Transcript
Megan Stiefel is my guest. Megan is the Chief Strategy Officer for the Institute for Security and Technology, and we're going to talk about the Ransomware Task Force. The task force is four years in, and we're going to cover some of the progress that's been made, some of the challenges that everyone's run into along the way. So nice to meet you. How are you? Nice to meet you. Thanks for the opportunity. I'm well. Of course. How's the show going for you? It's a little chaotic always. It is. I think it's like multiple marathons with sprints in between, so you just keep- Sounds about right. You hit the ground running, and you keep running. So let's just jump right into the task force. I mean, the timing of this thing at the time was a little weird because Colonial Pipeline was a few days right after it was announced. Yes, exactly. Yes. Is that right? Yes. What were your initial impressions, opinions of the effort, and just big picture thoughts on it? Sure. So the task force, the idea for the task force really began in 2020, as we continue to see the escalation of threat actors leveraging ransomware to extort businesses. Of course, ransomware didn't start in 2020, right? No. It's been around for a long time. But over 2020 and talking with people in the executive branch at that time and not seeing significant action by the US government, we thought, well, let's gather some stakeholders together and see if we can make some recommendations. Of course, there was a change in administration, and so while that wasn't our primary audience, it was a big- Sure. It was a big audience that we were trying to reach. And the idea was really to say, look, this will take collective action to reduce as with all things in cybersecurity, but we convened the group and worked over four months. So really kind of got going in January of 2021. 
Of course, then COVID was already a problem, and that was also a big motivator for us: as work-from-home picked up, of course, the threat actors found that to be useful. And so we made the recommendations after a series of consultations and working groups, and it was Michael Daniel who was one of our co-chairs. I think he said something like, we sprinted a marathon. And so I guess I should back up a second and just kind of maybe explain your role in the task force and kind of how that got started for you. Sure. So the task force itself, I mentioned there were 60-plus organizations involved and we structured it in four key areas. How to help organizations better prepare for and respond to ransomware. So we had two work streams, one on prepare, one on respond. And then how can governments and others better deter ransomware actors as well as disrupt them? So those were the other two work streams. And we had two co-chairs for each work stream. So I had the pleasure and privilege of working again with Michael Daniel. He was my boss at the White House a long time ago. We led the respond working group, and then we had on the prepare side, Jen Ellis and John Davis. Jen at the time was at Rapid7, so a corporate; Palo Alto Networks, John Davis. We also had co-chairs from Microsoft, Resilience, the insurer, Michael Phillips is one of our panelists tomorrow, Chris Painter, I can't forget Chris, and Phil Reiner. So really looking at trying to, again, build a coalition of vantage points through which we could address the ransomware risk through these four kind of key areas. And then there was not an even number of recommendations, there were 48 in total, but there were not 12 in each. We were front-loaded in some areas and not enough in others. Right, right. Some heavyweights there. I mean, I know Jen pretty well. She's great. And Chris Painter is very smart. I mean, a lot of good people. Yes. It was really great to... 
I think one of the reasons that I would say that we were so effective in, or the recommendations that we made have been effective is because we had people who knew how the government would respond to this and how to leverage our collective prior insight of, I don't think I want to say how many decades of government experience we had as co-chairs, but I think that really made for the lasting impact that it's had. So of the two work streams that you mentioned, I would imagine kind of the deter, disrupt these groups is the more challenging one, given, I mean, everybody knows these guys are not here sitting in the United States for the most part. Extradition is a tough thing, getting any kind of coalition with international law enforcement takes time. Just what was your experience in that respect? I think in some ways we saw the most action in deter and disrupt in the early days. Right after Colonial, then-President Biden had a meeting in the Rose Garden and there was a big public push against the threat actors. And shortly thereafter, right in the fall of 2021 is when the first Counter Ransomware Initiative meeting happened. So again, these deterrence signals that we're getting from government, the G7 had a statement over the summer of 2021 that identified ransomware. I think disruption similarly over the years has gained momentum. We still think though that there is tremendous room for opportunity to better disrupt these threat actors. And that will happen with government and industry, obviously working more closely together. We all talk about that. But I think for us, we see one of the big sticking points as the government being able to say, this is what's of highest importance to us, or, hey, that piece of information you just shared, that was really useful. And so that continues to be one of my passion projects, if you will, of this effort, I think. 
The takeaway, I think, has been there has been tremendous willingness on the deterrence side by governments to come to the table and talk about this. The CRI now is four years running in 70-plus countries and organizations. How do you characterize ransomware or rank it among the threats that are out there? I mean, it can be so devastating, so disrupting, so disruptive, and it's still a thing. Ten years as a profit model for attackers. I think it's report season, right? So the Verizon DBIR is out and IC3's report came out last week. It's still up there at the top or near the top. And unfortunately, that's where I think it belongs. What we would like to see, though, is the task force, it was the ransomware task force, but it was never really about ransomware. That was the pebble in the ocean that we could get people to try and galvanize around. But we thought and we continue to think that working through some of the measures that will combat ransomware will also have knock-on effects to reduce risks from other threats, including other nation state actors. So it's at the top, but it's not, you know, things that can be effective and impactful in reducing the ransomware risk will also buy down risk from other threat models. All right. So let's talk about kind of the original report and the original recommendations. I think I saw an updated report that you guys have made progress on half of the recommendations. Let's start with the good news. Where do you think the best work has been done, the most progress, et cetera? So definitely, I would say on the deterrence and disruption side, we've seen pretty solid progress. I already kind of mentioned the Counter Ransomware Initiative and some of the public statements from government leaders. We think one of the big pushes that we had was for incident reporting. And while that's not every person's favorite topic, we do call for regulatory harmonization. 
But the idea of there is a tremendous gap, information gap, the quality and quantity of information that's being shared and identified about ransomware, as with many other cyber threats, is not great. So we called for incident reporting in our report. And obviously, CIRCIA has passed. Similarly, things like the state, local, tribal and territorial grant program that CISA has been running, DHS has been running, was also a recommendation that we called for. And that's a program that we hope will be renewed in this budget season. It's critically important, especially as the administration is signaling that they want to drive the action back to the states. That program would be tremendously impactful in seeing that through. The disruption side, we called for something called the Joint Ransomware Task Force. That also became law. So some people, particularly as a civil society organization, how do you judge impact? And for us, seeing significant progress on 24 of 48 recommendations, including through public statements as well as legislation, is one of the ways that we judge impact. So the success, I think, is also in having industry come together through the work of the task force. And so we had competitors, frankly, sitting at the same table and putting their bottom line aside to really drive and think carefully about what could make a difference. That's a huge hurdle, though. Yes. Nobody wants to tell the other guy that we've been hit or that we're vulnerable or whatever the case may be. Yeah. Yes. There have been a lot of calls from the government around reporting in certain time frames, etc. How well do they understand the problem set? Because sometimes some of these reporting mandates weren't super realistic. Reporting within 48 hours of a breach or whatever it was, you don't understand the full scope of something at that point. Yes. One of the things that we called for, we had the Cyber Incident Reporting Framework was the project that we published in 2022. 
And one of the points that we made there, and we actually then submitted comments to the request for information that is informing the CIRCIA implementation, the Cyber Incident Reporting for Critical Infrastructure Act, I got it all out there in one fell swoop, is that there needs to be an ability to update the information that's been disclosed. I tend to think, but it doesn't make me very popular with my industry peers, that there is a need to inform one's competitors, peers, etc., that there has been a breach because it's likely going to impact them as well. And so the quicker we can get the information to a central place that can then be shared, whether it's through the ISACs or through JCDC or other places, the better prepared we will be as a society. And that's where we know we need to move. And what kind of information are you hoping that gets disclosed? Is it just indicators of compromise or something beyond that? I think IOCs are great, but context is always king. One of the things that shocked me a bit when we were, when Michael and I were working through the Respond Group was that in the STIX/TAXII model of indicator sharing, there isn't like a click-the-box for ransomware. And so thinking about where are you seeing this IOC and what type of an attack has it been leveraged in? And that, I think, was another piece that we thought. One of our other keys, I was disappointed to see, was that the format for reporting, including to the government, our government, the United States government, is not consistent. It's not common. So CISA, the folks at DHS ask for one set of information, FBI IC3 has a different set of information. So we thought also that there needed to be a commonality to try and get me in a better position with my industry peers. Make it easy. Don't overcomplicate it. The easier we can make it, the faster we will get it and the better, more protected we will be. Yeah. Otherwise, it's not useful. No. No. Yeah. All right. 
So of the, again, just going back to the updated report, there were 24 recommendations that are still kind of being worked on or I don't even know, lagging is the right word. Yes. What are some of those you'd like to see prioritized and where would you need help, more legislative help or more from another area? Yes. I think for me, the biggest one really is, well, one of the biggest ones is this idea around operational collaboration and how can industry and the government better work together to defeat these threat actors through a strategic campaign that will have knock-on effects. That I think, as I said a couple of minutes ago, there is the most room for benefit I think in that space, but we need to shift left. We all need to shift left. And so at the time we didn't, there were not explicit references to secure by design, but certainly that is on our top priority list. While it was not one of the 48 recommendations, that's what will get us to a place where we're no longer talking about ransomware. So we need to move there before that, that is a market shift. So that will take time. On the prepare side of things, we still think that there's tremendous room for growth. I mentioned the state and local grant programs, which can help organizations by rip and replace potentially, a number of other ways that those funds can be expended. But one of the things that we called for was a nationwide awareness campaign and that hasn't happened. It's great that we have, Craig Newmark has just launched, kind of brought to RSA this Pause, Take 9, and we were a member of that initiative. But really getting in the minds of consumers that it takes all of us to defeat this. And one person can actually have an outsized impact because if you don't click the phishing link, the exploit doesn't make its way. I think that's been a problem for a long time. We're kind of in this echo chamber, I know what it is, you know what the problem is. 
But like telling my mom, telling my sister, it's not the same and it's a different kind of messaging. Yes. And we all play like, you know, family CISO, don't forward me the email, mom, just call me on the phone and ask me if it's real. Right. Yeah. I've actually trained my mom a little bit. She calls me if she gets a weird text, I'm like, don't click anything, don't touch it, leave it alone. And U.S. government, what kind of resources should they be allocating? Are they allocating that's helpful? What's your take there? I had the benefit of testifying. I've testified three times now about ransomware before Senate and House. And last year I was testifying before a subcommittee on the House side in banking and finance. And one of the things that I said is like, we need to better resource this initiative. So that means that we do continue to need to fund investigators. And we need to continue to fund our responders. So the work that CISA can do voluntarily, if they're called in, can be tremendously impactful in helping an organization reduce its gaps, its vulnerabilities. But they are going to succeed. And so we need to have investigators at the federal and state and local level; investigative capacity is quite minimal when it comes to cybercrime. So those are two areas where I think we would hope that there would not be cuts. And at the end of the day, it impacts Main Street. Ransomware, all cybercrime, does. It is a Main Street consumer issue. And we want to continue to see the United States be an economic powerhouse. So one of the ways that we need to do that is to protect our citizens. It's always the big challenge, too. It's like getting to legislators. I mean, the staff, for the most part, understands. But when you got to go at that level up, sometimes it's a little painful and, you know, you can see it in some of these hearings, some of the testimony. It's tough. And, you know, they need to understand the problem set. Yes. Yes. 
I did a podcast yesterday with someone on ransomware, but it was more about the technical side of it, some of the evolution, some of the tactics. And, you know, he pointed out there's some scary stuff coming, hardware-level ransomware that's like eternally persistent. This is a fluid thing. Like we say ransomware, like it's this umbrella term, but it's not just this one thing. Yeah. And, you know, how does that fit into what you guys are doing, too, in terms of developing? Yes. You know, it's like instead of software as a service, it's like fraud as a service now. Yeah. And so we're looking at extending the lessons learned from the task force to try and address some of this unfinished work of the task force. So how do we begin to drive down the fraud-as-a-service business model? But yes, the evolution from, you know, double and triple extortion to physical threats is really scary. Because my view is the information is out there that we can defeat this. We have to have the political will that we're still struggling to really capitalize on. It always feels like there has to be some giant incident to really get people to move in the right direction. That's unfortunate still. Yeah. I mean, I think had Colonial not happened, we all sort of said, you know, somebody jokes like, did you guys do that just to get your report read? No, no, no. But it really... Would have been just another report. Would have been just another report. But, you know, it continues. Ransomware is continuing to really paralyze not just people in the United States, but around the world. I mean, the impact of ransomware globally is difficult to assess, but we have been doing a kind of an assessment last year and the year before we used leak site data to see where else ransomware is impacting governments and it continues to grow. Some of the successful disruptions of some of these groups, pretty prominent groups have been kind of at least temporarily interrupted. 
They always pop up again. But regardless, you know, you see the press release from DOJ and it's always DOJ, FBI, you know, nine other agencies that are involved. What's your experience in terms of like the coordination of this stuff and the actual execution of, you know, any attempt to disrupt these gangs? I want to give my tip, my hat, if I may, to our friends in law enforcement. They have a tough job. They are under-resourced. I was saying a couple of minutes ago, it is, I think it frustrates, particularly when you think about the security research community that is also seeing so much of this happen and are really like all of us troubled by it. But when you're following, you know, building a case and following the rule of law, we have policy and protections that we have to follow and actually they benefit us in the long run too. But to build this kind of the holistic picture does require international collaboration and capacity. You know, we are fortunate that, you know, in our country and many of the Counter Ransomware Initiative countries, their law enforcement, their maturity level is high. But in some cases you have threat actors operating from, you know, safe havens and their neighbors are less capable of being helpful in the investigation. And so we really need to think about, in addition to better leveraging and collecting information, better building capacity globally across the law enforcement landscape. So it doesn't move as quickly as everyone would hope, but, you know, I think the pace of them has significantly increased and that's a good thing. Yeah, absolutely. I mean, it's unfortunate, but it's a good thing. And it has to be done legally. I mean, there are legal barriers that we just, you know, hack them back, do the same thing. And it's never that cut and dry. No, hack back is not a sound policy solution. It is really dangerous. You know, someone was saying, what are we going to do? Hack back? 
I mean, some of these, they're leveraging cloud services and other capacity of US companies. So are we going to hack back in Redmond, Washington or, you know? Yeah, attribution is hard enough without taking down legitimate infrastructure. Yeah. No, there are other, we've made many recommendations about other ways that we can drive down ransomware without going on the offense in that way. We do think though that there is a need to leverage all of the tools in the US government toolbox to defeat these actors. But it comes back to political will. What about private industry? What's their role in this beyond information sharing? Or is that kind of the extent of it? I think industry has an opportunity to call upon our leadership, executive branch leadership, and the leadership of countries where they're selling services and operating businesses to say, we need your help in defeating this. I mean, it's costing them money as well. It's not just costing governments money, it's costing industry money. So it certainly I would like to see what's their role in part, you know, please bring more secure products to the market so that we can not have ransomware leveraging the vulnerabilities that we are finding. So I think that's a piece of it too. But yes, information sharing, building more secure products, and calling for there to continue to be action from the top levels of government, I think are three key things they could do. That's why I hope some of these secure by design initiatives really keep going. I mean, I know there's a lot of turbulence in the government right now, but, you know, secure by design to secure by default, it's really kind of like essential hygiene practices that would eliminate a lot of this stuff. And it doesn't help stuff that's out the door already a lot, but it's a huge effort. Yes, we hope to play a key role in continuing that work. We're actively talking with stakeholders about the ongoing need to sustain the secure by design progress that's been made. 
And it's not just a US government or US priority, right? The work that CISA did, the team there in developing the pledge and getting so many companies to sign on was not just, they were not just US companies. And it wasn't just US government agencies that were supportive. I think there were 14 governments that signed on to the white paper that CISA published. So it shows us that there is momentum growing internationally. And I think, you know, at the end of the day, it's a way for US companies to compete and continue to innovate in a way that we can continue to outperform peers. Do you have a sense of whether it's working? I mean, you can sign a pledge, but to actually kind of do it? One of the things we would like to do is to do kind of a light-touch assessment of how the companies that signed on are fulfilling their commitments. I think it's also important to recognize that we don't expect there to be immediate change. It is a market shift. It's going to take time, but we hope that there are ways that we can see indicators of progress along the way. It's always hard to say, build security in from the beginning. How do we show that it's actually a cost savings? But it is. And so digging into some of the data behind that, the economics of it, is something that we hope as the initiative evolves and steps out of government, hopefully. Stay tuned for more on that, but that's something that we can demonstrate. Yeah. I mean, if you can eliminate classes of vulnerabilities from the start, that's massive. Because there are more vulnerabilities that are more tempting than others to these guys and easier to exploit. It's not like they're burning zero days on everything. Right. And that was one of the things that we mentioned in our progress report last year, is the number of n-days that were used in some of these ransomware attacks. And so eliminate a class of vulnerabilities, eliminate a huge part of the ransomware problem. Yeah. 
So if you had a wish list in terms of resources you need, is it money? Is it tech? Is it expertise? Probably all of the above, but is there a priority to that list? IST, we're a nonprofit. We could always use some support. We're very grateful to, like I said, Craig Newmark is one of our big funders. And Craig is the lifeline of the civil society movement around cyber, the cyber civil defense initiative. So his work is great, but it's the ongoing commitment by all of the stakeholders around the table, the 60-plus organizations and individuals to keep at this and not give up. Is it tech? Sure. But if you take a look at the report, you'll see that there isn't a single like, oh, we should use MFA or we should. What we said was on the tech side, because this is, you know, it impacts entities and organizations across the economic landscape from the smallest to the biggest, unfortunately, that there should be, we need, you know, rather than there being 50 pieces of, oh, somebody's got a, we have a blueprint, somebody else has a profile, someone else has a this, let's have one resource to rule them all. Yeah. If we can. And so that's one of the things that we're going to be doing this year is really working with the Center for Internet Security and the National Institute of Standards and Technology, not my organization, NIST, not it, IST, to update the ransomware profile that they have and merge it with our blueprint so that we can make it, again, keeping it simple for the most vulnerable of us. Yeah. I mean, they're just relentless, these actors. I mean, the stuff they're doing to hospitals or, you know, seems to be less public now, but I'm sure it's still going on. It's still going on. And they're not reporting. And it's really terrifying. It is. Yeah. And it's not just U.S. hospitals. 
And, you know, I'm trying to remember now, one of the countries that I saw their government had just been targeted by ransomware, particularly in some of the countries of the world, there is less of the private sector-led infrastructure. Yeah. And so you're putting not just hospitals, but government services at risk. You know, pensioners can't get their pennies out of the government. They can't buy food. So the knock-on effects are really horrific. Right. Right. So just before we wrap up, I want to talk about, like, payments. Yes. I mean, these victims are in real trouble sometimes, and it's, you know, law enforcement says don't pay, researchers say don't pay, and understand why they would, you know, provide that kind of advice. But I don't know how realistic that is all the time. And I'm just, what's your experience, you know, what are these discussions like internally for a victim? I was talking with a friend who was the CISO at a company, I won't name it, but they were hit by ransomware, and they were talking through, working through their incident response plan, and I think, you know, at some point they all decided to get a couple minutes of sleep. Yeah. And they had not decided before they went to bed whether they were going to pay. The next morning, the guy went to work, and the CEO said, we're paying. Oof. You know, if I can pay, at that point in time, it was like a $200,000 ransom, not some of these crazy demands of, you know, and payments reaching over a billion dollars last year is just nuts. Right. But it is really a heart-wrenching conversation to decide, you know, are you going to, you know, continue to fuel the fire by paying, or do you risk your intellectual property being compromised, your employees being physically put at risk? The data leaks. Data leaks. At the same time, though, the simple solution is not, let's just ban ransomware payments. 
Our view, and we published a roadmap last year to banning payments, we do think at the end of the day that will be effective, but we need to take some significant steps before we do that. Yeah. To have that be effective, that being a payment ban. And our assessment is that we're not far enough along those, I think there are 16 elements that we recommended ought to be accomplished before a payment ban goes into effect. We're not far enough along that pathway. You know, the UK government just did a consultation around three ideas for, one of which is a payment ban, but to think about, move this direction, the members of the Counter Ransomware Initiative committed at the federal level that they should not pay ransoms. But there are alternatives to paying. Yeah. And I think that's one of the key recommendations that we made in the task force as well. Doing some due diligence, looking at, you know, we've moved back to the threat actors have shifted. Well, the landscape has also shifted because a lot of people do have backups now where they didn't as much four years ago. So the threat actors are having to shift their TTPs to find the way that they can still put the pain, bring the pain to the victim. Right. They were always ahead though, unfortunately. Yes. It seems like one step ahead. Yes. It's a cat and mouse game. Yeah. Yeah. And I don't think AI is going to, I used it, there's the bingo word. I don't think AI can help us close some of those gaps. Right. All right, Megan, thank you so much. Thank you.