Comments by: Jamie Boote, Senior Security Consultant, at Synopsys Software Integrity Group
Ransomware attacks against critical infrastructure represent a shift in attacker tactics that requires a shift in priorities. Previously, industries that prioritised uptime and availability to support their operations weren’t as harmed by data loss and breaches as long as their pipelines kept pumping and the factory lines kept moving forward. The White House is attempting to drive a shift in priorities for these industries that haven’t historically faced the same level of fallout for data breaches as financial institutions and medical companies.
These ransomware attacks show how dependent the US infrastructure is on private companies. These private incidents are proving to cause public harm, and this memo signals that the government is interested in stepping in to protect the public interest. Unfortunately, as long as ransomware response is a budget line item for these industries, these attacks will continue. It’s unclear what incentives or penalties can come out of anti-ransomware regulation, but if private lapses in due diligence continue to result in public breakdowns in critical logistics, industries that received little federal oversight for their IT operations could see additional attention in an attempt to minimise the threat caused by attacks against infrastructure and availability.
Hopefully this memo is the first step towards a coordinated response against ransomware attacks, but the ultimate responsibility for eliminating these threats requires cooperation from many different entities: industry to perform due diligence, regulatory bodies to provide meaningful guidance and incentives, lawmakers to provide additional legal avenues for responses and damages, and even diplomatic efforts with foreign powers that turn a blind eye to these ransomware operators.