Ransomware exposed 'blind trust' in tech companies
Over-reliance on outsourced software solutions made the West vulnerable to cyber threats. To overturn the situation, perpetrators and businesses need to be held accountable.
Silicon Valley promised a tech utopia in exchange for lax regulation, with legislators, particularly in the US, pinning their hopes on market self-regulation, argues Marietje Schaake, International Director of Policy at Stanford University's Cyber Policy Center.
"The spread of democracy was this big promise that came from Silicon Valley. And now I think there've been a lot of very harsh and very unfortunate moments of truth," Schaake said during MIT's CyberSecure 2021 conference.
From COVID misinformation to supply chain attacks affecting key institutions, recent years have shown that trust in software businesses' ability to provide secure solutions may have been misplaced.
While a misinformation campaign is quite different from a malware attack, both can serve the same purpose. According to Schaake, threat actors can leverage both types of attacks to sow distrust in a targeted society.
For example, ambiguity about the motives behind ransomware attacks makes them even more dangerous, since it is not always clear whether malign actors use attacks for pure financial gain or for espionage. The latter is rarely punished, since all countries engage in it.
"When it comes to ransomware, the accountability gap needs to be closed. The fact that there are hardly any consequences for perpetrators, the fact that there are a lot of flaws in software that's widely commercially available, makes it too easy for malign attackers to gain ground, whether it is for financial or geopolitical gains," Schaake explained.
A clear set of rules on what is considered espionage and what is not would allow threat actors to be targeted more effectively. Without that distinction, the whole world will continue a 'race to the bottom', with hospitals, universities, and schools held hostage by criminals who face no real threat of repercussions.
The lack of consequences cyber-criminals face for their actions adds another layer of problems, as law enforcement agencies seem powerless to combat this novel threat.
"People keep hearing about attacks, and they never hear about consequences for the perpetrators. I believe it erodes their trust in the ability of institutions, law enforcement, and governments to protect them," Schaake, a former Member of the European Parliament (MEP), said.
End 'blind trust'
The pinnacle of misplaced trust, according to Schaake, is in the protection of critical infrastructure. Several recent high-profile attacks against energy, food, and software suppliers have shown that a lack of accountability can turn dangerous.
"There has been an almost blind trust for tech companies to provide secure products. Whereas in reality […] there's plenty of reason to really worry about outsourcing so much responsibility to protecting critical infrastructure to tech companies," Schaake told a virtual audience.
While businesses will continue to build some aspects of the critical infrastructure installations that governments use, dealing with safety issues might be left to the authorities.
The argument in favor of that lies in the structure of how democratic societies work. Governments are accountable and often more inclined to follow the rule of law, while multinational companies can operate in the shadows, obscuring responsibility.
Moreover, companies are not immune to shipping shoddy security products, cutting corners on security to optimize for shareholder profit rather than the national interest.
"We need much more testing, standardizing oversights, ways to require from these companies, what is expected of them, but also to hold them to account when they fail," the former MEP said.
According to Schaake, the recent ransomware tsunami has demonstrated the importance of the role tech companies play in the West and particularly the United States.
The global turbulence caused by the ransomware pandemic can be a turning point to reassess the relationship between authorities and businesses.
"To ask the very companies to self-defend and to also self-regulate is a wrong move from checks and balances and the rule of law point of view. […] I think there's just been a long trend of outsourcing, and it has gotten to an imbalanced situation which needs to be course-corrected," Schaake said.
Cyberattacks are increasing in scale, sophistication, and scope. The last 12 months were rife with major high-profile cyberattacks, such as the SolarWinds hack and the attacks against Colonial Pipeline, meat processing company JBS, and software firm Kaseya.
The prevalence of ransomware has forced governments to take multilateral action against the threat. A combined effort likely helped push the infamous REvil and BlackMatter cartels offline and led to the arrest of Cl0p ransomware cartel members.
Gangs, however, either rebrand or form new groups. Most recently, LockBit 2.0 was the most active ransomware group with a whopping list of 203 victims in Q3 of 2021 alone.
An average data breach costs victims $4.24 million per incident, the highest in 17 years. By comparison, the average cost stood at $3.86 million per incident last year, putting the latest figure at a 10% increase.