A day after the world’s largest meatpacking company, JBS, confirmed that it paid the equivalent of $11 million in ransom to hackers who broke into its computer system, two federal officials spoke with WTOP about what companies, private people and the government can and should be doing to prevent and deal with the next attack.
Eric Goldstein, the executive assistant director for cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told WTOP on Thursday: “This is a national-level risk that can affect every organization in America, public or private, big and small across sectors.”
He didn’t directly answer a question about whether the government could require a minimum standard of cyberdefense, but said that his agency’s website, cisa.gov, “has resources that all companies can use to secure their own networks against these risks.”
Even so, attacks will happen, and Goldstein said the key to surviving them was not just to harden systems against attacks, but to “focus on the resilience of our critical functions — fuel, food, banking, telecommunications — the things that you and I rely on for our everyday lives.”
“All organizations, even as they invest in cybersecurity, should also look to make sure that the services they provide can be less dependent upon IP networks and systems,” Goldstein said. “So that if a cyber intrusion or a ransomware attack does occur, the services they provide will still be available to the American people and the business’s customers.”
Three ways to fight back
Sen. Mark Warner, the chairman of the Senate Intelligence Committee, pointed out that the JBS payment comes on the heels of the Colonial Pipeline hack that put half the country into a gasoline panic, as well as attacks on a ferry system in New England and “the whole Irish health care system about three weeks ago.”
He laid out three ways the government can fight back.
“One, we need to have a mandatory reporting requirement. These companies don’t even have to tell the government when they are attacked, so that we can actually bring law enforcement and our other tools to the table.”
“Second, we really do need to create some level of international standards. So that when we see these attacks come from criminal gangs, for example, out of Russia, if they are attacking critical infrastructure, whether it’s here or Europe or elsewhere, we can have a united world response.”
“And three, we really need to start a … debate about whether there should even be payments of ransomware. … Even if you pay, there should be more transparency in the payments.”
Warner said there was “broad bipartisan consensus” on his committee for legislation mandating the reporting of these attacks.
He encouraged President Joe Biden to “put this on the table” when he meets with President Vladimir Putin of Russia, where many of the biggest hackers are based.
Should they pay the ransom?
Both officials discouraged the practice of paying ransom.
“Our guidance is to strongly discourage the payment of ransom,” Goldstein said. “The more ransoms that get paid, the more attacks we will see.” He added that there’s no guarantee that paying ransom will actually get a company’s data back.
Warner acknowledged it’s not that simple: “Of course, you start with the premise that, hey, folks shouldn’t pay this ransom. But if it’s a hospital, and there’s a chance that people may die if you don’t do something in the short term, it’s not as easy a discussion as you initially think.”
“But even if you pay,” he added, “there ought to be transparency on the payments. And maybe that means we shouldn’t be using crypto right now.”