws directly addressing ransomware payments, that will be changing in the near future.
The G7 communiqué was a step forward in recognising the scale of the cyber challenge. It must be followed by action in three areas. First, governments must change the economic incentives around ransomware. Second, the same must be done for cyber insurance, which is currently difficult to price and is undercapitalized. Third, companies must be more transparent with attack information. Being open about when they have paid a ransom would make more information available for policymakers. The Biden administration is taking this issue seriously. Under the new US Executive Order on Improving the Nation’s Cybersecurity, companies can self-certify that they have taken measures to protect themselves from breaches, but face bans on doing business with the government should those assertions prove false.
There is some cause for optimism. Most cryptocurrency – in which many ransomware payments are made – is, contrary to popular belief, traceable. Indeed, it is often easier for investigators to track distributed ledger transactions than traditional payments funnelled through offshore accounts. In addition, as the ransomware challenge grows, we are seeing an explosion in blockchain intelligence service providers that support ransomware investigations and corporate risk assessments relating to crypto services.
Boards must consistently act on their responsibility to protect the company against cyber attacks. To encourage greater focus on these issues, it may help to shift the language that surrounds them: Tom Hurd suggested positioning cyber threats as issues of reputation and safety (which are squarely within the board’s remit), rather than technology and systems. Of course, however the internal messaging is constructed, boards must adhere to their legal and regulatory requirements, many of which are technology specific. (In the US, we are expecting further specific developments in this space in the near future.) Boards may not need a cyber expert as a member, but they should become cyber literate. Boards can use tools such as the NIST Cybersecurity Framework to communicate with their technical experts and produce comprehensible and actionable information.