The U.S. government and its partners have slowed the swell of ransomware over the last three years, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Wednesday at an event.
But the cyclical and persistent threat ransomware poses requires new ways of thinking, Easterly said, speaking at the Institute for Security and Technology’s annual ransomware task force event. Defenders and stakeholders have to turn the lens to software and hardware vendors, according to Easterly.
“There's a lot about the villains. There's a lot about victims. We do not talk enough about vendors,” she said.
“The way we are going to actually drive down the number of attacks, and the number of successful attacks, is if we go upstream and ensure that technology that is deployed and delivered is in fact prioritized to be secure,” Easterly said. “Not features, not speed to market, not driving down costs, but secure. That's why we're in this issue.”
Secure by design, a collective push to shift the responsibility for security in technology products and services to manufacturers and vendors, remains a principles-based work in progress. For now, there are no enforcement mechanisms tied to these guidelines.
Officials know they still have work to do downstream, and positive outcomes could take years to materialize.
While efforts such as stopransomware.gov, the Joint Ransomware Task Force, the pre-ransomware notification initiative, the ransomware vulnerability warning pilot and the known exploited vulnerabilities catalog are not magic solutions, the number of attacks would be much higher without them, Easterly said.
CISA’s pre-ransomware notification initiative and ransomware vulnerability warning pilot have each resulted in about 2,000 notifications since they began in late 2022, Easterly said. Those efforts stopped some attacks from occurring or spiraling into disasters, but ransomware remains a huge problem.
Instead of focusing on the victim or why an attack happened, Easterly said stakeholders need to address why vendors are delivering products with common vulnerabilities.
The “very basic” SQL injection vulnerability in MOVEit belongs to a class of flaw that was solved 20 years ago, Easterly said. Ransomware attacks linked to that vulnerability in the MOVEit file-transfer service impacted nearly 2,300 organizations and exposed more than 93 million individual records.