The cyberthreat landscape is increasingly prolific, sophisticated and tricky to defend against. Much of this is due to a rise in state-sponsored attacks, for-hire cybercriminals and rapidly evolving offensive technologies. These add complexity around issues of data sovereignty and control. This is pulling the private and public sectors closer together, and further cooperation is needed to tackle what is at stake.
A fundamental part of the problem is the motive, opportunity, impunity cycle where we see high rewards and minimal punishments in cyberattacks. This is exacerbated by state espionage and cyber warfare, which prevents global consensus in tackling the issue.
There must be a step change in how the public and private sectors work together across the globe to manage cyber threats as the economic and political risk involved increases year-on-year, not to mention the risk to public safety and global geopolitics.
Impunity
Part of the issue is that threat actors can feel protected by their governments when there is no co-operation in place for prosecution and where state-sponsored cyber warfare muddies the water. But what is also at stake is a lack of resources and skills to tackle cybercrime globally and, in some instances, a lack of political will. Unless governments and the private sector tackle this as a global crisis – all working together – there will be little change in the proliferation of attacks. Obviously, cybercrime is remote: a threat actor may be sitting in one country attacking an organization or government in another, feeling secure in the knowledge that it is highly likely he will not be punished. Being able to act with impunity means there is really no deterrent at work.
Motive
The other major issue, in cybercrime more specifically, is the financial benefit. The US Department of Justice said it had recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists. Ransomware is now a huge issue for organizations and, perhaps more dangerously, for the public sector and critical infrastructure. If an attack puts people or an organization at risk, the policy is generally to pay the ransom and resume services or safeguard operations as swiftly as possible.
There is never any guarantee when paying a ransom that you will be safe afterwards. There is little honor among criminals, and so it is becoming increasingly common for criminals to use the same attack method more than once – they had success the first time and a few weeks later may try again. They can be successful on more than the first occasion.
Moves are being made, particularly in the US, to make the payment of ransoms difficult for organizations and reduce the amount of money going to organized criminals. Broadly, more input from government on tackling this issue is welcome, but criminalizing organizations for payment needs to be balanced with more practical support to help organizations recover quickly from an attack – this element is still lacking in legislative approaches thus far.
With the above cycle still playing out, what can we do to protect organizations?
Cybersecurity teams keep getting better at tackling cybercrime, says Maciej Zarski, Global Head of CERT, Atos, “The threat landscape is slightly changing every year with new TTPs (Tactics, Techniques, and Procedures) but we still observe that the basic threats are very effective, including: phishing, stolen credentials, ransomware, poor security hygiene and DDoS, DoS. This means we can hunt, detect, plan and educate against these threats. However, tackling the root cause – breaking the impunity cycle – must be the long-term goal.
To break this impunity cycle what matters is accountability. Even if it does not solve the problem completely, surely it should slow down cybercrime.”
Some of the most destructive and costly ransomware groups are now in their third incarnation over as many years.
Brian Krebs
American journalist and investigative reporter from Krebs on Security