The White House released an open letter on June 2, 2021, urging U.S. businesses to take "immediate steps" to protect themselves, their customers, and the broader economy against ransomware attacks. The letter comes amid numerous high-profile ransomware attacks affecting critical infrastructure and supply chains.
Addressed to "Corporate Executives and Business Leaders" from Deputy National Security Advisor Anne Neuberger, the letter recommends the following "highly impactful" steps. We list each of the recommendations and provide corresponding commentary.
Backups are a key mitigation against ransomware attacks. The letter folds together several recommendations for maintaining backups:
• Store backups offline: As the letter notes, ransomware frequently attempts to find and delete network-attached backup files. However, companies often need to be selective about the types and amounts of data they are backing up offline, as maintaining huge offline data troves can be burdensome.
• Regularly test backups: This is a critical step that is too often overlooked by companies. Companies must ensure that backup solutions are working properly and that backup files are complete and not corrupted.
• Back up system images and configurations, in addition to data: It is easy to overlook the importance of backing up critical images and configurations. Ransomware attacks do not simply deny companies the ability to access their files—they also can be incredibly destructive to network architecture and require a company to rebuild many of its essential computers and services. This rebuilding work is made much easier with backups of critical configurations and default images.
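The "regularly test backups" point above is the one most often left as a checkbox. A concrete way to operationalize it is to record a cryptographic hash of every file at backup time and re-hash the backup before you ever need it, so silent corruption, files the backup job skipped, and files that should not be on the backup share all surface during a scheduled test rather than during a restore. The script below is an added example written for this alert; it is not code from the White House letter, from DWT, or from any backup product. The manifest file name, directory layout, and sample files are all constructed for illustration.

```python
"""Backup integrity check: hash-manifest creation and verification.

Added example (not from the original page). At backup time, record a
SHA-256 of every file in a manifest; at test time, re-hash the backup and
compare, so corruption or missing files are detected before the backup is
needed. The manifest name, paths and sample files are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed name, not a standard


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Hash every regular file under backup_dir and store the manifest
    alongside it. Keep a second copy of the manifest offline as well: an
    attacker with write access to the share could regenerate it to match
    tampered files, which is exactly the case offline storage guards against."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[str(p.relative_to(backup_dir))] = sha256_file(p)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup against a trusted manifest. Returns a report with
    lists of corrupted, missing and unexpected files; 'ok' is True only if
    all three lists are empty."""
    corrupted, missing = [], []
    present = {
        str(p.relative_to(backup_dir))
        for p in backup_dir.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    for rel, expected in manifest.items():
        path = backup_dir / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != expected:
            corrupted.append(rel)
    unexpected = sorted(present - manifest.keys())
    return {
        "ok": not (corrupted or missing or unexpected),
        "corrupted": sorted(corrupted),
        "missing": sorted(missing),
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Build a constructed backup set, record its manifest, then simulate the
    failures a backup test should catch: one file silently corrupted, one
    missing, and one written to the share by something other than the job."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup-2021-06-02"
        (backup / "db").mkdir(parents=True)
        (backup / "config").mkdir()
        # Constructed sample content: a database dump plus two config files,
        # matching the letter's point about backing up configurations too.
        (backup / "db" / "customers.sql").write_bytes(
            b"CREATE TABLE customers (...);\n" * 100)
        (backup / "config" / "firewall.conf").write_bytes(b"deny all\n")
        (backup / "config" / "ad-gpo.xml").write_bytes(b"<gpo/>\n")
        manifest = write_manifest(backup)

        # Simulate bit-rot or tampering: flip one byte in the database dump.
        sql = backup / "db" / "customers.sql"
        data = bytearray(sql.read_bytes())
        data[10] ^= 0xFF
        sql.write_bytes(bytes(data))
        # Simulate a backup job that silently skipped a file.
        (backup / "config" / "ad-gpo.xml").unlink()
        # Simulate a file dropped onto the share (e.g. a ransom note).
        (backup / "README_DECRYPT.txt").write_bytes(b"pay up\n")

        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the trusted manifest should be the copy kept with the offline backup, not the one sitting on the share being checked, and a hash comparison is only the first half of a restore test: the second half is actually restoring a sample of files and a system image to an isolated host and confirming the services come up.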
None of the recommendations in the White House letter will come as a surprise to seasoned cybersecurity practitioners. There are also a number of good practices that the letter does not address, such as providing phishing and cyber awareness training to employees and regularly conducting vulnerability scans.
Nevertheless, the letter is significant. It is yet another signal that the federal government is looking for a significant response to the ongoing ransomware epidemic. To that end, the Department of Justice created a task force in April 2021 to combat ransomware and other digital extortion attacks.1
The Department marked a big victory for the task force on June 7, 2021, when it announced the seizure and recovery of roughly half, by dollar value, of the bitcoin ransom paid by Colonial Pipeline to its ransomware attackers. Moreover, recent internal guidance stated that the Department would handle ransomware attack investigations through a special central coordination process previously used for terrorism investigations.2
The letter also could serve as a sort of baseline set of expectations for companies to defend against ransomware attacks. Companies that are hit by ransomware and do not maintain any offline backups, for example, should expect increased scrutiny of their cybersecurity practices by regulators. Accordingly, corporate leadership should conduct gap assessments of their cybersecurity programs using the letter's recommendations.
To the extent a company does not implement some of the recommendations, it should either take immediate steps to do so or be able to explain why, taking a risk-based approach, it determined that some of the recommended actions were not necessary. For example, a company might decide not to use multifactor authentication on a particular system due to technical limitations, knowing that the system does not contain sensitive data and is logically segregated from other parts of the corporate network.
DWT will continue to monitor the regulatory landscape related to ransomware.