In past decades, attackers breached systems and stole sensitive information, prompting a wave of regulations focused on consumer privacy and breach notification. The current surge in ransomware attacks is prompting a new wave of action from policymakers. Unlike the more abstract harms threatened by breaches of personal information, ransomware will grind systems to a halt, suspending business and government operations and potentially threatening health and safety. One indication of the shift in awareness of this form of cybercrime is that President Biden addressed the ransomware threat multiple times in 2021.

The increased risk from the ransomware threat is prompting regulators to look more seriously at whether existing regulatory requirements for cybersecurity safeguards are effective, or whether new requirements are needed to help combat the threat. Federal agencies are also strengthening coordination on information sharing and incident reporting, and the administration is stepping up cooperation with international partners and the private sector. Let’s look at a few recent and ongoing initiatives.

Cybersecurity requirements for critical infrastructure

In March 2021, Department of Homeland Security Secretary Mayorkas announced a series of initiatives to strengthen the cybersecurity of critical infrastructure, citing ransomware as a national security threat driving the effort. Less than two months later, the Colonial Pipeline ransomware event disrupted the East Coast fuel supply.

Not long after the Colonial attack, the Transportation Security Administration (TSA) exercised its authority to impose security regulations on the pipeline sector. Through two separate rules, TSA required pipeline operators to establish incident response and recovery plans, implement mitigation measures to protect against ransomware attacks, and undergo annual cybersecurity audits and architecture reviews, among other things.

In December 2021, TSA also issued new security regulations for the aviation, freight rail, and passenger rail sectors. The regulations require, among other things, reporting ransomware incidents to CISA and maintaining incident response plans to detect, mitigate, and recover from ransomware attacks.

Ransomware has been a key motivator for the sudden tightening of cybersecurity requirements. Previously, the cybersecurity regulations for pipelines were voluntary, with an accommodative relationship between pipeline operators and their regulators. Policymakers are increasingly voicing concern that other critical infrastructure sectors are in a similar position. When ransomware successfully disrupts critical infrastructure operations, basic societal needs are put at risk, and some lawmakers are signaling openness to creating additional cybersecurity regulations for critical sectors.

OFAC sanctions

The federal government is also using its sanctions authority to deter ransomware payments. According to a recent FinCEN report, the average amount of reported ransomware transactions was approximately $100 million per month in 2021. These payments encourage more ransom-based attacks and fund other criminal activities.

The Office of Foreign Assets Control (OFAC) issued guidance warning that paying ransoms to sanctioned individuals and organizations violates sanctions regulations. Liability for these violations, OFAC notes, applies even if the person did not know the ransomware payment was being sent to a sanctioned entity.

Critics of this approach warn that sanctioning specific attack groups is ineffective because those groups can simply rebrand or partner with other criminals to collect payment. They also say that sanctioning payments only further victimizes the organizations or individuals that have been attacked, depriving them of options for recovery or driving them underground. Ransomware is already grossly under-reported, and critics of sanctions warn that sanctions will likely encourage a lack of transparency.

More recently, OFAC also issued virtual currency guidance, aimed at currency companies, miners, exchanges, and users, emphasizing that facilitating ransomware payments to sanctioned entities is illegal. The guidance also describes best practices for assessing the risk of sanctions violations during transactions. In addition, OFAC imposed sanctions on a Russian cryptocurrency exchange for allegedly facilitating financial transactions for ransomware actors, the first sanctions of this kind.

OFAC followed up with an advisory on sanctions guidance for the virtual currency industry and imposed sanctions on a cryptocurrency company that failed to conduct due diligence to prevent facilitating payments to ransomware criminal groups.

Ransomware reporting

Requirements to report ransomware payments and ransomware-related incidents to federal authorities are another area of interest. The Biden administration has imposed incident reporting requirements on federal agencies and contractors via Executive Order, but Congress is taking steps to expand these requirements to other private sector entities.

Both the House of Representatives and the Senate have advanced legislation that would require businesses to report ransomware payments within 24 hours. The report would need to include the method of payment, instructions for making the payment, and other details to help federal investigators track the flow of payments and identify long-term trends in ransomware. The bill would also require owners and operators of critical infrastructure to report significant cybersecurity incidents (including disruptive ransomware attacks) within 72 hours. Interestingly, the legislation’s definition of “ransomware” includes all extortion-based attacks (such as threatened distributed denial of service), not just malware that locks system operations until a ransom is paid.

Although the House and Senate legislation cleared several hurdles, it did not pass Congress in 2021. However, we expect a renewed push for incident reporting, or other legislation to address ransomware, in 2022 and beyond.

Update, March 17, 2022: The Cyber Incident Reporting For Critical Infrastructure Act has been enacted and is now law. For more details, check out our blog post.

A more collaborative, whole-of-government approach

The Biden Administration characterized ransomware as an economic and national security concern relatively early on and has detailed numerous federal efforts to counter it. We have also seen a notable increase in international government and law enforcement cooperation, and in public-private collaboration to identify, prosecute, and disrupt ransomware criminals and address their safe harbors. In addition to the above, recent efforts have included:

  • In April 2021, the Department of Justice (DOJ) created a Digital Extortion Task Force, and in June elevated ransomware to be a priority on par with terrorism.
  • In June 2021, the US government attended the G7 Summit and discussed ransomware, making a commitment to “work together to urgently address the escalating shared threat from criminal ransomware networks.” They went on to “call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions.”
  • Also in June 2021, ransomware was discussed during the EU-US Justice and Home Affairs Ministerial Meeting, with both sides committing to jointly combat ransomware, “including through law enforcement action, raising public awareness on how to protect networks as well as the risk of paying the criminals, and encouraging those states that turn a blind eye to this crime to arrest and extradite or effectively prosecute criminals on their territory.”
  • In August 2021, the Cybersecurity and Infrastructure Security Agency (CISA) announced the formation of the Joint Cyber Defense Collaborative (JCDC) to “integrate unique cyber capabilities across multiple federal agencies, many state and local governments, and countless private sector entities.”
  • In August 2021, the White House announced the voluntary Industrial Control System Cybersecurity Initiative to strengthen the resilience of critical infrastructure against ransomware.
  • In September 2021, NIST released a ransomware risk management profile for its Cybersecurity Framework.
  • In October 2021, the White House hosted a Counter Ransomware Initiative Meeting, bringing together governments of 30 countries from around the world to “discuss the escalating global security threat from ransomware” and identify potential solutions.
  • Also in October 2021, a group of international law enforcement agencies and private sector experts collaborated to force ransomware group REvil offline.
  • In November 2021, the US Department of Justice announced the arrest of three ransomware actors, charges against a fourth, and the “seizure of $6.1 million in funds traceable to alleged ransom payments.” It credited these successes to being “the result of close collaboration with the international community, the US government, and especially our private-sector partners.”
  • Collaboration by multiple federal agencies to produce the StopRansomware website, which provides basic resources on what ransomware is, how to reduce risks, and how to report an incident or request assistance.
  • Ongoing work of senior policymakers such as Deputy Attorney General Lisa Monaco, as well as federal agencies such as CISA and the FBI, to maintain a steady stream of timely alerts about the ransomware threat and the need for public and private sector collaboration to combat it.

Ransomware brings security center-stage

For years, it was arguable that most policymakers did not “get” the need for cybersecurity. Now the landscape has changed significantly, with ransomware and nation-state competition driving the renewed sense of urgency. Given the seriousness, persistence, and widespread nature of the ransomware threat, Rapid7 supports new measures to detect and mitigate these attacks. These trends do not seem likely to abate soon, and we expect regulatory activity and information sharing on cybersecurity to be driven by ransomware for some time to come.

