The federal government has made strides in deterring ransomware over the past year, but still has a number of milestones to reach, according to a new paper from the Institute for Security and Technology’s Ransomware Task Force.
The evaluation comes a year after the group, a private-public partnership that brought together more than 60 companies and organizations across government, nonprofits and the private sector, released a sweeping report making 48 recommendations on how to combat ransomware.
The reports urgency became clear almost immediately after its April 2021 release, with the U.S. suffering a string of high-profile ransomware attacks in the subsequent weeks, including an incident that shut down fuel provider Colonial Pipeline, an attack against the meat supplier JBS and an infiltration of managed service provider Kaseya that knocked out the services for nearly 1,500 organizations worldwide.
Of the 48 specific recommendations the Ransomware Task Force made in its initial report, 12 have seen tangible progress in the year since. Some initial steps have been taken on 29 recommendations, while seven recommendations have seen no action.
The United States has made the most progress in addressing the RTF’s recommendations for deterring ransomware, according to Friday’s update. In addition to the Department of Homeland Security launching a hiring “sprint” to combat cyber crime, the Justice Department last year created its own ransomware task force. And at the event Friday, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said the DHS unit is creating another task force to collaborate with the FBI and other agencies that fight cybercrime.
The U.S. has made progress on international collaboration, too, with the Justice Department announcing additional measures Friday. Deputy Attorney General Lisa Monaco said the department is launching a joint international operation following illicit cryptocurrency transactions, and is also creating a new cyber operations liaison to work with foreign governments.
The U.S. is also part of a global Counter Ransomware Initiative that launched last October with 30 other countries, and has also worked with the G7 to address the issue.
Despite progress on the global front, RTF co-chair Megan Stifel said that the U.S. still has work to do.
“I think one of the challenges going forward is going to be expanding the scope of countries that are focused on this issue and wanting to both improve their hygiene but also support investigative efforts to try and reduce this ongoing scourge,” she said.
The new RTF paper also points to an ongoing lack of comprehensive data about ransomware attacks.
“We don’t know how to categorize the data we have because the data we have is so incomplete,” said Jen Ellis, vice president of community and public affairs at the cybersecurity firm Rapid7 and a co-chair of the Ransomware Task Force. “And that means overtime measuring progress is going to be super hard.”
The United States has made legislative progress with the Cyber Incident Reporting for Critical Infrastructure Act, which requires critical infrastructure operators to report ransomware attacks. However, with a two-year time frame for implementation, it will be a while until the law bears fruit.
Small and medium-sized enterprises also lag in support, according to the RTF’s new paper. Last year’s $1.2 trillion infrastructure law included $1 billion for a new state and local cybersecurity grant program to help governments address the ransomware threat, but DHS is still drafting guidance for that program. And many small companies still struggle with making sure their systems are secure.
“Ransomware is prevalent and prolific and it is a terrible problem and it’s not going away,” said Ellis. “Even when we thought there was going to be a huge shift to the conflict the reality is that cybercrime is still ongoing. But I do have hope for the future because we’re seeing a level of coordination and collaboration that is unprecedented and that’s what we need.”