Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly announced the formation of a joint ransomware task force, plans for which were originally outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Easterly announced the news at an Institute for Security and Technology (IST) event on May 20 in Washington, D.C., and also said the task force would have its first official meeting within the next few months.
“We’re very excited about it,” Easterly said during an event interview. “We think that this will actually build really nicely on the infrastructure and the scaffolding that we’ve developed with the [Joint Cyber Defense Collaborative] to use what we have as part of the federal cyber ecosystem and the companies that are part of the JCDC alliance to plug into the hub as envisioned in the Ransomware Task Force Report.”
She added that the FBI will co-chair the task force, which means the operational leads will be Eric Goldstein, CISA’s head of cyber, and Bryan Vorndran, the assistant director of the FBI’s Cyber Division.
CIRCIA’s Reporting Requirements
Passed as part of the omnibus spending bill in March, CIRCIA focuses on critical infrastructure companies—ranging from financial services firms to energy companies, or other entities where a cybersecurity event would impact economic security or public health and safety.
CIRCIA would require these entities to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively.
The Institute for Security and Technology issued a report last year that included a framework to combat the rising threat of ransomware.
Former State Department cybersecurity coordinator Chris Painter, also a co-chair of the ransomware task force working groups, explained during the IST event that combating ransomware threats requires a high degree of coordination and cooperation between government agencies.
“Establishing the new task force signals that this issue continues to be a priority and is a recognition that combating ransomware will take a sustained, long-term effort,” he said. “It should work to leverage federal and private sector capability to disrupt the major ransomware actors in any way possible.”
Easterly said the focus would be on operationalizing progress in an agile way and disrupting these bad actors, with CISA on the resilience/defense side.
“We want to work with all of our partners across the federal cyber ecosystem and the industry to actually be able to go after these actors in a very agile way at scale,” she said.
She said the days of holding threat report briefings on a quarterly basis are long over; it is no longer a realistic way of protecting critical infrastructure from threats.
“We all have to be in the room all the time, sharing information constantly so that we can create that picture together, because it’s very likely that industry is going to see a cyberattack on the homeland before we see it,” Easterly said. “So, we have to be in the same room—we have to trust each other.”
The event also featured a keynote address from Deputy Attorney General Lisa Monaco, who announced twin initiatives from the Department of Justice.
The first is aimed at tackling illegal cryptocurrency transactions, while the second concerns the establishment of a cybersecurity operations international liaison position to speed up international operations aimed at disrupting the activities of cybersecurity threat actors globally.
“We’ve got to evolve to keep pace with the threat and the nation-states and criminal actors driving it,” Monaco said.
Matthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, said that as attacks against businesses and infrastructure have continued to grow, so has the impact of these attacks.
“Ransomware is a systemic risk to all computing at this point, which requires a unique response from governments,” he said. “To do this, however, requires a task force that can respond in a way that we have not seen before in cybersecurity.”
He explained that if governments want to defend their own and their allies’ infrastructure—commercial or not—then reducing ransomware across the globe is paramount.
Alex Ondrick, director of security operations at BreachQuest, an incident response specialist, noted that information-sharing and trust-building between government and private business is overdue by at least a decade, but that initiatives such as the JRTF could improve upon a growing private-public partnership.
“Governments have come to increasingly rely on the private sector, yet governments are only just beginning to reciprocate information-sharing,” he said. “Given new legislation and interest, CISA’s JRTF has an opportunity to increase the lines of communication and improve information-sharing.”
Ondrick added that an increasingly decentralized ransomware threat landscape has created an opportunity for more ransomware-as-a-service (RaaS) attackers and more ransomware attacks overall.
“Ransomware has become a key fixture of cybercrime as we move towards a post-COVID-19 world, and ransomware—as related to critical infrastructure—continues to evolve,” he said. “Preventing a ransomware attack against critical infrastructure is of the utmost seriousness and urgency.”
Regarding the DoJ’s initiative tackling illegal cryptocurrency transfers, Warner pointed out that the nature of blockchain—and therefore, cryptocurrencies—means every transaction is available for the world to see.
“While attackers will try to move this money around through tumblers, in the end, it must end up somewhere to convert to usable currency,” he said. “Government and NGO initiatives have the opportunity to track cryptocurrency use and look for clusters of ransomware payments being funneled through the blockchain.”
If the target wallets and/or transfers in and out of these potential ransomware wallets can be identified, then governments can disrupt the actors by seizing cryptocurrency from them—this was the case when the U.S. seized $30 million in cryptocurrency from the NetWalker ransomware group in early 2021.
“Ransomware will only continue to grow, as will new attacks leveraged by ransomware, which means that not only the government but also all private entities must level up quickly to defend properly,” Warner said.